Compliance Documentation
This section contains documentation required for regulatory compliance, including materials for the EU Cyber Resilience Act (CRA).
Contents
- CRA Technical File — The CRA Technical Documentation File containing all required compliance artifacts
- Roles and Contacts — Compliance ownership and security contacts
- Distribution and Versioning — How Lighthouse is distributed and versioned
- Security Update Policy — Best-effort security update targets and process
- PSIRT Process — Internal vulnerability handling runbook
- CRA Self-Assessment — Self-assessment checklist against CRA Annex I
- Declaration of Conformity — EU Declaration of Conformity template
Quick Links
- Report a vulnerability: security@letpeople.work
- SECURITY.md: See SECURITY.md in the repository root
CRA Classification
Lighthouse is classified as a standard product with digital elements under the EU Cyber Resilience Act. This classification was determined based on:
- The product does not fall under CRA Annex III (critical products) or Annex IV (highly critical products)
- Lighthouse is a self-hosted forecasting and flow metrics tool
- It integrates with external work tracking systems (Jira, Azure DevOps, Linear) but does not provide security-critical infrastructure functions
Document Maintenance
These compliance documents are maintained by LetPeopleWork GmbH and are updated:
- At least annually
- When significant product changes occur
- When regulatory requirements change
Last Review: 2025-12-30