Data Security
How we protect your data: encryption, access controls, vulnerability disclosure, and incident response.
Security at CRA Evidence
CRA Evidence runs on AWS infrastructure in the EU (Dublin, Ireland). All customer data is encrypted in transit and at rest. We enforce strict tenant isolation — your organisation's data is never accessible to other customers. We are a founder-led company in beta and are transparent about our current security posture and roadmap.
Infrastructure
| Detail | Value |
|---|---|
| Cloud Provider | Amazon Web Services (AWS) |
| Region | eu-west-1 (Dublin, Ireland) |
| Data Residency | All customer data stored exclusively in the EU |
| Network | VPC with private subnets, NAT Gateway, no public IPs on application containers |
| Admin Access | Zero-trust VPN with device-based authentication and least-privilege access controls |
| Internal Traffic | VPC endpoints for S3 and SES (traffic never traverses public internet) |
| DDoS Protection | AWS Shield Standard |
| Infrastructure Audit | AWS CloudTrail for management plane operations |
| Application Audit | Immutable audit log of all user actions (165+ event types, sequence-verified) |
Encryption
| Layer | Method |
|---|---|
| In Transit | TLS 1.2 or higher on all connections (HTTPS enforced) |
| At Rest | AES-256 via AWS (RDS, S3, EBS volumes) |
| Key Management | AWS KMS (keys never leave the KMS boundary) |
| Passwords | Argon2id hashing (memory-hard, resistant to GPU/ASIC attacks) |
| API Keys | SHA-256 hashed before storage (plaintext never retained) |
Authentication & Access Control
- Login: Email/password with Argon2id, OAuth (Google, Microsoft, GitHub), SAML SSO
- MFA: TOTP-based multi-factor authentication with backup codes; organisations can enforce MFA for all members
- Sessions: JWT access tokens (short-lived) with rotating refresh tokens
- Bot Protection: Cloudflare Turnstile on authentication endpoints
- CSRF: Token-based protection on all state-changing operations
- RBAC: Four roles per organisation — Owner, Admin, Member, Viewer — following the principle of least privilege
- API Keys: Scoped permissions, SHA-256 hashed, individually revocable
- SSO Enforcement: Organisations can require SAML SSO for all members
Tenant Isolation
CRA Evidence is a multi-tenant platform. Every database query filters by organisation_id at the service layer:
- Organisations cannot access, query, or reference another organisation's data
- SBOM data, vulnerability data, products, and compliance documents are all scoped to the owning organisation
- Storage paths are segregated by organisation ID
- Audit logging tracks all data access per organisation
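To make the service-layer scoping concrete, here is an added illustration (not CRA Evidence's code; the schema, table name and organisation ids are constructed) of an unscoped primary-key lookup beside the tenant-scoped form the list above describes, where the caller's organisation_id is a mandatory filter and is bound once per request rather than passed by hand on every query:

```python
import sqlite3

# Constructed in-memory dataset (not the platform's real schema): two tenants, one SBOM each.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sboms (id INTEGER PRIMARY KEY, organisation_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO sboms VALUES (?, ?, ?)", [
        (1, "org-a", "product-a.cdx.json"),
        (2, "org-b", "product-b.cdx.json"),
    ])
    return db


def get_sbom_unscoped(db, sbom_id):
    # Anti-pattern: filters by primary key only. A caller from org-a who supplies id 2
    # receives org-b's row, because nothing ties the query to the caller's tenant.
    return db.execute(
        "SELECT id, organisation_id, name FROM sboms WHERE id = ?", (sbom_id,)
    ).fetchone()


class TenantScope:
    """Hypothetical service-layer wrapper: organisation_id is fixed at construction
    (taken from the authenticated session), so every query it issues is scoped and a
    record owned by another tenant is indistinguishable from one that does not exist."""

    def __init__(self, db, organisation_id):
        self.db = db
        self.organisation_id = organisation_id

    def get_sbom(self, sbom_id):
        return self.db.execute(
            "SELECT id, organisation_id, name FROM sboms WHERE id = ? AND organisation_id = ?",
            (sbom_id, self.organisation_id),
        ).fetchone()

    def list_sboms(self):
        # Listing is scoped the same way; there is no unscoped entry point to forget.
        return self.db.execute(
            "SELECT id, organisation_id, name FROM sboms WHERE organisation_id = ? ORDER BY id",
            (self.organisation_id,),
        ).fetchall()
```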
Vulnerability Management
- SBOM Scanning: Self-hosted Trivy scanner for continuous vulnerability detection on uploaded SBOMs
- Dependency Monitoring: Automated checks on application dependencies
- Patch Management: Regular updates to application and infrastructure components
- Penetration Testing: Independent penetration test planned (see Roadmap below)
Business Continuity & Disaster Recovery
| Detail | Value |
|---|---|
| Database Backups | Encrypted daily automated RDS snapshots |
| SBOM Storage | S3 with 99.999999999% durability (11 nines) |
| Uptime Commitment | 99.5% (per service agreement) |
| RPO | 24 hours (daily backups) |
| RTO | Target 4 hours |
| Deployment | Single-region (eu-west-1) — multi-AZ planned |
| Incident Response | Founder-led monitoring and response during beta phase |
Data Retention
- Active account data: Retained while subscription is active
- Deleted accounts: Data removed within 30 days of request
- Audit logs: Retained for 10 years per CRA Article 13(14) requirements
- Backups: Encrypted daily automated snapshots
GDPR & Privacy
- Data Processing Agreement (DPA): Available on request (privacy@craevidence.com)
- Records of Processing Activities (ROPA): Maintained per GDPR Article 30
- Subprocessors: Published list with 30-day change notification
- Data Portability: SBOM export in standard formats (CycloneDX, SPDX)
- Data Deletion: Account and all associated data deleted within 30 days of request
- Privacy Policy: Read our privacy policy
Compliance
Our Compliance
- Compliant with GDPR (EU 2016/679) — ROPA, DPA, subprocessor list, privacy policy
- EU data residency — all data in AWS eu-west-1 (Dublin, Ireland)
- RFC 9116 — security.txt published
- ISO 29147/30111 aligned — Coordinated Vulnerability Disclosure process
Infrastructure Provider Certifications
AWS maintains the following certifications for eu-west-1: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, C5 (German BSI).
Roadmap
- Independent penetration testing — planned
- SOC 2 Type II — planned
- ISO 27001 — under evaluation
We are building our compliance posture alongside our product. This page reflects where we are today.
Vulnerability Disclosure
We welcome responsible security research. If you discover a vulnerability in our platform, please report it.
How to Report
- Email: security@craevidence.com
- Response: Acknowledged within 24 hours, initial assessment within 7 business days
Scope
- In scope: *.craevidence.com, the CRA Evidence API, the CRA Evidence CLI
- Out of scope: Third-party services, social engineering, denial-of-service attacks
Safe Harbor
We will not pursue legal action against security researchers who:
- Act in good faith
- Avoid privacy violations, data destruction, or service disruption
- Report findings promptly and allow reasonable time for remediation
CVD Policy
We follow ISO 29147/30111 standards for Coordinated Vulnerability Disclosure.
Contact
- Security reports: security@craevidence.com
- Privacy inquiries: privacy@craevidence.com
- DPA requests: privacy@craevidence.com
Last updated: February 2026.
Questions About Our Security Practices?
We're committed to transparency. Reach out if you have any security-related questions.