Certifications & attestations
Trust Services Criteria · 2026 audit window
Annual audit by an AICPA-licensed firm. Report available under NDA.
Information security management
Certified scope: design, development, and operation of sapctl cloud services.
Not in scope
Cardholder data is processed by Stripe; sapctl never stores PAN. SAQ-A applies to our merchant relationship.
Software bill of materials
Every signed release publishes a CycloneDX 1.7 and SPDX 3.0.1 SBOM, plus SLSA L3 provenance attestations. Download the latest:
- sapctl-0.1.0.cdx.json (CycloneDX 1.7)
- sapctl-0.1.0.spdx.json (SPDX 3.0.1)
- sapctl-0.1.0.intoto.jsonl (in-toto attestation)
Verify each download with cosign verify-blob against our published Fulcio (Sigstore) signing identity.
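cosign verify-blob checks the signature and the Fulcio identity; it does not by itself tell you that the attestation you verified is about the SBOM file you downloaded. The following is an added example, not sapctl's own tooling, of that second check: decode the DSSE envelopes in the .intoto.jsonl file, find an in-toto Statement whose predicate is SLSA provenance, and confirm that its subject name and sha256 digest match the local SBOM. The SBOM bytes, digests, build details and the placeholder signature field are all constructed for illustration.

```python
"""Added example (not sapctl's own code): bind a verified in-toto attestation
to the SBOM file that was actually downloaded.

Assumptions, all constructed for this illustration:
  - the SBOM is a minimal CycloneDX 1.7 document built inline below;
  - the attestation is a DSSE envelope with a placeholder signature
    (signature verification is cosign verify-blob's job, not this script's).
"""
import base64
import hashlib
import json

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
DSSE_INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed stand-in for the downloaded sapctl-0.1.0.cdx.json bytes.
SBOM_BYTES = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.7",
    "components": [{"type": "library", "name": "example-dep", "version": "1.2.3"}],
}, sort_keys=True).encode()


def make_envelope(subject_name, artifact, predicate_type=SLSA_PROVENANCE_V1):
    """Build one DSSE envelope line wrapping an in-toto Statement over `artifact`.

    Constructed fixture: the build definition and the signature are placeholders,
    used only so the binding check below has realistic input to parse.
    """
    statement = {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [{
            "name": subject_name,
            "digest": {"sha256": hashlib.sha256(artifact).hexdigest()},
        }],
        "predicateType": predicate_type,
        "predicate": {"buildDefinition": {"buildType": "placeholder://example-build"}},
    }
    payload = json.dumps(statement).encode()
    return json.dumps({
        "payloadType": DSSE_INTOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
    })


def attestation_covers(jsonl_text, filename, artifact):
    """Return True if some envelope in the .intoto.jsonl text names `filename`
    with the sha256 of `artifact` under a SLSA v1 provenance predicate."""
    want = hashlib.sha256(artifact).hexdigest()
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != DSSE_INTOTO_PAYLOAD_TYPE:
            continue
        statement = json.loads(base64.b64decode(envelope["payload"]))
        if statement.get("_type") != INTOTO_STATEMENT_V1:
            continue
        if statement.get("predicateType") != SLSA_PROVENANCE_V1:
            continue
        for subject in statement.get("subject", []):
            digest = subject.get("digest", {}).get("sha256", "")
            # Compare digests without short-circuiting on the first differing byte.
            if subject.get("name") == filename and hashlib.sha256(artifact).hexdigest() == want \
                    and len(digest) == len(want) and all(a == b for a, b in zip(digest, want)):
                return True
    return False


if __name__ == "__main__":
    # Constructed release: one attestation over the constructed SBOM bytes.
    jsonl = make_envelope("sapctl-0.1.0.cdx.json", SBOM_BYTES) + "\n"
    print("attestation covers SBOM:", attestation_covers(jsonl, "sapctl-0.1.0.cdx.json", SBOM_BYTES))
    print("attestation covers tampered SBOM:",
          attestation_covers(jsonl, "sapctl-0.1.0.cdx.json", SBOM_BYTES + b" "))
```

Run cosign verify-blob on the attestation first (keyless verification needs the --certificate-identity and --certificate-oidc-issuer flags that name the publisher's Fulcio identity); only then does the subject-digest check above mean anything, because an attacker who can swap the SBOM can just as easily swap an unverified attestation to match it.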
Penetration testing
Annual third-party penetration test, with a retest after material architecture change. Executive summary available on request; the full report is available under NDA.
EU CRA Annex IV statement
From 11 December 2027 the EU Cyber Resilience Act applies in full to sapctl as a “product with digital elements”. Our Annex IV technical documentation includes: product description, intended use, risk assessment, threat model, secure development lifecycle, vulnerability handling, applied harmonised standards, and a CE marking statement.
Latest draft Annex IV pack is available to customers and conformity assessors: trust@sapctl.dev.
Sub-processors
See the full sub-processor list and subscribe to the change feed.
Contact
trust@sapctl.dev · for security disclosures, see our security policy.