> ## Documentation Index
> Fetch the complete documentation index at: https://docs.thetinybell.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Software Bill of Materials (SBOM)

> Components and dependencies used in the TinyBell platform.

## What is an SBOM?

A Software Bill of Materials is a formal inventory of all software components, libraries, and dependencies used in a product. Under the EU Cyber Resilience Act (CRA), manufacturers of products with digital elements must maintain and provide an SBOM.

## TinyBell platform components

### Backend (PHP 8.2)

| Component         | Version | License     | Purpose                    |
| ----------------- | ------- | ----------- | -------------------------- |
| PHP               | 8.2.x   | PHP License | Server-side runtime        |
| Apache            | 2.4.x   | Apache 2.0  | Web server                 |
| MySQL             | 8.0.x   | GPL 2.0     | Database                   |
| PHPMailer         | 6.x     | LGPL 2.1    | Email delivery             |
| Guzzle HTTP       | 7.x     | MIT         | HTTP client                |
| Stripe PHP        | Latest  | MIT         | Payment processing         |
| HTMLPurifier      | 4.x     | LGPL 2.1    | Input sanitization         |
| SVG Sanitizer     | 0.x     | MIT         | SVG file validation        |
| MaxMind GeoIP2    | 2.x     | Apache 2.0  | IP geolocation (local DB)  |
| QR Code Generator | Various | MIT         | QR code generation         |
| Web Push          | Latest  | MIT         | Browser push notifications |
| Two Factor Auth   | Latest  | MIT         | 2FA support                |

### Frontend (JavaScript)

| Component     | Version | License    | Purpose               |
| ------------- | ------- | ---------- | --------------------- |
| jQuery        | 3.x     | MIT        | DOM manipulation      |
| Bootstrap     | 4.6.x   | MIT        | UI framework          |
| Chart.js      | 3.x     | MIT        | Statistics charts     |
| Pickr         | Latest  | MIT        | Color picker          |
| CookieConsent | Latest  | MIT        | Cookie consent banner |
| EditorJS      | Latest  | Apache 2.0 | Content editor        |

### Pixel script (loaded on hotel websites)

| Component       | Version | License     | Purpose                     |
| --------------- | ------- | ----------- | --------------------------- |
| pixel-header.js | Custom  | Proprietary | Notification display engine |
| pixel.css       | Custom  | Proprietary | Notification styling        |

<Note>
  The pixel script has **zero external dependencies**. It is a self-contained JavaScript file that does not load any third-party libraries on hotel websites.
</Note>

### Infrastructure services

| Service    | Purpose                                         | Data processed                               | Privacy policy                                                            |
| ---------- | ----------------------------------------------- | -------------------------------------------- | ------------------------------------------------------------------------- |
| Cloudflare | DNS, CDN, DDoS protection, WAF, TLS termination | IP addresses, HTTP headers, request metadata | [cloudflare.com/privacypolicy](https://www.cloudflare.com/privacypolicy/) |

### External APIs (free, no authentication)

| Service    | Purpose                  | Data sent                                 | Privacy policy                                          |
| ---------- | ------------------------ | ----------------------------------------- | ------------------------------------------------------- |
| Nager.Date | Public holiday detection | Country code only                         | [nager.at/privacy](https://date.nager.at)               |
| Open-Meteo | Weather data             | Latitude/longitude of hotel (not visitor) | [open-meteo.com/terms](https://open-meteo.com/en/terms) |

## SBOM format

This SBOM follows the [CycloneDX](https://cyclonedx.org/) standard recommendations. A machine-readable version in CycloneDX JSON format is available upon request at [info@thetinybell.com](mailto:info@thetinybell.com).

## Update policy

This SBOM is updated with every major release of the TinyBell platform. Last update: April 2026.

## Vulnerability monitoring

We monitor all listed dependencies for known vulnerabilities using automated tools. When a vulnerability is discovered in a dependency:

1. We assess the impact on TinyBell within **24 hours**
2. We apply patches or mitigations within **7 days** for critical issues
3. We notify affected customers if their data may have been at risk
