Organisation Settings
Configure compliance settings, security policies, and billing for your entire organisation.
Prerequisites
- Role required: Owner or Admin
- Location: Click the gear icon or go to Settings from the user menu
CRA Economic Operator Role
Your operator role determines which CRA obligations apply to you. This is the most important setting.
Navigate to Settings → Organisation → General.
| Role | Who it's for | Key obligations |
|---|---|---|
| Manufacturer | Companies that design, develop, or manufacture products with digital elements | SBOM creation, vulnerability management, ENISA reporting, technical file |
| Importer | Companies placing products from outside the EU onto the market | Verify manufacturer compliance (Article 19), maintain SBOMs, ensure documentation |
| Distributor | Companies making products available without being manufacturer or importer | Due care (Article 20), verify CE marking and documentation |
Tip: You can select multiple roles if your organisation operates in more than one capacity.
Language settings
| Setting | Purpose |
|---|---|
| Default Language | Language for new team members (users can override in profile) |
| Document Language | Language for generated compliance documents (EU DoC, technical files) |
Supported languages: English, Spanish, German, French, Italian, Polish.
Note: EU compliance documents often need to be in the official language of each member state where you sell.
SBOM Quality Policy
Enforce minimum standards for SBOM uploads across your organisation.
Navigate to Settings → Organisation → SBOM Policy.
Minimum Quality Score
Set a threshold from 0-100. Quality scores measure completeness:
| Score component | What it measures |
|---|---|
| PURLs | Package URL identifiers |
| SHA-256 hashes | Component integrity verification |
| Supplier information | Component origin |
| License data | Legal compliance |
Tip: A score of 70+ is recommended for production use.
Enforcement Mode
| Mode | Behaviour |
|---|---|
| Off | Display scores but allow all uploads |
| Warn | Allow uploads with a warning below threshold |
| Block | Reject uploads below threshold |
Start with Warn to identify gaps, then switch to Block when your SBOM generation is mature.
Security contacts
CRA Article 14 requires a public point of contact for security vulnerabilities.
Navigate to Settings → Organisation → Security.
- Add up to four contact points (email or URL).
- Examples:
security@yourcompany.comorhttps://yourcompany.com/security
These contacts appear in:
- Your
security.txtfile (RFC 9116) - Public security pages
- Technical file exports
Coordinated Vulnerability Disclosure Policy
CRA Article 13(8) requires a CVD policy.
Option 1: Upload a file
- Go to Settings → Organisation → Security.
- Click Upload CVD Policy.
- Select PDF, Word, Markdown, or plain text.
Tip: Download our template in your language as a starting point.
Option 2: Link to external policy
- Enter the URL where your policy is published.
- CRA Evidence references it instead of storing a copy.
Your CVD policy should explain:
- How to report vulnerabilities
- Expected response times
- Coordinated disclosure timeline
- Safe harbour protections
Billing and plans
Note: Only Owners can access billing settings.
Navigate to Settings → Billing.
| Plan | Storage | Key features |
|---|---|---|
| Free | 1 GB | Basic features, evaluation use |
| Professional | 50 GB | SCIM, priority support, advanced features |
| Enterprise | 100 GB+ | SSO, firmware analysis, dedicated support |
The billing page shows:
- Current plan and cycle
- Next billing date
- Usage against limits (storage, members, products)
Tip: Usage bars turn yellow at 70% and red at 90%.
See Billing & Plans for full details.
Audit Log
Navigate to Settings → Audit Log.
Every significant action is logged:
| Event type | Examples |
|---|---|
| Authentication | Logins, logouts, MFA events |
| Data changes | Product/version creation, SBOM uploads |
| Settings | Configuration changes, policy updates |
| Access | Member invitations, role changes |
| API | Key creation, revocation, usage |
Each entry shows: who, when, IP address, and change details.
Note: The audit log is essential for CRA compliance and security investigations.
Filter audit logs
- By date range
- By action type
- By user
Analytics
Navigate to Settings → Analytics.
View usage statistics:
- Storage breakdown
- SBOM upload trends
- Vulnerability scan counts
- User activity patterns
Professional and Enterprise plans can export data for business intelligence tools.
Related documentation
- Team Management — Add and manage users
- Roles & Permissions — Access levels
- API Keys — Programmatic access
- MFA Setup — Account security
- Billing & Plans — Subscription management
Help us improve. What was missing or unclear?