At CRA-Direct, we place paramount importance on the confidentiality and security of your professional data. As a company dedicated to cybersecurity regulatory compliance (Cyber Resilience Act), we apply the strictest protection standards.
1. Publisher and Data Controller
The website and platform accessible at https://cra-direct.fr (collectively the "Platform") are published by CRA Direct ("CRA Direct" or "we"), a French simplified joint-stock company (SAS) in the process of registration, with its registered office in France. The primary contact address is contact@cra-direct.fr.
Under the General Data Protection Regulation (GDPR 2016/679) and the French Data Protection Act of 6 January 1978 as amended:
- CRA Direct acts as the Data Controller for personal data collected during your browsing, account creation, or use of our diagnostic modules.
- CRA Direct acts as a Processor (under Article 28 GDPR) for technical data imported by our clients into their secure workspace (e.g., SBOM files, internal vulnerability reports, software patches). The client remains the sole Data Controller of their business and application data.
2. Personal Data Collected
We collect only the information strictly necessary to provide our compliance services and administer your workspaces.
A. Registration and Account Data
Provided directly by you when creating your platform access or requesting a demo:
- Name, title, and professional contact details (business email, phone number).
- Role or function within the client company (e.g., CISO, CTO, Compliance Officer).
- Access password (encrypted using one-way, non-reversible algorithms).
B. Company and Assessment Data
- Company name, registered office address, country of establishment, business or VAT identification number.
- Information about your hardware or software products subject to CRA compliance analysis: product name, version, associated CRA category (standard, important class I or II, or critical).
C. Infrastructure and Continuous Compliance Data
Technical information essential for vulnerability analysis and regulatory reporting:
- Software Bill of Materials (SBOM) files uploaded to the Platform.
- Vulnerability scan history, CVE analysis data, remediation status, and VEX triage reports.
- Technical audit evidence and draft mandatory notifications for the European Single Reporting Platform (SRP/ENISA).
D. Connection and Traceability Data
To meet regulatory audit requirements and ensure Platform security:
- Connection IP address, security logs, access dates and times, browser type, and administrative action history.
3. Purposes and Legal Basis for Processing
| Processing Purpose | Legal Basis (GDPR) |
|---|---|
| Account management and platform access | Contract performance (Art. 6.1.b) |
| CRA maturity diagnostics and recommendations | Contract performance (Art. 6.1.b) |
| SBOM analysis, CVE monitoring, audit documentation | Contract performance (Art. 6.1.b) |
| Platform security, intrusion detection, audit trails | Legitimate interest (Art. 6.1.f) |
| Critical vulnerability email alerts | Contract performance (Art. 6.1.b) |
| Newsletters and regulatory updates | Consent (Art. 6.1.a) or Legitimate interest (B2B) |
| Accounting and subscription billing | Legal obligation (Art. 6.1.c) |
4. Recipients and Data Hosting
CRA Direct applies a strict no-commercialization policy. Your information and technical files are never sold, rented, or transferred to third parties for advertising purposes.
Authorized recipients are exclusively:
- Authorized CRA Direct personnel, bound by strict confidentiality (technical support, security engineers, administration).
- Our trusted technical subcontractors, necessary for Platform operation (infrastructure providers).
Physical Location & Sovereignty: All database servers, application servers, and SBOM storage are located within the European Union (highly secure infrastructure in France and Germany). Our servers are configured to prevent extraterritorial interception and ensure compliance with Article 25 GDPR (Data Protection by Design and by Default).
5. Data Retention Period
- Account and diagnostic data: Retained for the duration of the contractual relationship. After termination, archived for 3 years for evidentiary purposes, then permanently deleted.
- SBOM files and vulnerability data: Deleted within 30 days of workspace closure, unless otherwise instructed or required by ongoing legal proceedings.
- Activity logs and connection data: Retained for a rolling 12-month maximum, then deleted.
- Accounting records and invoices: Retained for 10 years from fiscal year close, per French Commercial Code.
6. No Transfers Outside the European Union
No personal data or SBOMs are transferred outside the European Economic Area (EEA). CRA Direct excludes any use of cloud subcontractors subject to extraterritorial surveillance laws for processing and storing sensitive vulnerability data.
7. Your Rights (GDPR)
- Right of access (Art. 15): Obtain confirmation of data processing and receive a complete copy.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete information.
- Right to erasure (Art. 17): Request permanent deletion of your personal data.
- Right to restriction (Art. 18): Request temporary freezing of data processing.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on your particular situation, or to direct marketing.
- Post-mortem directives: Define instructions for your data after your death.
Exercise these rights at any time by emailing privacy@cra-direct.fr or via the data export options in your Platform workspace. If unsatisfied with our response, you may file a complaint with the CNIL (3 Place de Fontenoy, 75007 Paris — www.cnil.fr).
8. Security and Data Integrity
- Strong encryption: All data in transit is encrypted with TLS 1.3. SBOM files and sensitive diagnostic data at rest are encrypted with AES-256.
- Strict identity management: User authentication features complex password policies and multi-factor authentication (MFA) support.
- Logical isolation (Multi-tenant): Each organization's workspace is isolated at the application and database level (Row-Level Security) to prevent cross-company data leaks.
- Monitoring and auditing: Systems undergo continuous logging. Regular security audits and penetration tests are conducted.
9. Contact and Data Protection Officer (DPO)
CRA Direct has appointed a Data Protection Officer (DPO) to oversee privacy compliance across all operations. For any questions regarding this policy or to exercise your rights, contact our DPO at:
Email: privacy@cra-direct.fr
10. Changes to This Policy
This privacy policy may be updated periodically to reflect changes in our operational practices, new features, or regulatory adjustments to the EU Cyber Resilience Act. Significant changes will be notified by email or via an alert upon your next Platform login.