Regulation overview

The Cyber Resilience Act (CRA) is an EU regulation that establishes cybersecurity requirements for products with digital elements. It entered into force in December 2024, with full compliance required by December 2027.

TinyBell’s classification

| Aspect | Classification |
| --- | --- |
| Product type | Product with Digital Elements (PDE) |
| Risk category | Default (standard risk) |
| Role | Manufacturer |
| Conformity assessment | Module A (self-assessment) |

TinyBell is classified as a default risk product because it does not manage critical network functions, privileged access control, or large-scale identity management.

Compliance status

Requirements met

Security by design

The platform is built with input sanitization, CSRF protection, encrypted connections, and secure defaults.

Security by default

Accounts are created with secure configurations. Weak passwords are rejected. 2FA is available.

SBOM maintained

A complete Software Bill of Materials is maintained and updated with each release.

Vulnerability disclosure

A public vulnerability disclosure channel is active at info@thetinybell.com.

Data minimization

The pixel collects only the data necessary for notification targeting. No personal identifiers.

Secure updates

Security updates are delivered automatically. No action required by hotel customers.

Incident reporting timeline

As required by Article 14 of the CRA, TinyBell follows this notification schedule for actively exploited vulnerabilities:

| Timeframe | Action | Authority |
| --- | --- | --- |
| 24 hours | Early warning with initial severity assessment | ENISA + INCIBE |
| 72 hours | Detailed technical notification with affected products and initial fixes | ENISA + INCIBE |
| 1 month | Final report with root cause analysis and remediation | ENISA + INCIBE |

These obligations apply from September 11, 2026. TinyBell has implemented internal processes to meet these deadlines.

Support period

TinyBell commits to a minimum 5-year support period from the date of each product version release. During this period:
  • Security updates are provided free of charge
  • Vulnerabilities are monitored continuously
  • Patches are delivered within 7 days for critical issues

Technical documentation

The following technical documentation is maintained as part of our CRA compliance:
  1. Risk assessment: Formal analysis of threats and mitigations
  2. System architecture: Data flow diagrams and interface descriptions
  3. SBOM: Complete inventory of components and dependencies
  4. User instructions: Documentation on secure operation (this docs site)
  5. Conformity declaration: EU declaration of conformity (available upon request)

Contact

For CRA-related inquiries or to request documentation: info@thetinybell.com

Subject line: [CRA] followed by your request.