1. EU Declaration of Conformity
The manufacturer declares under its sole responsibility that the product identified below complies with Regulation (EU) 2024/2847 of the European Parliament and of the Council of 27 November 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (Cyber Resilience Act).
Product identification:
Product name: CryptPeer®
Product type: Software product with digital elements
Product version: As specified in the product documentation
Product identifier: CryptPeer® — End-to-end encrypted peer-to-peer communication software
2. Manufacturer Identification
Legal name: FullSecure / CryptPeer
Trade name: FullSecure
Registered address:
Av. Copríncep de Gaulle, núm. 13
Edifici Valira — Planta Baixa
AD700 Escaldes — Engordany
PRINCIPAT D'ANDORRA
Country of establishment: Principality of Andorra
Official website: https://cryptpeer.com
Contact: Available through the official website contact form
3. Product Description
Functional scope: CryptPeer® is a software product designed to provide end-to-end encrypted peer-to-peer communication services, including messaging and voice/video calling capabilities. The product operates on a self-hosted, federated, peer-to-peer architecture, enabling secure communication between users without reliance on centralised servers for message routing.
Primary functionality: The primary function of CryptPeer® is secure communication (encrypted messaging and end-to-end encrypted calls), based on a self-hosted and federated architecture. The product is not designed as a network security component (firewall, IDS/IPS), nor as an identity management infrastructure, nor as a hardware security device.
Target users: Organisations, enterprises, and managed environments requiring secure communication capabilities with full control over data hosting and routing.
Explicit limitations: The product does not provide network security functions, identity management services, or hardware security module capabilities. The product is intended for use in managed environments where users have appropriate technical capabilities to deploy and maintain the self-hosted infrastructure components.
4. Legal Basis for Conformity
This declaration is issued in accordance with Regulation (EU) 2024/2847 (Cyber Resilience Act), which entered into force on 16 January 2025.
Applicable articles:
- Article 10 — Essential cybersecurity requirements
- Article 11 — Security by design and by default
- Article 12 — Vulnerability handling requirements
- Article 13 — Reporting obligations
- Article 14 — Documentation requirements
- Article 15 — Information and instructions to users
- Article 16 — Software bill of materials (SBOM)
Product category under CRA: Product with digital elements — standard category
Justification for standard category classification: The product is not explicitly listed in Annex III (important products of class I and II) or Annex IV (critical products) of Regulation (EU) 2024/2847. The classification is based on the primary functionality of the product, which is secure communication rather than network security, identity management, or hardware security functions.
5. Conformity Assessment Procedure
Conformity assessment module applied: Module A — Internal production control and EU declaration of conformity (self-assessment)
Justification for Module A: As a product with digital elements classified in the standard category, CryptPeer® is subject to Module A in accordance with Article 23(1) of Regulation (EU) 2024/2847. No notified body is involved in the conformity assessment procedure for products in the standard category under Module A.
Absence of notified body: The conformity assessment has been carried out by the manufacturer without the involvement of a notified body, in accordance with the provisions of Module A for standard category products.
6. Conformity with Essential Requirements
The manufacturer declares that the product complies with the essential cybersecurity requirements set out in Article 10 of Regulation (EU) 2024/2847:
6.1 Security by design and by default (Article 11): The product has been designed and developed with cybersecurity considerations integrated from the initial design phase. Security features are enabled by default, and the product architecture minimises attack surfaces through peer-to-peer communication, end-to-end encryption, and self-hosted deployment options.
6.2 Protection against unauthorised access (Article 10(1)(a)): The product implements cryptographic mechanisms to protect against unauthorised access to data in transit and, where applicable, data at rest. Access control mechanisms are provided to restrict access to communication channels and user data to authorised users only.
6.3 Integrity, confidentiality, and availability (Article 10(1)(b), (c), (d)): The product employs end-to-end encryption to ensure data confidentiality. Integrity protection mechanisms are implemented to detect unauthorised modifications to communication content. The peer-to-peer architecture supports availability by reducing dependency on centralised infrastructure, subject to the availability of network connectivity and user-managed infrastructure components.
6.4 Vulnerability management (Article 12): The manufacturer maintains processes for the identification, assessment, prioritisation, and remediation of security vulnerabilities. Vulnerabilities are addressed through security updates, which are made available to users through the product's update mechanism.
6.5 Updates and product lifecycle (Article 10(1)(e)): The manufacturer provides security updates for the product throughout its lifecycle. Update mechanisms are designed to maintain security and functionality while minimising disruption to users. The manufacturer commits to providing security updates for a period consistent with the product's intended use and market expectations.
7. Vulnerability Handling and Incident Management
Internal vulnerability management process: The manufacturer maintains documented procedures for vulnerability identification, assessment, prioritisation (including use of CVSS and business impact criteria), remediation, and disclosure. The process includes coordination with security researchers through a coordinated vulnerability disclosure policy.
Notification capability: The manufacturer has the capability to notify actively exploited vulnerabilities and serious incidents to the coordinating CSIRT (CERT-FR in France, or the relevant national CSIRT in other Member States) via ENISA, in accordance with Article 13 of Regulation (EU) 2024/2847.
Vulnerability registry: The manufacturer maintains records of vulnerabilities discovered, assessed, and remediated, including dates of discovery, assessment, remediation, and disclosure, as required for traceability and compliance monitoring.
8. Technical Documentation
Technical file: The manufacturer maintains a technical file containing documentation demonstrating compliance with the essential cybersecurity requirements of Regulation (EU) 2024/2847. The technical file includes, inter alia:
- Product description and functional specifications
- Architecture documentation and security design principles
- Risk assessment and mitigation measures
- Vulnerability management procedures
- Testing and validation documentation
- Software bill of materials (SBOM)
- User documentation and security instructions
Availability to market surveillance authorities: The technical documentation is available to the competent market surveillance authorities upon request, in accordance with Article 14 of Regulation (EU) 2024/2847. Requests should be addressed to the manufacturer through the official contact channels.
9. Manufacturer's Commitment
Ongoing conformity: The manufacturer commits to maintaining the product's conformity with Regulation (EU) 2024/2847 throughout the product's lifecycle. This includes continued compliance with essential cybersecurity requirements, provision of security updates, and adherence to vulnerability handling and notification obligations.
Cooperation with market surveillance authorities: The manufacturer commits to cooperating with the competent market surveillance authorities, including ANFR (Agence Nationale des Fréquences) in France and equivalent authorities in other Member States, in the context of market surveillance activities, investigations, and compliance verification procedures.
Product modifications: In the event of significant modifications to the product that may affect its conformity with the essential requirements, the manufacturer will reassess conformity and, where necessary, update this declaration accordingly.
10. Declaration and Signature
Place of issue: Escaldes-Engordany, Principality of Andorra
Date of issue: 15 January 2025
Name and function of signatory: Jacques Gascuel, CEO, Freemindtronic
Signature: Jacques Gascuel
Note: This declaration is made available to users and market surveillance authorities in accordance with Article 14(2) of Regulation (EU) 2024/2847. The declaration is published on the manufacturer's official website at https://cryptpeer.com.