Cyber Resilience Act (CRA) Compliance

1. Document Overview

Document Title: CRA Compliance Statement

Products Covered:

  • vCloud.ai Video Analytics Platform
  • Cluebase VMS (Video Management System)

Prepared For: European Union Regulatory Alignment

Version: 1.1.2

Date: March 2026


2. Executive Summary

This document outlines the compliance of vCloud.ai and Cluebase VMS with the requirements of the EU Cyber Resilience Act (CRA). Both systems are designed with a strong focus on cybersecurity, resilience, and secure lifecycle management, ensuring protection against unauthorized access, data breaches, and operational disruptions.

The platforms integrate AI-based analytics, distributed processing, and enterprise-grade video management while maintaining compliance with modern cybersecurity standards applicable within the European Union.


3. Product Description

3.1 vCloud.ai Platform

vCloud.ai is an AI-driven video analytics platform leveraging:

  • Large Language Models (LLMs)
  • Custom-trained neural networks
  • Edge and server-side inference

Key capabilities:

  • Object, face, and license plate recognition
  • Behavioral analytics
  • Real-time alerting and automation
  • Integration with third-party systems (access control, intercoms, IoT)

3.2 Cluebase VMS

Cluebase VMS is a scalable video management system providing:

  • Centralized and distributed video recording
  • Device and camera management
  • Secure streaming via RTSP/HTTPS
  • API-based integrations (ISAPI, ONVIF, REST)

4. CRA Applicability

Both products fall under “Products with Digital Elements” as defined by the Cyber Resilience Act due to:

  • Network connectivity
  • Software-based control and processing
  • Remote access capabilities
  • Integration with external systems

5. Cybersecurity Risk Management

5.1 Risk Assessment

A continuous risk assessment process is implemented:

  • Threat modeling (STRIDE-based)
  • Vulnerability scanning (automated + manual)
  • Penetration testing (internal and third-party)

5.2 Risk Mitigation Measures

  • Role-based access control (RBAC)
  • Secure authentication (OAuth2, API tokens, optional MFA)
  • Network segmentation support
  • Encryption (TLS 1.2+ for data in transit)

6. Secure Development Lifecycle (SDLC)

Both platforms follow a secure SDLC aligned with CRA requirements:

  • Code reviews and static analysis (SAST)
  • Dependency vulnerability scanning (SCA)
  • Container security (Docker hardening, minimal images)
  • Secure CI/CD pipelines
  • Version control with audit trails

7. Vulnerability Handling & Disclosure

7.1 Vulnerability Management Policy

  • Continuous monitoring for CVEs
  • Patch release cycles (critical, high, medium severity tiers)
  • Emergency patching procedures

7.2 Coordinated Vulnerability Disclosure (CVD)

  • Public reporting channel for researchers
  • Defined SLA for response and remediation
  • Transparency in security advisories

8. Security by Design

Security is embedded into the architecture:

  • Least privilege principles
  • Default secure configurations
  • Hardened APIs with authentication and rate limiting
  • Isolation of analytics pipelines
  • Optional air-gapped deployment support

9. Data Protection

9.1 Data Handling

  • Video streams processed securely
  • Metadata storage minimized
  • Configurable retention policies

9.2 Encryption

  • TLS encryption for all communications
  • Optional encryption at rest (disk-level or application-level)

9.3 GDPR Alignment

  • Supports anonymization (face blurring, masking)
  • Audit logs for data access
  • Data subject access request (DSAR) support via APIs

10. Identity & Access Management

  • Role-based access control (Admin, Operator, Viewer, API)
  • Integration with LDAP / Active Directory
  • API authentication tokens with scope limitation
  • Optional multi-factor authentication (MFA)

11. Network Security

  • Secure communication protocols (HTTPS, WSS)
  • Firewall-friendly architecture
  • VPN compatibility
  • Support for segmented deployments (edge/cloud hybrid)

12. Software Updates & Patch Management

  • Digitally signed software updates
  • Secure update delivery channels
  • Version tracking and rollback capability
  • Long-term support (LTS) versions available

13. Incident Detection & Response

  • Real-time monitoring and alerting
  • Logging and audit trails (user actions, system events)
  • Integration with SIEM systems
  • Incident response procedures defined and documented

14. Supply Chain Security

  • Verification of third-party libraries
  • SBOM (Software Bill of Materials) maintained
  • Trusted container registries
  • Vendor risk assessment procedures

15. Documentation & Transparency

The following documentation is maintained and available:

  • Security guidelines for deployment
  • API documentation
  • Hardening guidelines
  • Incident response procedures
  • Release notes and vulnerability disclosures

16. Compliance Mapping to CRA Requirements

CRA Requirement | Implementation
Secure by design | Integrated into architecture and SDLC
Vulnerability handling | Defined policy + disclosure program
Data protection | Encryption + GDPR alignment
Access control | RBAC + MFA
Update mechanisms | Secure, signed updates
Incident reporting | Logging + SIEM integration
Documentation | Full technical and security documentation

17. Conformity Assessment

vCloud.ai and Cluebase VMS are prepared for:

  • Internal conformity assessment (self-assessment)
  • Third-party audits (upon request)
  • CE marking readiness (where applicable)

18. Maintenance & Lifecycle Support

  • Regular security updates
  • Long-term support versions
  • End-of-life (EOL) policy defined
  • Migration support between versions

19. Residual Risks

Despite strong security controls, residual risks may include:

  • Misconfiguration by end users
  • Compromised third-party integrations
  • Network-level attacks outside system control

Mitigation:

  • Deployment guidelines
  • Security best practices documentation
  • Monitoring and alerting tools

20. Conclusion

vCloud.ai and Cluebase VMS are designed to meet the core requirements of the EU Cyber Resilience Act. The platforms implement a comprehensive cybersecurity framework covering secure development, deployment, operation, and maintenance.

The systems demonstrate a proactive approach to cybersecurity, ensuring resilience, transparency, and compliance within the European regulatory environment.


21. Contact Information

For compliance inquiries:

Company: vCloud.ai

Email: support@vcloud.ai

Department: Security & Compliance