Data Security

How we protect your data: encryption, access controls, vulnerability disclosure, and incident response.

Security at CRA Evidence

CRA Evidence is hosted on AWS in the European Union. All customer data is encrypted in transit and at rest. We enforce strict tenant isolation: your organisation's data is never accessible to other customers.

Infrastructure

  • Cloud: Hosted in the European Union (Dublin, Ireland)
  • Data Residency: All customer data stored exclusively in the EU
  • Network: Application containers run in private networks with no public exposure
  • Audit: Immutable audit log of all user actions (165+ event types, sequence-verified)

Encryption

  • In Transit: TLS 1.2 or higher on all connections (HTTPS enforced)
  • At Rest: AES-256 encryption on all data stores
  • Key Management: Dedicated key management service; keys are never exposed to the application layer
  • Credentials: Passwords hashed with memory-hard algorithms; API keys hashed before storage (plaintext never retained)

Authentication & Access Control

  • Login: Email/password, OAuth (Google, Microsoft, GitHub), SAML SSO
  • MFA: TOTP-based multi-factor authentication with backup codes; organisations can enforce MFA for all members
  • Roles: Four roles per organisation (Owner, Admin, Member, Viewer), following the principle of least privilege
  • API Keys: Scoped permissions, individually revocable
  • SSO Enforcement: Organisations can require SAML SSO for all members

Tenant Isolation

CRA Evidence is a multi-tenant platform. Every database query filters by organisation_id at the service layer:

  • Organisations cannot access, query, or reference another organisation's data
  • SBOM data, vulnerability data, products, and compliance documents are all scoped to the owning organisation
  • Storage paths are segregated by organisation ID
  • Audit logging tracks all data access per organisation
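The service-layer scoping described above, as an added illustration that is not CRA Evidence's own code: a small repository over a constructed SQLite table in which the organisation_id predicate is part of every query, so a tenant context for one organisation cannot read another organisation's SBOM rows, even when it knows their ids (the table, rows and class names are assumptions).

```python
# Added example, not CRA Evidence's code: a service-layer repository in which every
# query carries an organisation_id predicate, so one tenant cannot read another's rows.
import sqlite3
from dataclasses import dataclass

# Constructed sample schema and rows; the platform's real tables are not shown here.
SCHEMA = ("CREATE TABLE sboms (id INTEGER PRIMARY KEY, organisation_id TEXT NOT NULL, "
          "product TEXT NOT NULL, format TEXT NOT NULL)")
SAMPLE_ROWS = [
    ("org-a", "gateway", "CycloneDX"),
    ("org-a", "agent", "SPDX"),
    ("org-b", "firmware", "CycloneDX"),
]

@dataclass(frozen=True)
class TenantContext:
    """Resolved from the authenticated session, never from client-supplied input."""
    organisation_id: str

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO sboms (organisation_id, product, format) VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

class SbomRepository:
    """All reads go through here; organisation_id is part of every WHERE clause."""

    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn

    def list_products(self, tenant: TenantContext) -> list:
        rows = self._conn.execute(
            "SELECT product FROM sboms WHERE organisation_id = ? ORDER BY product",
            (tenant.organisation_id,)).fetchall()
        return [r[0] for r in rows]

    def get_sbom(self, tenant: TenantContext, sbom_id: int):
        # Filtering by id alone would not enforce tenant scope; with the
        # organisation_id predicate in the query, a foreign id simply returns None.
        return self._conn.execute(
            "SELECT id, product, format FROM sboms WHERE id = ? AND organisation_id = ?",
            (sbom_id, tenant.organisation_id)).fetchone()
```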

Vulnerability Management

  • Vulnerability Knowledge Base: Self-hosted multi-source vulnerability database with 15-minute sync from NVD, OSV.dev, GitHub Advisories, CISA KEV, and EPSS. Our vulnerability scanner runs as an independent verification layer.
  • Dependency Monitoring: Automated checks on application dependencies
  • Patch Management: Regular updates to application and infrastructure components

Data Retention

  • Active account data: Retained while subscription is active
  • Deleted accounts: Data removed within 30 days of request
  • Audit logs: Retained for 10 years per CRA Article 13(14) requirements
  • Backups: Encrypted daily automated snapshots

GDPR & Privacy

  • Data Processing Agreement (DPA): Available on request (privacy@craevidence.com)
  • Records of Processing Activities (ROPA): Maintained per GDPR Article 30
  • Subprocessors: Published list with 30-day change notification
  • Data Portability: SBOM export in standard formats (CycloneDX, SPDX)
  • Data Deletion: Account and all associated data deleted within 30 days of request
  • Privacy Policy: Read our privacy policy

Compliance

Our Compliance

  • Compliant with GDPR (EU 2016/679): ROPA, DPA, subprocessor list, privacy policy
  • EU data residency: all data hosted in the European Union
  • RFC 9116: security.txt published
  • ISO 29147/30111 aligned: Coordinated Vulnerability Disclosure process

Infrastructure Provider Certifications

Our infrastructure provider maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and C5 (German BSI) certifications for the EU region we operate in.

Roadmap

  • Independent penetration testing (planned)
  • SOC 2 Type II (planned)
  • ISO 27001 (under evaluation)

We are building our compliance posture alongside our product. This page reflects where we are today.

Vulnerability Disclosure

We welcome responsible security research. If you discover a vulnerability in our platform, please report it.

How to Report

Scope

  • In scope: *.craevidence.com, the CRA Evidence API, the CRA Evidence CLI
  • Out of scope: Third-party services, social engineering, denial-of-service attacks

Safe Harbor

We will not pursue legal action against security researchers who:

  • Act in good faith
  • Avoid privacy violations, data destruction, or service disruption
  • Report findings promptly and allow reasonable time for remediation

CVD Policy

We follow ISO 29147/30111 standards for Coordinated Vulnerability Disclosure.

Contact

  • Security Team: security@craevidence.com
  • General Inquiries: Contact Form

Last updated: March 2026.

Questions About Our Security Practices?

We're committed to transparency. Reach out if you have any security-related questions.