Trust & security
The passport is a promise.
This is how we keep it.
A Digital Product Passport has to be reachable, correct and unchanged over years. The runtime that serves it has to earn that trust every day. Below is what we do, where the data lives, who we work with, and what we do not yet claim.
01 · Data residency & hosting
Customer data stays in the EU.
The application runs on a serverless platform, pinned to Frankfurt (fra1) and Paris (cdg1) edge regions. The primary datastore is a managed Postgres cluster in AWS eu-central-1. Customer content, tenant records and audit trails never leave the EEA.
Static assets are served from a global CDN; only public, non-sensitive resources (logos, marketing copy, resolver-page HTML) are cached at the edge. Authenticated API responses skip the cache by policy.
Custom tenant domains (for example dpp.brand.com) resolve through the same EU-region infrastructure. We do not maintain any dark-region standby that would relocate data outside the EEA.
02 · Encryption
In transit and at rest, always.
All connections to the resolver, the tenant admin, and the API terminate on TLS 1.2 or higher. HSTS is enforced with a two-year max-age and preload set. Content is served under a restrictive CSP, X-Frame-Options SAMEORIGIN, and Referrer-Policy strict-origin-when-cross-origin.
At rest, Postgres storage volumes are AES-256 encrypted by the provider. Integration credentials (Akeneo, Centra, Shopify, inriver, Delogue, custom REST tokens) live in a per-tenant encrypted vault; the encryption key is held outside the database and rotated on schedule. Tenant-supplied LLM API keys (BYOK) follow the same envelope-encryption pattern.
03 · Authentication & access
Row-level, role-aware, audit-logged.
Sign-in supports email magic-link and OAuth providers (Google, Apple). Sessions are HttpOnly-cookie-based; single sign-on via SAML/OIDC is available on enterprise plans.
Every table containing customer content is protected by database Row-Level Security. A tenant user can never read data belonging to another tenant — the constraint is enforced at the database layer, not just in application code. Staff access is separately scoped through a staff_users table and requires an operational reason recorded in the audit log.
Roles inside a tenant are configurable: owner, admin, editor, viewer, plus regulator-facing roles for the public passport (economic-operator, distributor, refurbisher, recycler, market-surveillance, competent-authority). Impersonation by staff is possible only via a signed, audited flow.
04 · Secrets & credentials
Nothing sensitive gets committed.
Application secrets live exclusively in encrypted platform environment variables. No secret is committed to source control, no secret is logged, and API keys pasted into chat are treated as compromised and rotated on the spot.
Where a tenant integrates with an external system, the credential is stored per-tenant in the encrypted vault described above. Rotations, expirations and scope changes are surfaced in the Integrations panel; access failures are logged to the tenant audit trail.
05 · Backups & continuity
Ten-year passports need ten-year plans.
The primary database is backed up continuously with point-in-time recovery across a rolling window. Daily encrypted snapshots are retained on a schedule appropriate to the tenant plan; long-term retention is available on request for regulated categories.
For customers who require an independent backup host (per EN 18221 §4.5), we run a parallel-write path to a segregated storage tier so the passport remains resolvable even if the primary application is unavailable. The backup-host provider spec is available to prospects under NDA.
Live infrastructure status — uptime, incidents, and scheduled maintenance — is published at status.dppagent.com. Historic incidents include what happened, what we changed, and what we detected next time.
06 · Vulnerabilities & incidents
Disclosure has a phone number.
We accept responsible-disclosure reports at security@dppagent.com. Reports are triaged within one business day and remediated on a severity schedule. Good-faith researchers are protected from legal action, credited on request, and not required to sign an NDA to submit.
For confirmed customer-impacting incidents we follow a documented incident response runbook: containment first, tenant owner notification within the contract-defined window, post-incident writeup published to the status page, and root-cause remediation tracked to closure.
07 · Compliance alignment
What we align to today — and what we do not yet claim.
DPP Agent’s runtime and its output are built to the CEN/CENELEC JTC 24 standards suite (EN 18216 identifier, EN 18219 resolver, EN 18221 lifecycle and continuity, EN 18223 structure and interoperability), the CIRPASS-2 reference profile, and the field-level requirements of ESPR (Regulation 2024/1781) and the EU Battery Regulation (2023/1542). Passport data conforms to GS1 Digital Link with GTIN, batch, CPV and serial application identifiers.
As a data controller / processor operating from the EU, we are subject to the GDPR and offer a standard Data Processing Agreement on request. Customer data flows are documented in our Subprocessors list, which is amended with 30 days’ notice for material changes.
We do not currently hold a SOC 2 or ISO 27001 certification. When a certification is achieved we will publish the report and audit scope here. Enterprise customers can request the current security review pack, penetration- test summary, and internal control checklist under NDA.
For security teams
Need the review pack, DPA or a security questionnaire response?
We keep an up-to-date response to the SIG Lite, CAIQ and a plain-English security overview ready to share. Tell us the framework and we’ll route the right document.