Legal notice
Last updated: March 2026
1. Purpose
This legal notice governs the use of the website emethra.io and the EMETHRA platform (hereinafter, the "Platform"), owned by SPARRING LABS, S.L. The Platform provides a cyber resilience analysis service for software products, including software bill of materials (SBOM) generation, vulnerability detection, license analysis and compliance documentation generation (CRA, NIS2). Access to and use of the Platform implies full and unreserved acceptance of all the conditions included in this legal notice. If you disagree with any of these conditions, please do not use the Platform.
2. Owner identification
In compliance with Article 10 of Spanish Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE), the following identification details of the owner of this website and the Platform are provided:
| Company name | SPARRING LABS, S.L. |
| Tax ID (CIF) | B75876110 |
| Registered address | Calle Chile 54, 26007 Logroño, La Rioja, Spain |
| legal@emethra.com | |
| Commercial register | Registered at the Commercial Register of La Rioja |
3. Service description
EMETHRA is a SaaS platform designed as a comprehensive cyber resilience control system for software products. In a regulatory landscape shaped by the Cyber Resilience Act (CRA) and the NIS2 Directive, organisations need tools that allow them to understand in depth the composition of their software, identify security risks and generate the documentation required to demonstrate regulatory compliance. EMETHRA addresses this need by providing an automated environment that enables engineering teams, compliance officers and management to gain full visibility into the security and regulatory conformity of their products.
The services available on the Platform include:
- Software composition analysis (SCA) and SBOM generation in CycloneDX format.
- Detection of known vulnerabilities (CVE) in dependencies.
- Static application security testing (SAST) through Semgrep rules.
- Detection of exposed secrets in source code.
- Third-party component license analysis.
- Compliance documentation generation: CRA Annex VII reports, NIS2 incident notification templates and EU declarations of conformity.
- Issuance of chain of custody certificates with cryptographic verification.
The results generated by the Platform are indicative in nature and are designed to support the user's internal assessment and compliance processes. They do not replace a professional security audit nor constitute a conformity certification issued by an accredited body.
4. Access and registration conditions
Access to certain features of the Platform requires prior user registration. To create an account, the user must provide a valid email address, an identifying name and a secure password. By registering, the user agrees to provide truthful, complete and up-to-date information, and to keep such data current throughout the duration of the contractual relationship.
The user is solely responsible for maintaining the confidentiality of their access credentials, including their password and any API keys generated through the Platform. All activity carried out under their account shall be deemed to have been performed by the user, and they must therefore adopt the necessary security measures to prevent unauthorised access, such as enabling two-factor authentication (2FA).
SPARRING LABS, S.L. reserves the right to suspend, restrict or cancel user accounts in the event of a breach of these conditions, fraudulent or abusive use of the Platform, or where there are reasonable grounds to suspect activity contrary to applicable law. In such cases, the user will be notified as far in advance as possible, unless the urgency or severity of the situation requires immediate action.
5. Intellectual and industrial property
The protection of intellectual property is essential in an environment where technological innovation forms the core of the service. EMETHRA incorporates internally developed analysis algorithms, detection engines and report formats, whose integrity and exclusivity are fundamental to ensuring the quality of the service offered.
All intellectual and industrial property rights over the Platform, including but not limited to its design, source code, analysis algorithms, detection engines, report formats, brand, logos and content, are the exclusive property of SPARRING LABS, S.L. or its licensors.
The reproduction, distribution, public communication, transformation or any other form of exploitation of the elements of the Platform is prohibited without the express written authorisation of SPARRING LABS, S.L.
User content
The user retains all intellectual property rights over the source code and repositories uploaded to or connected with the Platform. SPARRING LABS, S.L. does not acquire any ownership rights over such content. Source code provided by the user is processed solely to perform the requested analysis and is deleted from our systems once the analysis is complete. Only the analysis results (reports, SBOM, vulnerability lists) associated with the user's account are retained.
The user may export their analysis results at any time in standard formats (CycloneDX, PDF, JSON), thereby ensuring data portability and independence from the Platform.
6. Source code handling
A software product's source code is one of the most sensitive intellectual property assets of any organisation. We understand that entrusting this asset to an external service requires solid and verifiable guarantees. For this reason, EMETHRA has been designed from its architecture to minimise source code exposure and provide a level of protection commensurate with the criticality of this type of information.
The specific guarantees that EMETHRA provides regarding source code handling are detailed below:
| Guarantee | Detail |
|---|---|
| European infrastructure | Code is processed on infrastructure located entirely within the European Union, subject to EU data protection legislation. |
| Automatic deletion | Source code is automatically deleted from our servers once the analysis is complete. No copies are retained. |
| Limited retention | Only analysis results are retained: SBOMs, vulnerability reports, compliance reports and associated metadata. |
| No third-party sharing | Under no circumstances is user source code shared with third parties, business partners or service providers. |
| Automated processing | All processing is performed automatically through analysis tools, with no human access to the code. |
7. Data protection
The processing of personal data is governed by our privacy policy, which forms an integral part of this legal notice. It details the information regarding the data controller, purposes, legal basis, retention periods and data subject rights, in accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 on the protection of personal data and the guarantee of digital rights (LOPDGDD).
8. Limitation of liability
EMETHRA provides technical information and documentation designed to support decision-making in the areas of security and regulatory compliance. However, the ultimate responsibility for actions taken based on that information lies exclusively with the user. The following limitations of liability apply to the use of the Platform.
SPARRING LABS, S.L. does not guarantee the permanent and uninterrupted availability of the Platform. Interruptions may occur for maintenance, updates or reasons beyond our control.
The results provided by EMETHRA (vulnerability reports, compliance analyses, SBOMs) are informative and indicative in nature. They do not constitute a security audit, a regulatory compliance certification or legal advice. The Platform facilitates the collection and organisation of technical information to support the user's compliance processes, but the ultimate responsibility for decisions taken lies exclusively with the user.
SPARRING LABS, S.L. shall not be liable for any damages arising from the misuse of the Platform, from the inaccuracy or outdatedness of information provided by the user, or from temporary access unavailability.
9. Modifications
SPARRING LABS, S.L. reserves the right to modify the presentation, configuration and content of the Platform, as well as the conditions of this legal notice, at any time. Modifications shall take effect from their publication on the Platform. It is the user's responsibility to periodically review these conditions. Continued use of the Platform after the publication of changes implies acceptance thereof.
10. Applicable law and jurisdiction
This legal notice is governed by Spanish law. For the resolution of any dispute that may arise in relation to the access or use of the Platform, the parties submit to the jurisdiction of the courts of Logroño, La Rioja, Spain, expressly waiving any other jurisdiction that may apply.