TRUST Procurement reference

Trust surface.

Statutory positioning, supervisory framework, data residency, and compliance posture for EU Digital Passport Processor. The detailed procurement pack — sub-processor inventory, controls matrix, business-continuity summary, and DPA template — is provided to procurement and infosec teams on request.

§01 Statutory positioning
“‘Digital Product Passport service provider’ means a natural or legal person authorised by an economic operator to process digital product passport information for the purposes of making it available to economic operators, customers, consumers, users and other relevant actors.”

EU Digital Passport Processor operates under this statutory category. The economic operator placing the product on the EU market is liable for the accuracy, completeness and timeliness of the passport data. The platform processes that data on the operator’s authorised instruction and holds the immutable audit-evidence record for the retention period mandated by the relevant regulation.

§02 Supervisory framework

The ESPR DPP Service Provider certification scheme has not yet been adopted by the European Commission. Once adopted, supervision of registered providers is expected to fall under the competent authority designated under the relevant delegated act, with co-ordination through the EU EES (European Economic Ecosystem) governance arrangements. The platform will publish the registration identifier and the supervising authority on this surface and on the chrome of every operator page on receipt of registration.

Until certification, EU Digital Passport Processor is designed to meet the expected requirements of the anticipated scheme. No certification is claimed at this time.

§03 Data residency

Operator personal data and Digital Product Passport content are processed and stored within the European Union. All application hosting, payment processing, transactional email, and error monitoring run on EU-resident infrastructure under executed Data Processing Agreements with each sub-processor. Analytics on public marketing surfaces is cookie-less and EU-resident. The sub-processor inventory and corresponding DPAs are available on request to procurement and infosec teams.

§04 Compliance posture
ICO registration
Registered with the UK Information Commissioner’s Office under reference ZA00013577864 as a data controller.
GDPR Article 30
A record of processing activities is maintained. Available to supervisory authorities on request.
GDPR Article 33
Personal-data breach notification commitment: notification to the controller without undue delay (within 72 hours of the platform becoming aware) of any personal-data breach affecting operator data.
UK GDPR
Subject to the UK GDPR by virtue of the operating company’s registration in England and Wales. Adequacy decision in force for EU-UK transfers.
Certification roadmap
ISO/IEC 27001, SOC 2, and ISAE 3402 attestation work in progress against the ESPR DPP Service Provider scheme. Auditor name, audit period, and effective date will be published in §05 on issue.
§05 Procurement & security review

Procurement, legal, and infosec teams reviewing the platform receive a procurement pack on request from a Relationship Manager. The pack includes the full sub-processor inventory under executed DPAs, the platform’s security controls matrix, business-continuity summary (recovery and restore-test commitments), in-force audit attestations (when issued), and the platform’s standard Data Processing Addendum. Custom DPA negotiation with your own template is accommodated.

Vulnerability disclosure and security correspondence: security@eudigitalpassportprocessor.com. Acknowledgement within one business day. Responsible-disclosure conventions; disclosure-coordinator details on request.