Cyber Resilience Act (CRA) Compliance

1. Document Overview

Document Title: CRA Compliance Statement

Products Covered:

  • vCloud.ai Video Analytics Platform
  • Cluebase VMS (Video Management System)

Prepared For: European Union Regulatory Alignment

Version: 1.1.2

Date: March 2026


2. Executive Summary

This document outlines the compliance of vCloud.ai and Cluebase VMS with the requirements of the EU Cyber Resilience Act (CRA). Both systems are designed with a strong focus on cybersecurity, resilience, and secure lifecycle management, ensuring protection against unauthorized access, data breaches, and operational disruptions.

The platforms integrate AI-based analytics, distributed processing, and enterprise-grade video management while maintaining compliance with modern cybersecurity standards applicable within the European Union.


3. Product Description

3.1 vCloud.ai Platform

vCloud.ai is an AI-driven video analytics platform leveraging:

  • Large Language Models (LLMs)
  • Custom-trained neural networks
  • Edge and server-side inference

Key capabilities:

  • Object, face, and license plate recognition
  • Behavioral analytics
  • Real-time alerting and automation
  • Integration with third-party systems (access control, intercoms, IoT)

3.2 Cluebase VMS

Cluebase VMS is a scalable video management system providing:

  • Centralized and distributed video recording
  • Device and camera management
  • Secure streaming via RTSP/HTTPS
  • API-based integrations (ISAPI, ONVIF, REST)

4. CRA Applicability

Both products fall under “Products with Digital Elements” as defined by the Cyber Resilience Act due to:

  • Network connectivity
  • Software-based control and processing
  • Remote access capabilities
  • Integration with external systems

5. Cybersecurity Risk Management

5.1 Risk Assessment

A continuous risk assessment process is implemented:

  • Threat modeling (STRIDE-based)
  • Vulnerability scanning (automated + manual)
  • Penetration testing (internal and third-party)

5.2 Risk Mitigation Measures

  • Role-based access control (RBAC)
  • Secure authentication (OAuth2, API tokens, optional MFA)
  • Network segmentation support
  • Encryption (TLS 1.2+ for data in transit)

6. Secure Development Lifecycle (SDLC)

Both platforms follow a secure SDLC aligned with CRA requirements:

  • Code reviews and static analysis (SAST)
  • Dependency vulnerability scanning (SCA)
  • Container security (Docker hardening, minimal images)
  • Secure CI/CD pipelines
  • Version control with audit trails

7. Vulnerability Handling & Disclosure

7.1 Vulnerability Management Policy

  • Continuous monitoring for CVEs
  • Patch release cycles (critical, high, medium severity tiers)
  • Emergency patching procedures

7.2 Coordinated Vulnerability Disclosure (CVD)

  • Public reporting channel for researchers
  • Defined SLA for response and remediation
  • Transparency in security advisories

8. Security by Design

Security is embedded into the architecture:

  • Least privilege principles
  • Default secure configurations
  • Hardened APIs with authentication and rate limiting
  • Isolation of analytics pipelines
  • Optional air-gapped deployment support

9. Data Protection

9.1 Data Handling

  • Video streams processed securely
  • Metadata storage minimized
  • Configurable retention policies

9.2 Encryption

  • TLS encryption for all communications
  • Optional encryption at rest (disk-level or application-level)

9.3 GDPR Alignment

  • Supports anonymization (face blurring, masking)
  • Audit logs for data access
  • Data subject access request (DSAR) support via APIs

10. Identity & Access Management

  • Role-based access control (Admin, Operator, Viewer, API)
  • Integration with LDAP / Active Directory
  • API authentication tokens with scope limitation
  • Optional multi-factor authentication (MFA)

11. Network Security

  • Secure communication protocols (HTTPS, WSS)
  • Firewall-friendly architecture
  • VPN compatibility
  • Support for segmented deployments (edge/cloud hybrid)

12. Software Updates & Patch Management

  • Digitally signed software updates
  • Secure update delivery channels
  • Version tracking and rollback capability
  • Long-term support (LTS) versions available

13. Incident Detection & Response

  • Real-time monitoring and alerting
  • Logging and audit trails (user actions, system events)
  • Integration with SIEM systems
  • Incident response procedures defined and documented

14. Supply Chain Security

  • Verification of third-party libraries
  • SBOM (Software Bill of Materials) maintained
  • Trusted container registries
  • Vendor risk assessment procedures

15. Documentation & Transparency

The following documentation is maintained and available:

  • Security guidelines for deployment
  • API documentation
  • Hardening guidelines
  • Incident response procedures
  • Release notes and vulnerability disclosures

16. Compliance Mapping to CRA Requirements

CRA Requirement | Implementation
Secure by design | Integrated into architecture and SDLC
Vulnerability handling | Defined policy + disclosure program
Data protection | Encryption + GDPR alignment
Access control | RBAC + MFA
Update mechanisms | Secure, signed updates
Incident reporting | Logging + SIEM integration
Documentation | Full technical and security documentation

17. Conformity Assessment

vCloud.ai and Cluebase VMS are prepared for:

  • Internal conformity assessment (self-assessment)
  • Third-party audits (upon request)
  • CE marking readiness (where applicable)

18. Maintenance & Lifecycle Support

  • Regular security updates
  • Long-term support versions
  • End-of-life (EOL) policy defined
  • Migration support between versions

19. Residual Risks

Despite strong security controls, residual risks may include:

  • Misconfiguration by end users
  • Compromised third-party integrations
  • Network-level attacks outside system control

Mitigation:

  • Deployment guidelines
  • Security best practices documentation
  • Monitoring and alerting tools

20. Conclusion

vCloud.ai and Cluebase VMS are designed to meet the core requirements of the EU Cyber Resilience Act. The platforms implement a comprehensive cybersecurity framework covering secure development, deployment, operation, and maintenance.

The systems demonstrate a proactive approach to cybersecurity, ensuring resilience, transparency, and compliance within the European regulatory environment.


21. Contact Information

For compliance inquiries:

Company: vCloud.ai

Email: support@vcloud.ai

Department: Security & Compliance