Security and trust

Built for evidence integrity and controlled access.

CRA Ledger is designed around tenant-scoped records, audit activity, original artifact retention, and controlled operational diagnostics.

Trust control model

Evidence records with controlled access

Tenant scope: Records separated

RBAC: Access controlled

Audit logs: Activity retained

Diagnostics: Sensitive detail masked

No unverified SOC 2, ISO, or legal compliance claims.

Trust model

Controls for trusted evidence workflows.

Security posture is communicated through concrete product controls rather than unverified certification claims.

Tenant-scoped access

Evidence workflows are designed around tenant boundaries, roles, and explicit administration controls.

Role-based access

Admin and user workflows are separated so sensitive evidence operations can be controlled.

Audit logs

Actions, changes, delivery events, and review decisions are preserved as traceable activity.

Original upload retention

Original SBOM uploads remain attached to evidence records for provenance and later review.

Masked diagnostics

Operational diagnostics are designed to be useful without exposing sensitive data unnecessarily.

Delivery records

Webhook and notification delivery history can be reviewed as part of operational evidence.

Security scope and current assurance posture.

CRA Ledger does not claim SOC 2, ISO certification, legal compliance guarantees, or product certification unless verified evidence exists.

Security contact: Use the security contact page for responsible disclosure coordination and security questions.

Data handling and retention policy: Retention and access expectations should be reviewed as part of implementation and commercial scoping.

Operational evidence: Audit activity, original uploads, and delivery records support traceability over time.

Next step

Start with one product line.

Review how tenant-scoped access, audit activity, and retained evidence fit your product-security workflow.