Important: Please read these Terms of Service carefully before using CRA Evidence. By accessing or using our platform, you agree to be bound by these terms.
1. Agreement to Terms
These Terms of Service ("Terms") constitute a legally binding agreement between you ("User", "you", or "your") and CRA Evidence Team ("Company", "we", "us", or "our") governing your access to and use of the CRA Evidence platform ("Service").
By creating an account or using the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms and our Privacy Policy.
Beta Notice: During the beta phase, CRA Evidence is managed by individual developers based in Spain. Full legal entity details will be provided upon commercial launch.
1.1 Definitions
In these Terms:
- "Service" means the CRA Evidence platform, including all features, APIs, and related services.
- "Customer Data" means all data you upload or input into the Service, including product information and documents.
- "SBOM Data" means Software Bills of Materials and related component, dependency, and vulnerability information.
- "Compliance Artifacts" means reports, exports, and documentation generated by the Service based on your Customer Data.
2. Description of Service
CRA Evidence is a compliance management platform designed to help manufacturers of Products with Digital Elements (PDEs) meet the requirements of:
- EU Cyber Resilience Act (Regulation (EU) 2024/2847)
- BSI TR-03183 (SBOM quality and vulnerability handling)
The Service allows you to:
- Register and manage products and versions
- Upload, validate, and store Software Bills of Materials (SBOMs)
- Manage compliance documentation
- Track CRA readiness status
- Generate technical file exports
Important Compliance Notice
The Service is designed to assist you in managing documentation and evidence related to the EU Cyber Resilience Act. However:
- The Service does NOT guarantee compliance with the CRA, EN 303 645, or any other regulatory requirement.
- You remain solely responsible for ensuring your products comply with all applicable laws and regulations.
- The Service does NOT constitute legal, regulatory, or professional advice.
- CRA Evidence is NOT a Notified Body, Conformity Assessment Body, or certification authority.
- Use of the Service does NOT guarantee market surveillance authority approval or avoidance of regulatory penalties.
We recommend consulting with legal counsel and qualified conformity assessment bodies regarding your specific CRA compliance obligations.
3. Account Registration
3.1 Eligibility
To use the Service, you must:
- Be at least 18 years of age
- Have the legal authority to enter into these Terms
- Represent a legitimate business entity (for business accounts)
3.2 Account Security
You are responsible for:
- Maintaining the confidentiality of your account credentials
- All activities that occur under your account
- Notifying us immediately of any unauthorized access
3.3 Accurate Information
You agree to provide accurate, current, and complete information during registration and to update this information as needed.
4. Acceptable Use
You agree NOT to:
- Use the Service for any unlawful purpose
- Upload malicious content, viruses, or harmful code
- Attempt to gain unauthorized access to the Service or other accounts
- Interfere with or disrupt the Service or servers
- Reverse engineer, decompile, or disassemble any part of the Service
- Use automated systems to access the Service without permission
- Resell or redistribute the Service without authorization
- Use the Service to store or transmit content that infringes intellectual property rights
5. User Content
5.1 Ownership
You retain ownership of all content you upload to the Service ("User Content"), including SBOMs, documents, and product information.
5.2 License to Us
By uploading User Content, you grant us a limited, non-exclusive license to store, process, and display the content as necessary to provide the Service to you.
5.3 Your Responsibilities
You are solely responsible for:
- The accuracy and legality of your User Content
- Ensuring you have the right to upload and share the content
- Backing up your important data
6. Intellectual Property
6.1 Our Property
The Service, including its design, features, functionality, and content (excluding User Content), is owned by us and protected by copyright, trademark, and other intellectual property laws.
6.2 Limited License
We grant you a limited, non-exclusive, non-transferable license to access and use the Service for its intended purpose, subject to these Terms.
6.3 Compliance Artifacts
You own all Compliance Artifacts generated by the Service based on your Customer Data, including:
- Technical file exports and compliance reports
- CRA readiness assessments and checklists
- SBOM exports in CycloneDX or SPDX formats
We retain no ownership rights to your Compliance Artifacts after generation.
7. Fees and Payment
Details regarding subscription plans, pricing, and payment terms will be provided separately in your service agreement or on our pricing page.
