Device Security
TegmenSoft enables you to manage CRA compliance from a single control plane, from embedded teams fighting hardware constraints to enterprise IT teams managing tens of thousands of devices.
MCU minimum: 256 KB Flash · 64 KB RAM
Linux support: ARM64 · x86_64 · MIPS
TLS: 1.3 + mTLS, AES-256-GCM
Signing: Ed25519 / ECDSA-P256
Architecture
A single control plane from hardware identity to cloud reporting. Each layer is built as a cryptographic foundation that the layer above can trust.
MCU / Embedded Linux
Starts at the Root of Trust and hardware identity level: the fundamental cryptographic identity that all upper layers depend on.
Chip-to-Cloud Control Plane
The middle layer housing PKI/CA, SBOM engine, and OTA server. Integrates into CI/CD pipelines as a low-footprint library.
Multi-tenant Cloud
Multi-tenant cloud layer; each manufacturer's fleet, audit trails, and reports are isolated with RLS guarantees.
Lifecycle
Six core phases where TegmenSoft works alongside the manufacturer, from the production line to a retired device.
The SDK runs as a build step in existing Jenkins/GitLab/GitHub Actions pipelines; it produces and signs an SBOM for every artifact.
Each device receives a unique, unclonable cryptographic identity (PUF + certificate) on the production line; Root of Trust is established here.
The device streams periodic telemetry and event logs to the cloud control plane over mTLS; behavioral anomalies are correlated.
When active exploitation is detected, notification drafts are automatically generated; the compliance team approves, the system sends.
The OTA infrastructure distributes signed firmware with staged (canary → general) rollout and A/B partition protection.
All events, reports, and OTA deployments are stored signed in a long-term archive; this meets CRA Article 14 requirements.
Platform
Competitors silo this cycle. TegmenSoft completes every stage within a single SDK.
Software Bill of Materials & CVE Matching
Extracts a real-time inventory of all software components (open-source and commercial) running on the device and automatically matches them against the NVD and MITRE CVE databases. Produces signed SBOMs in SPDX and CycloneDX formats.
Article 14 Trigger Mechanism
Detects not just theoretical vulnerabilities but active in-the-wild exploitation through device logs and alarms. The early warning layer that triggers CRA Article 14's 24-hour reporting obligation.
< 24 Hour Legal Notification Automation
Automatically converts detected vulnerabilities into ENISA Single Reporting Platform (SRP) format; prepares early warning, 72-hour full notification, and 14-day final report drafts including affected member states, product lines, and mitigation steps.
Signed Firmware, Bricking Protection
Cryptographically signed (Ed25519 / RSA-PSS) secure firmware distribution with A/B partition rollback and bricking protection — deploys vulnerability patches fleet-wide within hours.
Secure OTA
A secure update layer that is cryptographically signed, supports A/B partition rollback, and is optimized for low bandwidth.
Ed25519 / RSA-PSS signed packages; the device only accepts approved firmware verified with the manufacturer's root certificate.
If an update fails, the device automatically rolls back to the working partition. Bricking risk is eliminated.
Only changed blocks are sent; enables practical deployment even on low-bandwidth 2G/NB-IoT devices.
Security Stack
From hardware to cloud database, each layer is built as a cryptographic foundation that the layer above trusts.
Schedule a 30-minute technical deep-dive with our CTO, cryptography, and embedded systems experts. We'll analyze your current product portfolio and map a CRA compliance path.