Skip to content

Manufacturer identification — CRA Art. 10 / Art. 13(8)

This page is the manufacturer-identification record required by CRA Art. 10 (accompanying documentation) and Art. 13(8) (single point of contact) for the CRE8EVE-shipped SDKs.

Keep in sync with /SECURITY.md § Manufacturer Identification. The legal-entity facts below are sourced from the same single record (@rakomi/shared CRE8EVE_ENTITY, verified against the Polish KRS register). If a registration fact changes, update the source record first; this page and SECURITY.md are renders of it, never a fork.

FieldValue
Legal entityCRE8EVE Sp. z o.o.
Legal formSpółka z ograniczoną odpowiedzialnością (limited liability company)
Registered postal addressTulipanowa 4, 72-003 Dobra, Poland
EU establishmentPoland (EU Member State)
RegisterKRS 0000912669 — Sąd Rejonowy Szczecin-Centrum w Szczecinie, XIII Wydział Gospodarczy KRS
Tax identifiersNIP 8513262229 · REGON 389506637
Single point of contactsecurity@rakomi.com (role-based address — no personal mailbox or phone is published)

EU establishment — no Authorised Representative required

Section titled “EU establishment — no Authorised Representative required”

CRE8EVE Sp. z o.o. is itself established in the European Union (Poland). Under CRA Art. 13(4), the obligation to appoint an EU-established Authorised Representative applies only to manufacturers established outside the Union. Because the manufacturer is EU-established, no Art. 13(4) Authorised Representative is required — the manufacturer fulfils the manufacturer obligations directly.

CRE8EVE is governed by a two-director Management Board (Zarząd):

  • Bogumil Wrona — President of the Management Board (Prezes Zarządu)
  • Agnieszka Wrona — Member of the Management Board (Członek Zarządu)

The two-director board is recorded here as a continuity and availability signal, not merely a legal field: vulnerability-handling decisions and the single point of contact remain operable if one director is unavailable (succession / break-glass). It is the same dual-authority posture used across CRE8EVE’s governance controls.

The four customer-shipped SDK packages are classified under CRA Annex III as Class I important products (identity-management software):

PackageEcosystemSource
@rakomi/nodenpm (JS family)packages/sdk/
@rakomi/sdk-corenpm (JS family)packages/sdk-core/
@rakomi/reactnpm (JS family)packages/react/
@rakomi/react-nativenpm (JS family)packages/react-native/

The native lines RakomiSDK (Swift) and rakomi_flutter (Dart) are CRA-scoped manufacturer products as well; their distribution and per-package accompanying documentation are tracked separately (native SDK distribution work) and are not yet published.

The in-scope SDKs are Class I important products under CRA Annex III. For Class I products the manufacturer may demonstrate conformity through the internal-control procedure (Annex VIII, Module A) — a manufacturer self-assessment with no mandatory third-party (notified-body) involvement. CRE8EVE follows the Module A / internal control route.

The EU Declaration of Conformity and CE marking attach at the CRA application date (December 2027) per the CRA application timeline (Art. 71); they are not yet issued. Publishing a pre-1.0 (0.x) package today is a forward-looking distribution and is not a present conformity claim.

The coordinated vulnerability-disclosure policy, response targets, and reporting channel are defined once in /SECURITY.md and published in machine-readable form at https://rakomi.com/.well-known/security.txt. The operational reporting capability (national CSIRT identification, EU single-reporting-platform onboarding, statutory filing timelines) is being stood up separately as part of CRA Art. 14 reporting readiness; this documentation describes the policy and intent.