These Terms and Conditions of Use and Sale govern all contractual relations between CRA Direct and its professional clients in connection with access to the Cyber Resilience Act compliance modules.
1. Legal Notice
Under Article 6 of French Law No. 2004-575 of 21 June 2004 for confidence in the digital economy (LCEN):
- Publisher: The Platform is published by CRA Direct, a French SAS in the process of registration with the Paris Trade and Companies Register (RCS), having its registered office in France. Email: contact@cra-direct.fr.
- Director of Publication: The CEO of CRA Direct (contact via the Publisher's email).
- Hosting: The Platform is hosted within the European Union by OVH SAS, 2 rue Kellermann, 59100 Roubaix, France.
2. Object and Enforceability
These General Terms and Conditions (the "Terms") govern all access to and use of the Platform at https://cra-direct.fr by a professional client ("Client"). Access and subscription imply full and unconditional acceptance of these Terms. CRA Direct reserves the right to modify these Terms at any time; the applicable version is that in effect on the subscription or renewal date.
3. Access to Services and Account Creation
Services are exclusively intended for professionals (B2B). Access requires prior online account creation. The Client agrees to provide accurate, complete, and up-to-date identification information. Login credentials are strictly personal and confidential. The Client is solely responsible for any use of the Platform made under their credentials. In case of loss, theft, or fraudulent use, the Client must immediately notify CRA Direct at contact@cra-direct.fr.
4. Services and Platform Modules
CRA Direct provides an integrated on-premises or private cloud software suite designed to support manufacturers, importers, and distributors in their compliance with the EU Cyber Resilience Act (CRA):
- CRA Direct Assess: Regulatory maturity assessment module including economic operator role mapping, product classification (standard, important class I or II, or critical), gap analysis against Annex I essential requirements, Annex VII technical documentation verification, and draft EU Declaration of Conformity generation.
- CRA Direct Operate: Operational module providing continuous SBOM ingestion, CVE vulnerability monitoring, automated and manual VEX triage, support for mandatory 24-hour serious incident reporting, and audit trail compilation required by national supervisory authorities.
5. Financial Terms and Payment
A. Pricing
Subscription and diagnostic fees are listed on the site in Euros, excluding tax (HT). They will be increased by the applicable French VAT (currently 20%) at the time of invoicing.
B. Payment Terms
Payment is by credit card, SEPA direct debit, or bank transfer. Subscriptions are invoiced and payable in advance (monthly or annually).
C. Late Payment
Any late payment will automatically trigger: (i) late penalties at three times the French statutory interest rate, (ii) a fixed recovery indemnity of €40 HT, and (iii) CRA Direct's right to suspend Platform access after a 10-day email notice.
6. Intellectual Property
A. Platform Ownership
CRA Direct retains exclusive ownership of all intellectual property rights in the Platform, including source code, graphic design, trademarks, logos, regulatory diagnostic databases, triage algorithms, and explanatory texts. The Client receives a personal, temporary, non-exclusive, non-transferable right to use the Platform services for the subscription duration.
B. Client Data Ownership
The Client retains full and exclusive ownership of all data, SBOMs, documents, and information uploaded or generated in their workspace. The Client grants CRA Direct a limited license to host, process, and reproduce this data solely to the extent necessary for performing the Platform services.
7. Obligations of the Parties
A. Client Obligations
The Client agrees to use the Platform in accordance with applicable regulations and these Terms, including: not uploading counterfeit or malicious data, providing authentic SBOMs and accurate information, and not attempting to compromise Platform security.
B. CRA Direct Obligations
CRA Direct undertakes to exercise all due care in providing high-quality services under a best-efforts obligation (moyens). We implement industry-leading security standards with a target availability of 99.9% per year, excluding scheduled maintenance.
8. Non-Legal Advice Clause and Limitation of Liability
IMPORTANT — REGULATORY WARNING AND NON-ADVICE CLAUSE: CRA Direct provides software tools for self-assessment, SBOM management, and administrative preparation of incident report forms. Under no circumstances do the content, diagnostics, compliance scores, exported reports, or alerts produced by CRA Direct constitute legal advice, attorney consultation, or definitive regulatory compliance certification. The Client remains solely legally responsible for final validation of technical documentation, CE marking, and the accuracy and timely submission of vulnerability reports to ENISA and national CSIRTs within the 24-hour legal deadline.
CRA Direct shall not be liable for: damages resulting from inaccurate information entered by the Client, internet network interruptions, or indirect damages (loss of revenue, customers, goodwill, or administrative fines). Liability cap: Any indemnity shall not exceed the total amounts paid by the Client in the 12 months preceding the event giving rise to the dispute.
9. Term, Termination, and Data Reversibility
A. Term
The contract is for the duration chosen by the Client (monthly or annually), automatically renewed unless notice of termination is given by either party.
B. Termination for Convenience
Monthly subscriptions: at least 15 days before renewal. Annual subscriptions: at least 30 days before the annual renewal date.
C. Termination for Breach
In case of serious or repeated breach (notably non-payment or intellectual property infringement), CRA Direct may terminate the contract 15 days after an unsuccessful email notice.
D. Data Reversibility
Within 30 days following the termination effective date, the Client may export all data (SBOMs, diagnostic history) in standard structured formats (JSON, CSV, SPDX). After 30 days, CRA Direct will permanently delete all Client data from production servers.
10. Governing Law and Jurisdiction
These Terms are governed by French law. EXCLUSIVE JURISDICTION: Any dispute arising between CRA Direct and a professional client relating to the formation, interpretation, performance, or termination of this contract shall be submitted to the exclusive jurisdiction of the Paris Commercial Court (Tribunal de Commerce de Paris), notwithstanding multiple defendants or third-party claims.