Long COVID Companion

CyberResilience Act Compliance

Last Updated: March 27, 2025

1. Introduction

The EU CyberResilience Act (CRA) establishes a comprehensive framework for ensuring the cybersecurity of products with digital elements. At Long COVID Companion, we are committed to complying with the CRA to provide our users with secure digital health solutions.

This document outlines our approach to CRA compliance and the measures we have implemented to ensure the cybersecurity of our application.

2. Product Classification

Under the CRA, the Long COVID Companion application is classified as a Class II product with digital elements, as it processes health data and provides health-related recommendations. We understand the heightened requirements this classification entails and have implemented corresponding security measures.

3. Security Measures Implemented

3.1 Secure Design and Development

Our application is developed following secure-by-design principles:

  • Implementation of a Secure Development Lifecycle (SDL) methodology
  • Regular security training for all development and operations personnel
  • Code review processes with security checkpoints
  • Automated security testing integrated into our CI/CD pipeline
  • Formal vulnerability management procedures

3.2 Data Protection

As a health-related application, we implement stringent data protection measures:

  • End-to-end encryption for all sensitive data transmission
  • Encryption of data at rest using industry-standard algorithms
  • Strict access controls and authentication requirements
  • Regular data protection impact assessments
  • Data minimization and purpose limitation principles

3.3 Vulnerability Handling

We have established comprehensive vulnerability handling processes:

  • Continuous vulnerability scanning of our systems and dependencies
  • Public vulnerability disclosure program
  • Defined process for timely security updates
  • Incident response plan with clearly defined roles and procedures

3.4 Authentication and Access Control

Our application implements robust authentication and access control mechanisms:

  • Multi-factor authentication options for user accounts
  • Role-based access control for administrative functions
  • Session management with secure timeout policies
  • Brute force protection mechanisms

4. Conformity Assessment

In accordance with CRA requirements for Class II products, we have undergone a conformity assessment process including:

  • Documentation of technical compliance with essential requirements
  • Third-party security assessment by a notified body
  • Regular penetration testing by independent security researchers
  • Ongoing monitoring of compliance with evolving requirements

5. Incident Response and Reporting

We have established a robust incident response framework that includes:

  • 24/7 security monitoring of our systems
  • Defined procedures for responding to security incidents
  • Commitment to reporting significant incidents to relevant authorities within 24 hours
  • Regular incident response drills and tabletop exercises
  • Post-incident analysis and continuous improvement processes

6. Updates and Patches

We are committed to maintaining the security of our application throughout its lifecycle:

  • Regular security updates and patches for known vulnerabilities
  • Transparent communication about security updates to users
  • Automated update mechanisms with appropriate user notifications
  • Extended support policy for all deployed versions

7. Documentation and Transparency

We maintain comprehensive documentation regarding the security of our application:

  • Security features and configurations available to users
  • Regular security bulletins and advisories
  • Clear instructions for reporting security concerns
  • Transparency about our security practices and certifications

8. User Responsibilities

While we implement comprehensive security measures, users play an important role in maintaining security:

  • Using strong, unique passwords for their accounts
  • Enabling multi-factor authentication when available
  • Keeping their devices and browsers updated
  • Being vigilant against phishing attempts targeting their account
  • Reporting suspicious activities promptly

9. Contact Information

For questions or concerns about our CyberResilience Act compliance or to report security vulnerabilities, please contact:

  • Security Team: security@longcovidcompanion.com
  • Vulnerability Reports: security-report@longcovidcompanion.com
  • CRA Compliance Officer: cra-compliance@longcovidcompanion.com

10. Updates to This Document

This document will be updated regularly to reflect changes in our security practices, CRA requirements, or identified risks. Users will be notified of significant changes to our security practices.

Last security assessment completed: February 15, 2025

Next scheduled assessment: August 15, 2025

© 2025 CyberResilience.pro All Rights Reserved