
# Trust & Compliance Overview

> Root's security posture, certifications, and resources for compliance and procurement teams.

Root is built for organizations with rigorous security and compliance requirements. This section covers Root's own security posture, the certifications and attestations Root holds, and resources for procurement, legal, and compliance reviews.

## What's in This Section

<CardGroup cols={2}>
  <Card title="Security Posture" icon="shield" href="/compliance/security-posture">
    Root's secure development practices, vulnerability disclosure policy, and infrastructure security.
  </Card>

  <Card title="Certifications & Attestations" icon="certificate" href="/compliance/certifications">
    SOC 2 and other compliance certifications, with audit report access.
  </Card>

  <Card title="Trust Center" icon="building-shield" href="/compliance/trust-center">
    Sub-processors, data residency, and security FAQ for procurement reviews.
  </Card>
</CardGroup>

## Compliance Use Cases

### Vulnerability Management SLA

Many compliance frameworks (SOC 2, PCI-DSS, FedRAMP) require that vulnerabilities be remediated within defined time windows. Root's SLA-backed remediation provides the documented evidence auditors need:

| Severity | Root SLA | Typical Requirement   |
| -------- | -------- | --------------------- |
| Critical | 7 days   | 30 days (PCI-DSS 4.0) |
| High     | 14 days  | 30–60 days            |
| Medium   | 60 days  | 90 days               |

### Software Bill of Materials (SBOM)

Executive Order 14028 and emerging regulations (EU CRA, NTIA minimum elements) require SBOMs for software in production. Every Root artifact ships with an automatically generated SBOM in SPDX or CycloneDX format. See [SBOMs](/concepts/sbom).

### VEX Statements

VEX documents let you communicate to auditors and downstream consumers which vulnerabilities in your software are not exploitable. Root generates VEX statements alongside every Root Patch. See [VEX Statements](/concepts/vex).
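The two mechanisms above combine naturally in an audit check: findings a VEX document marks `not_affected` drop out of scope, and everything else is measured against the remediation windows in the SLA table. The following is an added illustration, not Root's own tooling or its VEX output format; it assumes OpenVEX-shaped statements, constructed sample findings, and hypothetical function names.

```python
"""Measure CVE findings against Root's published remediation SLA, treating
vulnerabilities an OpenVEX document marks not_affected as out of scope."""
from datetime import date, timedelta

# Remediation windows from the SLA table on this page (days from first detection).
ROOT_SLA_DAYS = {"critical": 7, "high": 14, "medium": 60}

# Constructed sample in OpenVEX shape (real format; the CVE ids are made up).
SAMPLE_VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {"vulnerability": {"name": "CVE-2024-0001"},
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-2024-0002"}, "status": "affected"},
    ],
}

# Constructed sample scanner findings: (cve, severity, first_seen).
SAMPLE_FINDINGS = [
    ("CVE-2024-0001", "critical", date(2024, 1, 1)),  # exempted by VEX
    ("CVE-2024-0002", "high", date(2024, 1, 1)),      # 14-day window ends Jan 15
    ("CVE-2024-0003", "medium", date(2024, 1, 10)),   # 60-day window ends Mar 10
]
SAMPLE_TODAY = date(2024, 1, 20)  # evaluation date for the sample run


def not_affected_cves(vex):
    """CVE ids that the VEX document declares not exploitable."""
    return {s["vulnerability"]["name"] for s in vex.get("statements", [])
            if s.get("status") == "not_affected"}


def sla_report(findings, vex, today):
    """Map each CVE to 'vex_not_affected', 'within_sla', 'overdue' or 'no_sla'."""
    exempt = not_affected_cves(vex)
    report = {}
    for cve, severity, first_seen in findings:
        if cve in exempt:
            report[cve] = "vex_not_affected"
            continue
        window = ROOT_SLA_DAYS.get(severity.lower())
        if window is None:
            report[cve] = "no_sla"  # severity outside the published table
            continue
        deadline = first_seen + timedelta(days=window)
        report[cve] = "within_sla" if today <= deadline else "overdue"
    return report
```

Running `sla_report(SAMPLE_FINDINGS, SAMPLE_VEX, SAMPLE_TODAY)` flags CVE-2024-0002 as overdue while CVE-2024-0001 is excluded on the strength of the VEX statement.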

### Provenance and Supply Chain Attestation

SLSA and SSDF frameworks require attestation of how software was built. Root's provenance attestations provide cryptographic proof that every artifact passed through Root's verified AVR pipeline. See [Provenance](/concepts/provenance).

### FedRAMP

Root's SLA-backed CVE remediation, SBOM generation, and provenance attestations align with FedRAMP's continuous monitoring and supply chain risk management requirements. [Contact Root](https://root.io) for agency-specific guidance.

### PCI-DSS 4.0

PCI-DSS 4.0 (Requirement 6.3.3) requires that all software components are protected from known vulnerabilities. Root's automated, SLA-backed patching and SBOM artifacts directly address these requirements. [Contact Root](https://root.io) for QSA guidance materials.
