Security

Security is the product, not a feature.

cramio handles sensitive vulnerability data, regulatory submissions, and compliance evidence for manufacturers across the EU. We apply the same rigor to our own infrastructure that we help our customers demonstrate to regulators.

No source code exfiltration

Only SBOM metadata and vulnerability findings leave your infrastructure. Source code, build artifacts, and proprietary logic are never transmitted to or stored on our servers.

Immutable Evidence Vault

Every report, assessment, and SRP receipt is stored with SHA-256 hash chaining. Entries cannot be modified or deleted, providing an independently verifiable audit trail.
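The hash chaining described above, as an added illustration (this is example code, not cramio's vault implementation): each entry stores the SHA-256 of the previous entry, so an edit or an interior deletion breaks every later link. The entry layout (seq, kind, payload, prev_hash) and the sample records are assumptions for this example.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

# Added illustration of SHA-256 hash chaining for an append-only evidence store.
# The entry layout below is an assumption for this example, not cramio's schema.

GENESIS = "0" * 64  # constructed sentinel used as prev_hash of the first entry


@dataclass(frozen=True)
class Entry:
    seq: int
    kind: str        # e.g. "report", "assessment", "srp_receipt"
    payload: dict    # the evidence record itself
    prev_hash: str   # entry_hash of the preceding entry (GENESIS for the first)
    entry_hash: str  # SHA-256 over the canonical form of the fields above


def compute_hash(seq: int, kind: str, payload: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same record always
    # hashes to the same value regardless of dict ordering or whitespace.
    canonical = json.dumps(
        {"seq": seq, "kind": kind, "payload": payload, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def append(chain: List[Entry], kind: str, payload: dict) -> Entry:
    prev_hash = chain[-1].entry_hash if chain else GENESIS
    seq = len(chain)
    entry = Entry(seq, kind, payload, prev_hash,
                  compute_hash(seq, kind, payload, prev_hash))
    chain.append(entry)
    return entry


def verify(chain: List[Entry], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the position of the first
    entry that fails. A mismatch against expected_head (the latest hash kept
    out-of-band) is reported as position len(chain)."""
    prev_hash = GENESIS
    for i, e in enumerate(chain):
        if e.seq != i or e.prev_hash != prev_hash:
            return i
        if compute_hash(e.seq, e.kind, e.payload, e.prev_hash) != e.entry_hash:
            return i
        prev_hash = e.entry_hash
    if expected_head is not None and prev_hash != expected_head:
        return len(chain)
    return None


def build_sample_chain() -> List[Entry]:
    # Constructed sample records; values are illustrative only.
    chain: List[Entry] = []
    append(chain, "report", {"product": "example-device", "findings": 3})
    append(chain, "assessment", {"finding_id": "F-1", "severity": "high"})
    append(chain, "srp_receipt", {"submission_id": "constructed-0001"})
    return chain


def tamper_payload(chain: List[Entry], idx: int) -> List[Entry]:
    # Simulate an edit in storage: change one payload, keep the stored hashes.
    edited = replace(chain[idx], payload={**chain[idx].payload, "severity": "low"})
    return chain[:idx] + [edited] + chain[idx + 1:]


def drop_entry(chain: List[Entry], idx: int) -> List[Entry]:
    # Simulate deletion of one stored entry.
    return chain[:idx] + chain[idx + 1:]


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1].entry_hash
    print("intact:", verify(chain, head))                              # None
    print("edited entry 1:", verify(tamper_payload(chain, 1)))          # 1
    print("deleted entry 1:", verify(drop_entry(chain, 1)))             # 1
    print("truncated, no head:", verify(drop_entry(chain, 2)))          # None
    print("truncated, with head:", verify(drop_entry(chain, 2), head))  # 2
```

The last two calls show the caveat a verifier should know: a hash chain alone cannot detect removal of the newest entries, because the shortened chain is still internally consistent. Independent verifiability needs the current head hash anchored somewhere the storage operator cannot rewrite (a published value, a signed receipt, or a copy held by the customer), which is what the expected_head check stands in for here.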

EU data residency

All customer data is processed and stored within EU/EEA regions. Enterprise customers can select specific regions and data center locations for regulatory compliance.

Infrastructure security

TLS 1.3 encryption in transit for all API and web traffic
AES-256 encryption at rest for stored SBOM payloads and evidence records
Strict Content Security Policy, HSTS, and X-Frame-Options headers
Rate limiting on all API endpoints with per-tenant isolation
HMAC-SHA256 webhook signature verification for all CI/CD integrations
Multi-stage Docker builds with minimal attack surface in production images

Authentication & access control

User authentication uses bcrypt-hashed passwords with a minimum 10-character requirement enforced at registration. Sessions are managed via signed JWT tokens with configurable expiration.

Role-based access control (RBAC) with four tiers — owner, admin, member, and viewer — ensures least-privilege access across all organization resources. API keys support scoped permissions with per-key rate limits.

Bcrypt password hashing (cost factor 10)
JWT-based session management
Role-based access control (owner / admin / member / viewer)
Scoped API keys with individual rate limits
Timing-safe comparison for all secret verification
Complete audit logging for all state-changing operations
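The webhook signature verification and timing-safe comparison listed above, as an added example (not cramio's code; the header layout, the replay window and the sample delivery are assumptions for this illustration):

```python
import hashlib
import hmac
from typing import Tuple

# Added illustration of HMAC-SHA256 webhook verification with a timing-safe compare.
# The header layout is an assumption for this example, not cramio's documented format:
#   X-Signature: t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">

TOLERANCE_SECONDS = 300  # replay window; assumption for this example


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: bind the timestamp and the raw body under one MAC."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def parse_signature_header(header: str) -> Tuple[int, str]:
    parts = dict(item.split("=", 1) for item in header.split(","))
    return int(parts["t"]), parts["v1"]


def verify(secret: bytes, header: str, body: bytes, now: int) -> bool:
    """Receiver side. Must run over the raw request bytes, before any JSON
    parsing, because re-serialising the body changes the bytes that were signed."""
    try:
        timestamp, provided = parse_signature_header(header)
    except (KeyError, ValueError):
        return False
    # Reject stale or future-dated deliveries so a captured request cannot be
    # replayed later.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    # compare_digest takes time independent of where the inputs first differ;
    # a plain == stops at the first mismatching byte and leaks how much of a
    # guess was right. Both sides are encoded so any caller-supplied string is
    # accepted without raising.
    return hmac.compare_digest(expected.encode("utf-8"), provided.encode("utf-8"))


# Constructed sample delivery (not a real cramio event or secret).
SECRET = b"constructed-shared-secret-rotate-me"
BODY = b'{"event":"scan.completed","scan_id":"constructed-42","critical":1}'
SENT_AT = 1_700_000_000


if __name__ == "__main__":
    header = sign(SECRET, SENT_AT, BODY)
    print(header)
    print("valid:", verify(SECRET, header, BODY, SENT_AT + 5))                # True
    print("body altered:", verify(SECRET, header, BODY + b" ", SENT_AT + 5))  # False
    print("replayed late:", verify(SECRET, header, BODY, SENT_AT + 3600))      # False
    print("wrong secret:", verify(b"other", header, BODY, SENT_AT + 5))        # False
```

Including the timestamp inside the signed string, rather than only in a separate header, matters: if only the body were signed, a receiver could not tell a fresh delivery from a captured one replayed within the tolerance window, and an attacker could pair an old body with a new timestamp.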

Data flow & minimization

1. Your infrastructure

SBOMs are generated on your build servers using your preferred tooling (Syft, cdxgen, etc.). Source code never leaves your environment.

2. cramio control plane

Only SBOM metadata (component names, versions, PURLs) and vulnerability findings are transmitted. Payloads are encrypted at rest with AES-256.

3. Regulatory submission

CRA reports are generated with minimal required fields for ENISA SRP submission. Cryptographic receipts are stored in the Evidence Vault.
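The minimization step between stages 1 and 2 above, as an added example (not cramio's agent or transport format): a CycloneDX document is reduced to component names, versions and PURLs before anything leaves the build environment, with a pre-transmission check that nothing outside that allow-list survived. The allow-list, the sample SBOM and its property names are constructed for this illustration.

```python
import json
from typing import Dict, Iterator, List

# Added illustration of SBOM data minimization. The allow-list and the sample
# document are assumptions for this example, not cramio's actual format.

ALLOWED_COMPONENT_KEYS = ("name", "version", "purl")

# Constructed CycloneDX-style document carrying the kind of extra detail real
# generators emit (source paths, descriptions, tool info, nested components).
SAMPLE_SBOM: Dict = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {"type": "application", "name": "example-firmware", "version": "2.3.1"},
        "tools": [{"name": "constructed-sbom-tool", "version": "0.0.0"}],
    },
    "components": [
        {
            "type": "library", "name": "openssl", "version": "3.0.13",
            "purl": "pkg:generic/openssl@3.0.13",
            "description": "TLS library, patched in-house (constructed)",
            "properties": [{"name": "constructed:source-path",
                            "value": "/src/vendor/openssl/Makefile"}],
        },
        {
            "type": "library", "name": "app-core", "version": "1.4.0",
            "purl": "pkg:generic/app-core@1.4.0",
            "components": [  # nested sub-component, as CycloneDX allows
                {"type": "library", "name": "zlib", "version": "1.3.1",
                 "purl": "pkg:generic/zlib@1.3.1",
                 "properties": [{"name": "constructed:source-path",
                                 "value": "/src/third_party/zlib"}]}
            ],
        },
        {"type": "library", "name": "internal-crypto", "version": "0.9.0"},  # no purl
    ],
}


def iter_components(components: List[Dict]) -> Iterator[Dict]:
    """Walk a CycloneDX component list, descending into nested components
    so a sub-component's source paths are not carried along by accident."""
    for c in components:
        yield c
        yield from iter_components(c.get("components", []))


def minimize_sbom(sbom: Dict) -> Dict:
    """Return a new, flat document containing only allow-listed fields."""
    root = sbom.get("metadata", {}).get("component", {})
    return {
        "bomFormat": sbom.get("bomFormat"),
        "specVersion": sbom.get("specVersion"),
        "metadata": {"component": {k: root[k] for k in ALLOWED_COMPONENT_KEYS if k in root}},
        "components": [
            {k: c[k] for k in ALLOWED_COMPONENT_KEYS if k in c}
            for c in iter_components(sbom.get("components", []))
        ],
    }


def leaked_keys(minimized: Dict) -> List[str]:
    """Pre-transmission check: any component key outside the allow-list means
    the filter is incomplete and the payload must not be sent."""
    return sorted({k for c in minimized["components"]
                   for k in c if k not in ALLOWED_COMPONENT_KEYS})


if __name__ == "__main__":
    out = minimize_sbom(SAMPLE_SBOM)
    print(json.dumps(out, indent=2))
    print("leaked keys:", leaked_keys(out))  # []
```

Building a new document from an allow-list, rather than deleting known-sensitive keys from the original, is the safer direction: a generator that adds a new field (a file hash, a build path, an internal repository URL) is dropped by default instead of silently transmitted.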

Vulnerability disclosure

If you discover a security vulnerability in cramio, we encourage responsible disclosure. Please report findings to security@cramio.eu. We will acknowledge receipt within 24 hours and provide an initial assessment within 72 hours.

We ask that you avoid accessing or modifying other users' data, disrupting services, or publicly disclosing vulnerabilities before we have had an opportunity to address them. We do not pursue legal action against researchers acting in good faith.

Compliance commitments

GDPR-compliant data processing with DPA available on request
EU/EEA data residency with no transfers outside approved jurisdictions
Tenant isolation with separate encryption contexts per organization
Immutable audit logs with configurable retention periods
Regular dependency scanning and security updates
Incident response procedures aligned to our own CRA reporting obligations