This section collects security, compliance-oriented transparency, and hardening information for Decabill: mapping to EU Cyber Resilience Act (CRA) and BSI IT-Grundschutz documentation themes, a formal accepted-risk register, vulnerability reporting, SBOM artifacts, and pointers to environment variables for production.
For disclosure, supported versions, SBOM paths, and response-time commitments, see Vulnerability reporting and artifacts. A concise risk summary table is in Accepted risks.
Decabill spans browsers, a NestJS billing API, Express SSR frontends (billing console and docs), Redis-backed background jobs, and optional cloud provisioning for bundled product stacks. Security is enforced through authentication modes, tenant guards, sanitized logging, content security policy choices, hardened container images (non-root users, no default secrets in images), Stripe webhook verification, and documented residual risks where product or deployment constraints apply.
The compliance mapping explains how the public documentation relates to the CRA (Regulation (EU) 2024/2847) and to BSI IT-Grundschutz and typical ISMS practice: the artifacts expected, the transparency goals, and a high-level product mapping. It is informative only; conformity and certification require your own legal and audit advisors.
The accepted-risk register covers DR-001 through DR-005: provisioning SSH posture, billing multi-tenant API key scope, frontend CSP, backend authentication method resolution, and Trivy unfixed-CVE gating. Each entry records its acceptance date, review cadence, mitigations, and withdrawal path.
The container runtime users (agenstra / node) are documented for decabill-billing-api, decabill-billing-console-server, and decabill-docs-server.
Implemented controls are documented for container image hardening, correlation IDs and access logs, the tenant guard, runtime /config proxy behavior, CSP and CSP_ENFORCE, WebSocket CORS, and authentication resolution behavior.
Vulnerability reporting and artifacts covers responsible disclosure, the CycloneDX SBOM location on Decabill R2 (decabill-*.cdx.json), and downloads at downloads.decabill.com.
Automated Trivy scans run on pull requests, with a fail gate on CRITICAL findings (fixable issues only; see DR-005).
For variable-by-variable deployment settings, including CONFIG_*, CSP_ENFORCE, TENANTS, STATIC_API_KEY_TENANT_ID, and the Stripe variables, see Environment configuration and the Production checklist.
- Deployment - Docker and production guides
- Architecture - Trust boundaries and components
- Features - Product capabilities including multi-tenancy and payments
This folder is maintained for public transparency. Regulatory applicability of the CRA and national schemes depends on how the software is supplied and used; see Compliance and standards.