# Certifications & Attestations

> Root's compliance certifications and how to access audit reports.

Root maintains third-party certifications and attestations to support customer compliance programs and procurement requirements.

## SLSA Compliance

Root's AVR pipeline generates SLSA (Supply-chain Levels for Software Artifacts) provenance attestations for every artifact it produces. Attestations are available for all images and packages from `cr.root.io` and `pkg.root.io`.

Every artifact includes:

* **Signed SLSA provenance** - cryptographically signed build record in SLSA format
* **SPDX SBOM** - full component inventory
* **OpenVEX statements** - vulnerability exploitability assertions
* **cosign image signatures** - image signing for supply chain verification

See [Provenance](/concepts/provenance) for details on verification.

## FIPS & STIG

Root has published FIPS and STIG attestation materials at [github.com/rootio-avr/fips-attestations](https://github.com/rootio-avr/fips-attestations). For questions about FIPS requirements and current availability, contact [security@root.io](mailto:security@root.io).

## SOC 2 Type II

Root holds SOC 2 Type II certification, validating controls for security, availability, and confidentiality. To request the report, contact [security@root.io](mailto:security@root.io).

## Cyber Essentials

Root holds Cyber Essentials certification, demonstrating essential cybersecurity measures.

## Industry Memberships

Root is an active participant in key open source and security standards bodies:

* **CNCF** - Contributing member
* **OWASP Global** - Member
* **OASIS** - Voting member

## Requesting Compliance Documentation

| Document                                    | How to Access                                                                                       |
| ------------------------------------------- | --------------------------------------------------------------------------------------------------- |
| SOC 2 Type II report                        | Email [security@root.io](mailto:security@root.io)                                                   |
| FIPS attestations and STIG scan results     | [github.com/rootio-avr/fips-attestations](https://github.com/rootio-avr/fips-attestations) (public) |
| SLSA provenance for any artifact            | Root API - `/v1/images/tags/{rrtID}/provenance`                                                     |
| SBOMs for any artifact                      | Root API - `/v1/images/tags/{rrtID}/sbom`                                                           |
| Security questionnaire / procurement review | Email [security@root.io](mailto:security@root.io)                                                   |
