Share proof in one click — and keep your secrets.
Your customers and their procurement teams are already asking for SBOMs. Turn that obligation into a polished, audit-logged experience instead of a stale zip file in an inbox.
Three ways to share — all under your control.
01 Tokenized Trust Portal links
Issue a clean, time-limited URL that always points to your latest build. No account required on the recipient side — they see a branded, read-only view of components, CVEs, licenses, and compliance status.
02 Organization-to-organization exchange
Exchange directly with a domain-verified counterparty who imports the SBOM into their own tenant. The relationship survives staff turnover — no link forwarded around an inbox for years.
03 Per-share redaction
Disclose the compliance proof, withhold the secrets. Mask a component, drop it entirely, share only third-party OSS, or strip suppliers, hashes, and CPEs — with a preview of exactly what the recipient will see.
From SBOM to customer in under a minute
Every step logged, every byte you intended — and nothing more.
Pick & redact
Choose the SBOM, set an expiry, and apply any redaction. Preview it as the recipient before it leaves.
Send the link
A clean URL like sbomvault.ai/share/abc123 — branded to your organization, no recipient login.
They self-serve
Searchable inventory, CVEs, licenses, compliance marks, and CycloneDX/SPDX/PDF downloads.
You see every access
Who opened it, when, from what IP, what they downloaded — exportable as SOC 2 evidence.
Access-logged by default
Every view and download recorded with timestamp and IP — SOC 2 evidence captured, not reconstructed after the fact.
Encrypted end to end
AES-256 at rest, TLS 1.3 in transit. Enterprise customers can bring their own key with KMS / HSM.
Independently audited
A SOC 2 Type II audit is in progress with Schellman, a leading independent assessor.
Standards-native
CycloneDX, SPDX, and SWID across 16 ecosystems — open formats in, open formats out, no proprietary lock-in.
A live SBOM, not a stale zip file.
The Trust Portal is the branded, audit-logged customer view behind every share link. See exactly what your customers see.
Import
Any source or format, 16 ecosystems.
Manage
One inventory, prioritized risk, monitoring.
Share
Trust Portal links & org-to-org exchange.
Frequently asked questions
- Can I share SBOMs with customers and regulators?
  Yes — through tokenized, time-limited Trust Portal links with a full access audit trail, or organization-to-organization exchange to a domain-verified counterparty that imports the SBOM directly into their own tenant.
- Can I hide proprietary components when sharing?
  Yes. A per-share redaction engine lets you mask a component (it shows as REDACTED so counts stay honest), drop it entirely including its dependency edges, share only third-party OSS, or strip suppliers, hashes, and CPEs — with a preview of exactly what the recipient sees. You can also flag components private so they are dropped from every share by default.
- Do share links expire, and can I revoke them?
  Links are time-limited by default and expire automatically. You can also revoke any link with one click — future access is blocked while the audit trail is preserved.
- What does the access audit trail capture?
  Every view and download, with timestamp and IP, recorded and exportable — the evidence a SOC 2 audit expects, captured by default rather than reconstructed after the fact.