Manufacturer identification — CRA Art. 10 / Art. 13(8)
This page is the manufacturer-identification record required by CRA Art. 10 (accompanying documentation) and Art. 13(8) (single point of contact) for the CRE8EVE-shipped SDKs.
Keep in sync with
/SECURITY.md§ Manufacturer Identification. The legal-entity facts below are sourced from the same single record (@rakomi/sharedCRE8EVE_ENTITY, verified against the Polish KRS register). If a registration fact changes, update the source record first; this page andSECURITY.mdare renders of it, never a fork.
Manufacturer
Section titled “Manufacturer”| Field | Value |
|---|---|
| Legal entity | CRE8EVE Sp. z o.o. |
| Legal form | Spółka z ograniczoną odpowiedzialnością (limited liability company) |
| Registered postal address | Tulipanowa 4, 72-003 Dobra, Poland |
| EU establishment | Poland (EU Member State) |
| Register | KRS 0000912669 — Sąd Rejonowy Szczecin-Centrum w Szczecinie, XIII Wydział Gospodarczy KRS |
| Tax identifiers | NIP 8513262229 · REGON 389506637 |
| Single point of contact | security@rakomi.com (role-based address — no personal mailbox or phone is published) |
EU establishment — no Authorised Representative required
Section titled “EU establishment — no Authorised Representative required”CRE8EVE Sp. z o.o. is itself established in the European Union (Poland). Under CRA Art. 13(4), the obligation to appoint an EU-established Authorised Representative applies only to manufacturers established outside the Union. Because the manufacturer is EU-established, no Art. 13(4) Authorised Representative is required — the manufacturer fulfils the manufacturer obligations directly.
Governance & continuity
Section titled “Governance & continuity”CRE8EVE is governed by a two-director Management Board (Zarząd):
- Bogumil Wrona — President of the Management Board (Prezes Zarządu)
- Agnieszka Wrona — Member of the Management Board (Członek Zarządu)
The two-director board is recorded here as a continuity and availability signal, not merely a legal field: vulnerability-handling decisions and the single point of contact remain operable if one director is unavailable (succession / break-glass). It is the same dual-authority posture used across CRE8EVE’s governance controls.
Products covered (CRA-scoped)
Section titled “Products covered (CRA-scoped)”The four customer-shipped SDK packages are classified under CRA Annex III as Class I important products (identity-management software):
| Package | Ecosystem | Source |
|---|---|---|
@rakomi/node | npm (JS family) | packages/sdk/ |
@rakomi/sdk-core | npm (JS family) | packages/sdk-core/ |
@rakomi/react | npm (JS family) | packages/react/ |
@rakomi/react-native | npm (JS family) | packages/react-native/ |
The native lines RakomiSDK (Swift) and rakomi_flutter (Dart) are CRA-scoped manufacturer products
as well; their distribution and per-package accompanying documentation are tracked separately (native
SDK distribution work) and are not yet published.
Conformity assessment route
Section titled “Conformity assessment route”The in-scope SDKs are Class I important products under CRA Annex III. For Class I products the manufacturer may demonstrate conformity through the internal-control procedure (Annex VIII, Module A) — a manufacturer self-assessment with no mandatory third-party (notified-body) involvement. CRE8EVE follows the Module A / internal control route.
The EU Declaration of Conformity and CE marking attach at the CRA application date (December 2027)
per the CRA application timeline (Art. 71); they are not yet issued. Publishing a pre-1.0 (0.x)
package today is a forward-looking distribution and is not a present conformity claim.
Vulnerability handling & contact
Section titled “Vulnerability handling & contact”The coordinated vulnerability-disclosure policy, response targets, and reporting channel are defined
once in /SECURITY.md and published in
machine-readable form at https://rakomi.com/.well-known/security.txt.
The operational reporting capability (national CSIRT identification, EU single-reporting-platform
onboarding, statutory filing timelines) is being stood up separately as part of CRA Art. 14 reporting
readiness; this documentation describes the policy and intent.
See also
Section titled “See also”- CRA compliance — accompanying documentation — the full Art. 10 map
- Art. 10 documentation-completeness checklist
- SDK Support & Lifecycle — the dated support-window trust page