Root is built for organizations with rigorous security and compliance requirements. This section covers Root’s own security posture, the certifications and attestations Root holds, and resources for procurement, legal, and compliance reviews.

What’s in This Section

Compliance Use Cases

Vulnerability Management SLA

Many compliance frameworks (SOC 2, PCI-DSS, FedRAMP) require that vulnerabilities be remediated within defined time windows. Root’s SLA-backed remediation provides the documented evidence auditors need:
Severity   Root SLA   Typical Requirement
Critical   7 days     30 days (PCI-DSS 4.0)
High       14 days    30–60 days
Medium     60 days    90 days

Software Bill of Materials (SBOM)

Executive Order 14028, the NTIA "minimum elements" guidance, and emerging regulation such as the EU Cyber Resilience Act call for an SBOM for software in production. Every Root artifact ships with an automatically generated SBOM in SPDX or CycloneDX format. See SBOMs.

VEX Statements

VEX (Vulnerability Exploitability eXchange) documents let you tell auditors and downstream consumers which reported vulnerabilities in a component do not affect your product, and why. Root generates VEX statements alongside every Root Patch. See VEX Statements.
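The check a consumer of these artifacts actually wants is to reconcile scanner findings against the SBOM and the VEX, so that only findings with a justified "not affected" (or resolved) statement are suppressed and everything else stays open. The following is an added example, not code from Root or from this page: the SBOM, VEX and findings are constructed inline, the vulnerability ids (EXAMPLE-000x) and component purls are placeholders, and the field names follow the public CycloneDX 1.5 schema (components[].purl / bom-ref, vulnerabilities[].affects[].ref, vulnerabilities[].analysis.state and .justification).

```python
"""Reconcile scanner findings against a CycloneDX SBOM plus VEX (added example)."""
import json

# Constructed sample CycloneDX 1.5 SBOM; not a Root-generated artifact.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/example-lib@1.2.3",
         "name": "example-lib", "version": "1.2.3",
         "purl": "pkg:generic/example-lib@1.2.3"},
        {"type": "library", "bom-ref": "pkg:generic/other-lib@4.5.6",
         "name": "other-lib", "version": "4.5.6",
         "purl": "pkg:generic/other-lib@4.5.6"},
    ],
}

# Constructed sample CycloneDX VEX. Vulnerability ids are placeholders, not real CVEs.
SAMPLE_VEX = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",
         "affects": [{"ref": "pkg:generic/example-lib@1.2.3"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable",
                      "detail": "The vulnerable parser entry point is never called."}},
        {"id": "EXAMPLE-0002",                      # not_affected but no justification
         "affects": [{"ref": "pkg:generic/example-lib@1.2.3"}],
         "analysis": {"state": "not_affected"}},
        {"id": "EXAMPLE-0003",
         "affects": [{"ref": "pkg:generic/other-lib@4.5.6"}],
         "analysis": {"state": "exploitable"}},
    ],
}

# Constructed scanner output as (component purl, vulnerability id) pairs.
SAMPLE_FINDINGS = [
    ("pkg:generic/example-lib@1.2.3", "EXAMPLE-0001"),
    ("pkg:generic/example-lib@1.2.3", "EXAMPLE-0002"),
    ("pkg:generic/other-lib@4.5.6", "EXAMPLE-0003"),
    ("pkg:generic/other-lib@4.5.6", "EXAMPLE-0004"),   # no VEX statement at all
    ("pkg:generic/missing-lib@0.1.0", "EXAMPLE-0005"),  # component not in the SBOM
]

# CycloneDX analysis states under which a finding may be suppressed.
NOT_EXPLOITABLE = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}


def index_vex(vex):
    """Map (component ref, vulnerability id) -> analysis object."""
    statements = {}
    for vuln in vex.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            statements[(affected["ref"], vuln["id"])] = vuln.get("analysis", {})
    return statements


def sbom_refs(sbom):
    """All identifiers a VEX 'affects.ref' may point at: bom-ref and purl."""
    refs = set()
    for comp in sbom.get("components", []):
        for key in ("bom-ref", "purl"):
            if comp.get(key):
                refs.add(comp[key])
    return refs


def reconcile(sbom, vex, findings):
    """Classify findings into suppressed / open / unknown_component / needs_justification.

    A not_affected statement without a justification is not audit-grade evidence,
    so the finding is reported and left open rather than silently suppressed.
    """
    refs = sbom_refs(sbom)
    statements = index_vex(vex)
    result = {"suppressed": [], "open": [], "unknown_component": [], "needs_justification": []}
    for purl, vuln_id in findings:
        if purl not in refs:
            result["unknown_component"].append((purl, vuln_id))
            continue
        analysis = statements.get((purl, vuln_id), {})
        state = analysis.get("state")
        if state == "not_affected" and not analysis.get("justification"):
            result["needs_justification"].append((purl, vuln_id))
            result["open"].append((purl, vuln_id))
        elif state in NOT_EXPLOITABLE:
            result["suppressed"].append((purl, vuln_id))
        else:
            result["open"].append((purl, vuln_id))
    return result


if __name__ == "__main__":
    print(json.dumps(reconcile(SAMPLE_SBOM, SAMPLE_VEX, SAMPLE_FINDINGS), indent=2))
```

In practice the SBOM and VEX would be loaded with json.load from the files shipped with the artifact; the matching key is the component reference, so a VEX whose affects.ref uses a bom-ref that the SBOM does not contain will never suppress anything, which is the safe failure mode.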

Provenance and Supply Chain Attestation

SLSA and the NIST SSDF (SP 800-218) call for attestation of how software was built. Root's signed provenance attestations bind each artifact's digest to the build that produced it, giving cryptographic evidence that every artifact passed through Root's verified AVR pipeline. See Provenance.
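A provenance attestation is only evidence if the consumer checks it: the statement's subject digest must match the artifact actually being deployed, and the builder identity must be the one you trust. The following is an added example, not Root's code or Root's attestation format: it decodes a constructed DSSE envelope carrying an in-toto Statement v1 with a SLSA Provenance v1 predicate (field names from the public specs), and checks the payload against a constructed artifact and a hypothetical builder id. The DSSE signature itself must be verified first with the publisher's key or a Sigstore/cosign tool; that step is outside this snippet and the envelope's signature value here is a placeholder.

```python
"""Check a SLSA provenance statement against an artifact (added example)."""
import base64
import hashlib
import json

# Hypothetical builder identity; Root's real builder id is not given on this page.
EXPECTED_BUILDER_ID = "https://example.invalid/builders/avr-pipeline"

# Constructed artifact bytes standing in for a container image or package.
SAMPLE_ARTIFACT = b"constructed artifact contents\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed in-toto Statement v1 carrying a SLSA Provenance v1 predicate.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-artifact",
                 "digest": {"sha256": sha256_hex(SAMPLE_ARTIFACT)}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"buildType": "https://example.invalid/build-types/avr/v1"},
        "runDetails": {"builder": {"id": EXPECTED_BUILDER_ID}},
    },
}

# Constructed DSSE envelope around the statement. The signature is a placeholder
# and is NOT verified here; real verification happens before the payload is trusted.
SAMPLE_ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "placeholder", "sig": "cGxhY2Vob2xkZXI="}],
}


def statement_from_envelope(envelope):
    """Decode the in-toto payload from a DSSE envelope (signature assumed verified)."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected DSSE payloadType: %r" % envelope.get("payloadType"))
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement, artifact: bytes, expected_builder_id: str):
    """Return a list of failures; an empty list means the statement binds this
    exact artifact to the expected builder."""
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("unexpected predicate type")
    # The subject must carry the digest of the bytes we are about to deploy;
    # any other digest means the provenance is for a different artifact.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256", "").lower() == digest for s in subjects):
        failures.append("artifact digest not among statement subjects")
    builder = (statement.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder != expected_builder_id:
        failures.append("unexpected builder id: %r" % builder)
    return failures


if __name__ == "__main__":
    stmt = statement_from_envelope(SAMPLE_ENVELOPE)
    print(check_provenance(stmt, SAMPLE_ARTIFACT, EXPECTED_BUILDER_ID))
```

Pinning the builder id is what turns "an attestation exists" into "the artifact came from the pipeline I trust"; a policy that accepts any builder is satisfied by an attacker who signs their own provenance.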

FedRAMP

Root’s SLA-backed CVE remediation, SBOM generation, and provenance attestations align with FedRAMP’s continuous monitoring and supply chain risk management requirements. Contact Root for agency-specific guidance.

PCI-DSS 4.0

PCI-DSS 4.0 Requirement 6.3.3 requires that all system components be protected from known vulnerabilities by installing applicable security patches, with critical and high-severity patches applied within one month of release. Root's automated, SLA-backed patching and SBOM artifacts directly address these requirements. Contact Root for QSA guidance materials.