01 BOMVAULT // EVIDENCE PLATFORM

AUDIT EVERYTHING.
SHIP THE EVIDENCE,
NOT JUST THE SBOM

BOMvault generates the full, immutable compliance dossier that FDA auditors, DoD ISSOs, and EU CRA reviewers actually sign off on — from a single SBOM run. Built for regulated software teams that cannot afford a Refuse-to-Accept letter.

Conforms to: FDA 21 CFR Part 820 / QMSR, NIST 800-218 SSDF, EU CRA, CycloneDX 1.6, SPDX 3.0, SOC 2
02 EVIDENCE PACKAGE // BV-2026-0509-01
Sealed
sha256:3c8d7e2a…9f1ba03d
release_group: cardio-pump-v3.4 // submitter: r.miles@medtech.io
  1. RECEIVED
  2. VERIFIED
  3. SEALED
  4. ARCHIVED
id        submitted              stage                     status
3c8d7e2a  2026-05-09_18:42:11Z   Vulnerability enrichment  VERIFIED
9f1ba03d  2026-05-09_18:42:14Z   License provenance        VERIFIED
61cc4470  2026-05-09_18:42:17Z   Evidence Builder          SEALED
07e2891c  2026-05-09_18:42:18Z   S3 Object Lock            ARCHIVED
Retention: 7y // Storage: S3 Object Lock // SOC 2 Type II
02 THE GAP // EVIDENCE NOT FILES

Your SBOM tool will not
prevent a failed audit.

FDA reviewers, DoD ISSOs, and EU CRA market surveillance do not audit your SBOM file. They audit the cybersecurity documentation package: vulnerability assessments, VEX justifications, component support status, end-of-support dates, and a security architecture view — all tied to the release.

Most tools stop at generating the file. BOMvault closes the gap between SBOM generation and a tamper-evident submission artifact an auditor signs off on, automatically, for every release.

02 // STATUS QUO
Exception

Status quo

Stitched together. Manual before every submission.

  • Snyk for vulnerabilities, FOSSA for license, sheets for support status.
  • SBOM stored in a portal or shared drive. No immutable audit trail.
  • VEX statements and security architecture written by hand the week of submission.
  • One framework at a time — re-run for DoD SSDF, redo for EU CRA.
02 // BOMVAULT
Verified

BOMvault

One pipeline. Audit-ready, every release.

  • Generation, vuln enrichment, and license provenance in one Rust+Go pipeline.
  • Immutable S3 Object Lock storage with SOC 2 audit trail, 7-year retention.
  • Evidence Builder assembles VEX, support status, and architecture into a dossier.
  • Multi-framework: FDA 21 CFR Part 820, NIST 800-218 SSDF, EU CRA from one run.
03 PIPELINE // SOURCE TO SEAL

One pipeline. Source code
to sealed evidence.

Every release runs through the same four-stage chain of custody. Hashes are recorded at each stage, statuses are typed, and the output is a framework-specific package — not another SBOM file in a portal.

03.1

Generation

Multi-format SBOMs from source and containers. CycloneDX 1.6 and SPDX 3.0 from a Rust Syft/Grype scanner pool.

03.2

Enrichment

Vulnerability data from OSV, GHSA, and NVD. Three-tier license provenance with conflict detection and risk scoring.

03.3

Evidence Builder

Assembles VEX, support status, end-of-support dates, and security architecture views into a framework-specific dossier.

03.4

Sealed storage

Immutable S3 Object Lock, SOC 2 audit trail, 7-year retention, SAML 2.0 / OAuth 2.0 SSO, and PostgreSQL row-level multi-tenancy.
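The four-stage chain of custody described above, as an added Go example that is not BOMvault's own code: each stage record carries the sha256 of the artifact it produced plus the digest of the previous record, statuses are limited to the four typed values, and Verify recomputes every link and returns the seal for comparison with the stored one. The stage names, status strings and artifact contents in main are constructed for illustration; the page does not describe the real package format.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Typed statuses: Append rejects anything else instead of storing it.
var validStatus = map[string]bool{"RECEIVED": true, "VERIFIED": true, "SEALED": true, "ARCHIVED": true}
// StageRecord is one chain-of-custody link; Prev (previous record's digest) makes later links depend on earlier ones.
type StageRecord struct{ Stage, Status, OutputHash, Prev string }
// Digest hashes the fields with NUL separators so field boundaries are unambiguous.
func (r StageRecord) Digest() string {
	sum := sha256.Sum256([]byte(r.Stage + "\x00" + r.Status + "\x00" + r.OutputHash + "\x00" + r.Prev))
	return hex.EncodeToString(sum[:])
}
// Append records the sha256 of a stage's artifact and links it to the chain tail.
func Append(chain []StageRecord, stage, status string, artifact []byte) ([]StageRecord, error) {
	if !validStatus[status] {
		return nil, fmt.Errorf("stage %q: %q is not a typed status", stage, status)
	}
	prev := ""
	if n := len(chain); n > 0 {
		prev = chain[n-1].Digest()
	}
	out := sha256.Sum256(artifact)
	return append(chain, StageRecord{stage, status, hex.EncodeToString(out[:]), prev}), nil
}
// Verify recomputes every link and returns the seal (last digest) to compare with the stored seal.
func Verify(chain []StageRecord) (string, error) {
	prev := ""
	for i, r := range chain {
		if r.Prev != prev {
			return "", fmt.Errorf("stage %d (%s): link does not match previous record", i, r.Stage)
		}
		prev = r.Digest()
	}
	if prev == "" {
		return "", fmt.Errorf("empty chain: nothing to verify")
	}
	return prev, nil
}
func main() { // constructed sample: the page's four stages, then the seal
	var chain []StageRecord
	for _, s := range [][3]string{{"Generation", "RECEIVED", "sbom"}, {"Enrichment", "VERIFIED", "advisories"}, {"Evidence Builder", "SEALED", "dossier"}, {"S3 Object Lock", "ARCHIVED", "evp"}} {
		chain, _ = Append(chain, s[0], s[1], []byte(s[2]))
	}
	fmt.Println(Verify(chain))
}
```

Editing any earlier record fails at the next link; editing the last record keeps the links intact but changes the seal, which is why the seal itself must be stored out of band (here, in immutable storage).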

04 terminal // bomvault@release-runner
2026-05-09_18:42:11Z
$ bomvault submit ./build/cardio-pump-v3.4.tar
» resolving manifest… cyclonedx-1.6 (2,841 components)
» enrich osv/ghsa/nvd 3,112 advisories matched
» license 3-tier provenance 2 conflicts flagged
» evidence fda-qmsr dod-ssdf eu-cra
✓ SEALED bv-2026-0509-01 sha256:3c8d7e2a…9f1ba03d
✓ ARCHIVED s3://vault.bomvault.io/cardio-pump-v3.4/bv-2026-0509-01.evp
$
04 FRAMEWORKS // ONE RUN COVERS THREE

FDA. DoD. EU CRA.
From one SBOM run.

FDA // Effective 2026-02-02

21 CFR Part 820 / QMSR

Medical device + SaMD teams preparing 510(k), De Novo, PMA.

  • Cybersecurity documentation aligned to June 2025 guidance (superseded Feb 2026).
  • VEX statements, component support status, end-of-support dates.
  • Security architecture view tied to eSTAR submission package.
DoD // EO 14028 attestation in force

NIST 800-218 SSDF

DoD primes, subcontractors, and federal software programs.

  • SSDF attestation evidence keyed to CISA self-attestation form.
  • Mapped to FedRAMP and NIST SP 800-53 control families.
  • Immutable evidence trail for ISSO and authorizing officials.
EU // Binding law for EU digital products

Cyber Resilience Act

Medtech and software vendors shipping into the EU market.

  • Article 13 SBOM and vulnerability handling obligations covered.
  • Long-lifecycle evidence retention (10–15+ years) supported.
  • Notified-body-ready dossier export for regulated product classes.
05 FIELD NOTE // FROM REGULATED TEAMS
log_entry  // 7f0c1a2e  // verified
“Auditors don’t want our SBOM file. They want the evidence trail behind it. BOMvault is the first tool that ships that trail by default — sealed, dated, and impossible to argue with.”
VP Software Engineering  //  class II medical device manufacturer
05.1
3 frameworks

FDA QMSR, DoD SSDF, EU CRA covered from a single SBOM run.

05.2
7yr retention

Immutable S3 Object Lock storage with SOC 2 access logging.

05.3
0 RTA letters

Submission-ready dossier closes the gap that triggers Refuse-to-Accept.

06 PRICING // BY RELEASE GROUP

Priced by what you ship,
not by seats or scans.

A release group maps to a shippable software product or device version under regulatory review. Add more as your portfolio grows — no per-seat tax, no scan-count games. Annual subscription, billed against the cost of a failed audit, not a SaaS seat.

06.1

Submission

Single regulated release group. First 510(k) or SSDF attestation.

Contact for pricing
  • 1 release group
  • FDA QMSR or DoD SSDF dossier export
  • OSV / GHSA / NVD enrichment
  • S3 Object Lock storage, 7-year retention
  • JIRA, Slack, GitHub Actions
06.2 // Recommended

Portfolio

Mid-market medtech and DoD subs shipping multiple device variants.

Most regulated teams
  • Up to 10 release groups
  • Multi-framework: FDA + DoD + EU CRA
  • Three-tier license provenance
  • Evidence Builder with VEX automation
  • Enterprise SSO (SAML 2.0, OAuth 2.0)
06.3

Enterprise

Large primes, hospital networks, multi-product portfolios.

Custom à la carte release groups
  • Unlimited release groups (à la carte)
  • Dedicated regulatory success
  • Evidence review services on request
  • ServiceNow + custom integrations
  • SOC 2 Type II reports on request
07 NEXT STEP // SEAL YOUR FIRST RELEASE

Bring one release.
Walk out with the evidence package.

30 minutes with a BOMvault engineer. We ingest one of your release artifacts and produce a sealed, framework-specific evidence package you can hand to your auditor.

SOC 2 Type II // SAML 2.0 // immutable by default