# Overview

How Flopsar handles security, vulnerabilities, regulatory conformity, and product lifecycle commitments.

Flopsar Technology Sp. z o.o. designs, develops, and licenses Flopsar — a fault detection and diagnosis platform for production Java systems. Flopsar is commercial, proprietary software, distributed under a commercial licence; its source code is not published. Because Flopsar typically runs inside the trust boundary of the customer's most sensitive applications, the way we build, ship, and maintain the product is itself a security concern for the operator — and that concern has to be addressed through documentation, contractual commitments, and verifiable artefacts rather than through source disclosure.

This section of the documentation collects the artefacts that let security, compliance, procurement, and legal teams perform that verification. It is intended to be read as a coherent statement of our posture, not as marketing material.

## What this section covers

Trust & Compliance is the **regulatory and lifecycle** view of the product. It answers the questions that an external reviewer needs answered before Flopsar can be approved for use:

* **How long will this version receive security updates?**
* **What happens when somebody finds a vulnerability?**
* **What third-party code is shipped inside the product, under what licences?**
* **Which regulations apply to the product, and where is the evidence of conformity?**
* **Whom do I contact, and how, under each of the above scenarios?**

It does not duplicate the operator documentation. Instructions for the secure deployment, hardening, key management, and audit-log configuration of a running Flopsar installation live under Security. Functional user-facing documentation — profiles, data browser, metrics — lives under User Guide. Trust & Compliance focuses on the artefacts that exist *because of* regulation and customer governance, not because of product function.

## How we approach trust in a closed-source product

We treat trust as the composition of three commitments that have to hold simultaneously, for every release, for every component:

1. **Verifiable identity of every release.** Every released artefact — server binary, agent shared library, workstation bundle, container image — is uniquely identified by name and version, is cryptographically signed, and is accompanied by a CycloneDX Software Bill of Materials. Customers and competent authorities can determine which third-party components are shipped inside the product, and at which version, without needing access to the source code.
2. **A clear and time-bound response to vulnerabilities.** A single public point of contact accepts vulnerability reports; an internal PSIRT process triages, fixes, and releases patches against published timelines; an advisory is then published in a machine-readable format (CSAF 2.0 and CycloneDX VEX) so that customers can react automatically. Reports from third-party security researchers are governed by a published Coordinated Vulnerability Disclosure policy with a safe harbour statement.
3. **A predictable lifecycle.** Each release line has a stated end of security support, announced at least twelve months before its end-of-life date, and the schedule is honoured. These commitments map directly to obligations under the European Union Cyber Resilience Act (Regulation (EU) 2024/2847), but they predate the regulation in our internal process. The regulation made them auditable.
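The second commitment above says that advisories are machine-readable so customers can react automatically. As an added illustration of what that reaction looks like on the customer side (this is example code written for this page, not Flopsar's own tooling or a Flopsar API), the script below triages a CycloneDX VEX document against the CycloneDX SBOM of an installed artefact and reports which statements actually concern the components that are installed. Both documents are constructed sample data: the vulnerability IDs, component names and purls are hypothetical. It assumes each `affects[].ref` in the VEX is either a purl that also appears in the SBOM or a CycloneDX BOM-Link (`urn:cdx:<serial>/<version>#<bom-ref>`) whose fragment names a component `bom-ref`; version ranges in `affects[].versions` are ignored.

```python
"""Triage a CycloneDX VEX advisory against the CycloneDX SBOM of an installed artefact.

Added example, not Flopsar's tooling. Sample documents are constructed;
IDs, component names and purls are hypothetical.
"""
import json

# Constructed SBOM for one installed artefact (hypothetical components).
INSTALLED_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "lib-json", "name": "example-json",
         "version": "2.1.0", "purl": "pkg:maven/org.example/example-json@2.1.0"},
        {"type": "library", "bom-ref": "lib-netty", "name": "example-netty",
         "version": "4.0.9", "purl": "pkg:maven/org.example/example-netty@4.0.9"},
    ],
})

# Constructed VEX advisory (hypothetical vulnerability IDs and analyses).
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {   # vendor confirms impact on the installed version: must patch
            "id": "EXAMPLE-2024-0001",
            "source": {"name": "vendor-psirt"},
            "analysis": {"state": "exploitable", "response": ["update"],
                         "detail": "Fixed in example-json 2.1.1."},
            "affects": [{"ref": "pkg:maven/org.example/example-json@2.1.0"}],
        },
        {   # vendor rules it out; component referenced through a BOM-Link
            "id": "EXAMPLE-2024-0002",
            "source": {"name": "vendor-psirt"},
            "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                         "detail": "Vulnerable codec is never loaded."},
            "affects": [{"ref": "urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#lib-netty"}],
        },
        {   # affects a version that is not installed here: not our problem
            "id": "EXAMPLE-2024-0003",
            "source": {"name": "vendor-psirt"},
            "analysis": {"state": "exploitable"},
            "affects": [{"ref": "pkg:maven/org.example/example-json@1.9.0"}],
        },
    ],
})

# CycloneDX analysis states mapped to what an operator should do about them.
ACTION_BY_STATE = {
    "exploitable": "patch",     # vendor confirms impact: apply the fix
    "in_triage": "monitor",     # vendor still assessing: watch for an update
    "not_affected": "none",
    "false_positive": "none",
    "resolved": "none",
    "resolved_with_pedigree": "none",
}


def installed_refs(sbom_json: str) -> set[str]:
    """Every identifier (purl or bom-ref) by which an installed component can be named."""
    refs = set()
    for comp in json.loads(sbom_json).get("components", []):
        for key in ("purl", "bom-ref"):
            if comp.get(key):
                refs.add(comp[key])
    return refs


def normalise_ref(ref: str) -> str:
    """Reduce a BOM-Link to its bom-ref fragment; plain purls/bom-refs pass through."""
    if ref.startswith("urn:cdx:") and "#" in ref:
        return ref.split("#", 1)[1]
    return ref


def triage(vex_json: str, sbom_json: str) -> list[dict]:
    """Return the VEX statements that name a component present in the SBOM."""
    present = installed_refs(sbom_json)
    findings = []
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        # A statement without an analysis block is treated as still under triage.
        state = vuln.get("analysis", {}).get("state", "in_triage")
        hits = sorted(r for r in (normalise_ref(a["ref"]) for a in vuln.get("affects", []))
                      if r in present)
        if not hits:
            continue  # the advisory does not touch this installation
        findings.append({
            "id": vuln["id"],
            "state": state,
            "components": hits,
            # An unrecognised state is handled conservatively: keep watching it.
            "action": ACTION_BY_STATE.get(state, "monitor"),
        })
    return findings


def ids_needing_patch(vex_json: str, sbom_json: str) -> list[str]:
    """Vulnerability IDs the operator must act on for this installation."""
    return [f["id"] for f in triage(vex_json, sbom_json) if f["action"] == "patch"]


if __name__ == "__main__":
    for f in triage(VEX_JSON, INSTALLED_SBOM_JSON):
        print(f"{f['id']}: {f['state']} -> {f['action']} ({', '.join(f['components'])})")
```

Run as-is it lists EXAMPLE-2024-0001 as requiring a patch and EXAMPLE-2024-0002 as needing no action, and drops EXAMPLE-2024-0003 because the affected version is not installed. In a real pipeline the SBOM would be the one shipped alongside the artefact you deployed, and the signature on both documents would be checked before anything is parsed; a VEX that you cannot authenticate is just an unverified claim about what is and is not exploitable.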

## What is and is not public

Because Flopsar is proprietary software, we distinguish between three categories of information:

* **Public.** The documents that regulation requires to be openly available — the Coordinated Vulnerability Disclosure policy, the public-facing security advisories, the support and maintenance lifecycle, the EU Declaration of Conformity, the single point of contact for vulnerability reports, and the public commitments on this page — are published on this documentation site without authentication. Where this site does not host an artefact directly (for example, a signed PDF), it links to the authoritative location.
* **Available to competent authorities on request.** The full technical documentation prescribed by Annex VII of the Cyber Resilience Act, including risk assessments, internal test reports, the secure development lifecycle description, and supporting evidence of conformity, is retained internally for at least ten years and is provided to market surveillance authorities upon a reasoned request, subject to the trade-secret protections of Article 53 of the Regulation.
* **Not disclosed.** Material that is commercially sensitive, or whose disclosure would reduce the security of the product for our customers, including the source code itself, is not disclosed.

This three-tier model lets us meet every applicable regulatory obligation without disclosing material that is commercially sensitive or that would otherwise reduce the security of the product for our customers.

## Audience

This section is written for readers who are not necessarily using the product day-to-day. In particular:

* **Procurement and vendor risk teams** preparing a vendor risk assessment or a Data Processing Agreement.
* **Security and compliance officers** mapping Flopsar to an internal control framework (ISO/IEC 27001, SOC 2, NIS2 operator obligations).
* **Auditors and assessors**, including market surveillance authorities under the Cyber Resilience Act.
* **Security researchers** preparing a coordinated vulnerability disclosure.
* **National CSIRTs and ENISA**, in the context of Article 14 of the Cyber Resilience Act.

If you are operating an installed Flopsar deployment and looking for a hardening checklist or a key-rotation procedure, the Security section is the right place instead.

## Regulatory framing

Flopsar is placed on the European Union market by Flopsar Technology Sp. z o.o., based in Poland. Under the Cyber Resilience Act, Flopsar 7.x is classified as a product with digital elements in the **default category** — that is, it is not listed in Annex III or Annex IV of the Regulation and therefore is not classified as an "important" (class I or II) or "critical" product. Conformity assessment is carried out using **Module A (internal production control)** under Annex VIII, point 1 of the Regulation. No external notified body is involved in the conformity assessment for products in this category.

The Cyber Resilience Act entered into force on 10 December 2024. The obligation to report actively exploited vulnerabilities to ENISA (Article 14) applies from 11 September 2026, and the remaining obligations — including the requirement of CE marking for placing the product on the EU market — apply from 11 December 2027. Flopsar's compliance documentation is aligned to those dates: the public-facing artefacts in this section are scheduled to be complete before each applicable deadline, and the supporting internal technical documentation prescribed by Annex VII of the Regulation is retained for at least ten years after a release is first placed on the market, as required by Article 31(2).

Beyond the Cyber Resilience Act, Flopsar's documentation also addresses the operator-side implications of the NIS2 Directive (Directive (EU) 2022/2555) for customers operating essential or important entities. The Regulatory Compliance page provides the traceability matrix for each.