Unless otherwise specified:
- Fees are billed in advance on a monthly or annual basis
- All fees are non-refundable except as required by law
- We may change pricing with 30 days' notice
8. Service Availability and Security
We strive to maintain high availability but do not guarantee uninterrupted access. The Service may be unavailable due to:
- Scheduled maintenance (with advance notice when possible)
- Emergency maintenance or security updates
- Circumstances beyond our reasonable control
8.1 Security Measures
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments
8.2 Incident Notification
In the event of a security incident affecting your Customer Data, we will:
- Notify you within 72 hours of becoming aware of the incident
- Provide details about the nature and scope of the incident
- Take reasonable steps to mitigate the impact and prevent recurrence
9. Disclaimer of Warranties
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO:
- WARRANTIES OF MERCHANTABILITY
- FITNESS FOR A PARTICULAR PURPOSE
- NON-INFRINGEMENT
We do not warrant that:
- The Service will meet your specific requirements
- The Service will be uninterrupted, timely, secure, or error-free
- The results obtained from using the Service will be accurate or reliable
- The Service will ensure your CRA compliance (you remain responsible for compliance)
9.1 SBOM and Vulnerability Data
The Service analyzes Software Bills of Materials (SBOMs) you provide. You acknowledge that:
- We do not warrant that our analysis will identify all components, licenses, or dependencies in your software.
- Vulnerability information is sourced from third-party databases (NVD, GitHub Advisory, etc.) and may contain inaccuracies, delays, or omissions.
- We do not guarantee detection of all vulnerabilities ("false negatives") or absence of incorrect vulnerability matches ("false positives").
- Any remediation actions you take based on Service outputs are your sole responsibility.
10. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, WE SHALL NOT BE LIABLE FOR:
- INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES
- LOSS OF PROFITS, DATA, USE, OR GOODWILL
- BUSINESS INTERRUPTION
OUR TOTAL LIABILITY SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE SERVICE IN THE 12 MONTHS PRECEDING THE CLAIM.
10.1 Regulatory Exclusions
Without limiting the foregoing, we shall not be liable for:
- Regulatory fines, penalties, or sanctions imposed by any government authority
- Costs of product recalls or market withdrawal
- Market surveillance authority actions or enforcement measures
- Failure to achieve CRA compliance or conformity assessment approval
11. Indemnification
You agree to indemnify and hold harmless the Company, its officers, directors, employees, and agents from any claims, damages, losses, or expenses (including reasonable legal fees) arising from:
- Your use of the Service
- Your violation of these Terms
- Your violation of any third-party rights
- Your User Content
11.1 SBOM Data Accuracy
You specifically agree to indemnify us from claims arising from:
- Inaccurate, incomplete, or misleading SBOM Data you provide
- Failure to disclose known vulnerabilities or security issues in your products
- Third-party claims related to your product's components or dependencies
12. Termination
12.1 By You
You may terminate your account at any time by contacting us or through account settings (when available).
12.2 By Us
We may suspend or terminate your account if you:
- Violate these Terms
- Engage in fraudulent or illegal activity
- Fail to pay applicable fees
12.3 Effect of Termination
Upon termination:
- Your access to the Service will be revoked
- You may request export of your data within 30 days of termination
- We will provide exports in standard formats (JSON, CSV, CycloneDX, SPDX)
- Your Customer Data will be deleted within 30 days after the export period
- Anonymized, aggregated data may be retained indefinitely for analytics
13. Governing Law and Jurisdiction
These Terms shall be governed by and construed in accordance with the laws of Spain, without regard to its conflict of law provisions.
Any disputes arising from these Terms shall be subject to the exclusive jurisdiction of the courts of Spain.
14. Changes to Terms
We reserve the right to modify these Terms at any time. We will provide notice of material changes by:
- Posting the updated Terms on the Service
- Sending an email to the address associated with your account
- Displaying a prominent notice on the platform
Your continued use of the Service after changes become effective constitutes acceptance of the revised Terms.
15. Miscellaneous
15.1 Entire Agreement
These Terms, together with the Privacy Policy and Data Processing Addendum (DPA), constitute the entire agreement between you and us regarding the Service.
15.2 Data Processing
For customers in the European Economic Area, our Data Processing Addendum (DPA) forms part of these Terms and governs our processing of personal data on your behalf. The DPA includes EU Standard Contractual Clauses for international data transfers. Contact legal@craevidence.com to request a copy.
15.3 Severability
If any provision of these Terms is found to be unenforceable, the remaining provisions shall remain in full force and effect.
15.4 Waiver
Our failure to enforce any provision of these Terms shall not constitute a waiver of that provision.
15.5 Assignment
You may not assign these Terms without our prior written consent. We may assign these Terms without restriction.
16. Contact Information
For questions about these Terms, please contact us at:
CRA Evidence Team
Email: legal@craevidence.com
Last updated: January 2, 2026