> ## Documentation Index
> Fetch the complete documentation index at: https://docs.thetinybell.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CRA Compliance

> TinyBell's compliance with the EU Cyber Resilience Act (Regulation EU 2024/2847).

## Regulation overview

The Cyber Resilience Act (CRA) is an EU regulation that establishes cybersecurity requirements for products with digital elements. It entered into force in December 2024, with full compliance required by December 2027.

## TinyBell's classification

| Aspect                | Classification                      |
| --------------------- | ----------------------------------- |
| Product type          | Product with Digital Elements (PDE) |
| Risk category         | Default (standard risk)             |
| Role                  | Manufacturer                        |
| Conformity assessment | Module A (self-assessment)          |

TinyBell is classified as a **default risk** product because it does not manage critical network functions, privileged access control, or large-scale identity management.

## Compliance status

### Requirements met

<CardGroup cols={2}>
  <Card title="Security by design" icon="pen-ruler">
    The platform is built with input sanitization, CSRF protection, encrypted connections (TLS via Cloudflare), WAF protection, and secure defaults.
  </Card>

  <Card title="Security by default" icon="lock">
    Accounts are created with secure configurations. Weak passwords are rejected. 2FA is available.
  </Card>

  <Card title="SBOM maintained" icon="list-check">
    A complete Software Bill of Materials is maintained and updated with each release.
  </Card>

  <Card title="Vulnerability disclosure" icon="bug">
    A public vulnerability disclosure channel is active at [info@thetinybell.com](mailto:info@thetinybell.com).
  </Card>

  <Card title="Data minimization" icon="minimize">
    The pixel collects only the data necessary for notification targeting. No personal identifiers.
  </Card>

  <Card title="Secure updates" icon="arrows-rotate">
    Security updates are delivered automatically via CI/CD pipeline. No action required by hotel customers.
  </Card>

  <Card title="Network security" icon="shield">
    All traffic is proxied through Cloudflare with DDoS protection, WAF rules, and bot management enabled by default.
  </Card>
</CardGroup>

### Incident reporting timeline

As required by Article 14 of the CRA, TinyBell follows this notification schedule for actively exploited vulnerabilities:

| Timeframe | Action                                                                   | Authority      |
| --------- | ------------------------------------------------------------------------ | -------------- |
| 24 hours  | Early warning with initial severity assessment                           | ENISA + INCIBE |
| 72 hours  | Detailed technical notification with affected products and initial fixes | ENISA + INCIBE |
| 1 month   | Final report with root cause analysis and remediation                    | ENISA + INCIBE |

<Note>
  These obligations apply from September 11, 2026. TinyBell has implemented internal processes to meet these deadlines.
</Note>

## Support period

TinyBell commits to a minimum **5-year support period** from the date of each product version release. During this period:

* Security updates are provided free of charge
* Vulnerabilities are monitored continuously
* Patches are delivered within 7 days for critical issues

## Technical documentation

The following technical documentation is maintained as part of our CRA compliance:

1. **Risk assessment**: Formal analysis of threats and mitigations
2. **System architecture**: Data flow diagrams and interface descriptions
3. **SBOM**: Complete inventory of components and dependencies
4. **User instructions**: Documentation on secure operation (this docs site)
5. **Conformity declaration**: EU declaration of conformity (available upon request)

## Contact

For CRA-related inquiries or to request documentation: **[info@thetinybell.com](mailto:info@thetinybell.com)**

Subject line: `[CRA]` followed by your request.
