
Data Processing Agreement. Signed in minutes.

Our standard GDPR Article 28 DPA — pre-mapped to the EU Standard Contractual Clauses, with EU data residency by default. Request a counter-signed copy in two business days.

Version 1.0 · Updated
At a glance

Six things to check before you sign.

GDPR Article 28

Standard processor agreement with named processor obligations — instructions, confidentiality, security, sub-processing, audit, deletion.

EU SCCs included

EU Standard Contractual Clauses (2021/914) attached as an annex, with Module Two pre-selected for controller-to-processor flows.

EU data residency

Personal data hosted in Frankfurt with an Amsterdam replica. Customer data is not routed outside the EU/EEA in normal operation; the one exception, account data handled by our US-based authentication provider, is covered by the EU SCCs (see International transfers and the sub-processor list below).

30-day deletion

Customer data is returned or deleted within 30 days of contract termination, on written request, with a deletion certificate on close-out.

Audit rights

Annual SOC 2 Type II and ISO 27001 attestations made available under NDA. On-site or remote audit on request for Enterprise contracts.

Sub-processor notice

Thirty-day prior notice on every new sub-processor, with a written right to object before the new sub-processor is engaged.

What the DPA covers

Article 28, summarised in plain English.

Important

This page summarises our standard Data Processing Agreement. The binding document is the signed PDF — contact us to request it. Nothing on this page constitutes legal advice or a substitute for the executed agreement.

On this page
  1. Scope and roles
  2. Subject matter, duration, nature, purpose
  3. Categories of data subjects and personal data
  4. Sub-processors
  5. International transfers
  6. Confidentiality and security measures
  7. Data-subject requests
  8. Personal-data breach notification
  9. Audits and compliance demonstration
  10. Return and deletion
Section 01

Scope and roles

In our standard engagement the customer acts as the data controller and DPP Automate acts as the data processor. Where we engage a third party to perform processing on our behalf — for example our authentication provider or our database host — that third party acts as a sub-processor. The DPA sets out the contractual relationship between controller and processor and binds our sub-processors to equivalent obligations through back-to-back agreements. The agreement applies to all personal data the customer entrusts to us through the platform, the API, our support channels and any structured data import we ingest on the customer’s behalf.

Section 02

Subject matter, duration, nature, purpose

The DPA opens with the disclosures required by Article 28(3): the subject matter (operating the Digital Product Passport platform for the customer), the duration (the term of the underlying services agreement), the nature and purpose of the processing (storing, querying and serving product and compliance data), the categories of personal data and categories of data subjects, and the obligations and rights of the controller. These are the five items every regulator and procurement reviewer scans for first; we keep them on the front page of the annex, not buried in a schedule, so they are easy to verify before signature.

Section 03

Categories of data subjects and personal data

The categories of data subjects are typically the customer’s own employees who operate the platform, the customer’s suppliers who respond to material declaration questionnaires, and — only where applicable to a regulation in scope — named individuals referenced in compliance documentation. The categories of personal data are limited to account identifiers, business contact data and the operational metadata required to attribute actions in the audit log. We do not process special-category data, criminal-conviction data or data from children. Anything outside this list requires a written variation to the DPA before it may be ingested.

Section 04

Sub-processors

The DPA grants general written authorisation for the use of sub-processors and lists the current set in an annex; the same list is published in the Sub-processors section below and kept current. We notify customers in writing at least thirty days before adding or replacing a sub-processor. The customer may object on reasonable data-protection grounds during that window, in which case we will either revoke the change or, where the change is essential to operating the service, give the customer a right to terminate the affected portion of the services without penalty. Every sub-processor is bound to data-protection obligations equivalent to those imposed on us.

Section 05

International transfers

Our default position is full EU data residency. Customer personal data is hosted in Frankfurt with an Amsterdam replica; we do not route customer data outside the EU/EEA in normal operation. Where a sub-processor is established outside the EU — for example our US-based authentication provider — the transfer is governed by the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), Module Two, supplemented by a documented Transfer Impact Assessment. The SCCs are attached as an annex to the DPA so the controller has the binding text in their own counter-signed copy.

Section 06

Confidentiality and security measures

Personnel with access to customer personal data are bound to written confidentiality obligations that survive the end of their engagement. The technical and organisational measures are documented in a dedicated annex and align with the controls validated in our annual SOC 2 Type II report and our ISO 27001 certification. The control set covers access management with role-based authorisation and short-lived tokens, encryption in transit and at rest, network segmentation, vulnerability management, logging and monitoring, and a documented incident response plan. The annex is updated whenever the underlying control set changes.

Section 07

Data-subject requests

Data subjects address their rights requests to the controller, not to us. Where a request is routed to us in error we forward it to the customer without acting on it. We provide tooling and documented APIs that let the controller satisfy the rights of access, rectification, erasure, restriction, portability and objection without having to file a manual support ticket. Where a controller still needs human assistance — for example to locate an artefact across multiple environments — we respond within the timeline the controller specifies in writing, at no additional cost.

Section 08

Personal-data breach notification

We notify the controller of any personal-data breach affecting their data without undue delay and in any case within twenty-four hours of becoming aware of it. The initial notification contains the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences and the measures taken or proposed. Where the full information is not yet available, the initial notification names the single point of contact and commits to a follow-up cadence. Our incident response runbook is reviewed and rehearsed quarterly and is available to the controller under NDA.

Section 09

Audits and compliance demonstration

Compliance is demonstrated in the first instance through our annual third-party attestations — SOC 2 Type II and ISO 27001 — made available to the controller under NDA. Where the controller’s own regulator or internal ISMS requires an on-site or remote audit beyond the third-party attestations, we accommodate one audit per twelve-month period at no additional cost, with a reasonable cost-recovery for additional audits. Audits are coordinated with reasonable notice and conducted in a way that does not compromise the confidentiality of other customers or the integrity of the production environment.

Section 10

Return and deletion

On termination or expiry of the services agreement, we return or delete all customer personal data within thirty days of a written request from the controller. The controller chooses which option applies. After the chosen option has been carried out we issue a written deletion certificate confirming the data, the environments and the systems affected. The certificate does not cover backup media and immutable audit logs: these are retained for the period set by the underlying regulation in scope (typically ten years for ESPR), after which they are deleted on the same documented schedule. These retention obligations survive the termination of the agreement.

Sub-processors

The third parties that touch your data.

  • Clerk: authentication and session management.
    Region: United States, with EU customer support. Transfers governed by EU SCCs (2021/914), Module Two.
    Categories of data: account email, name, user identifier and session tokens for users who sign in to the platform.
  • Convex: application backend, database and real-time query layer.
    Region: customer cluster in the EU. Data plane operated within the EU; control-plane access is logged and access-reviewed.
    Categories of data: product passport records, lead-form submissions and the operational audit trail attributing actions to authenticated users.
  • Google: web analytics (Google Analytics 4) and Search Console site verification.
    Region: United States. Personal data flows only when the visitor has granted analytics consent via the cookie banner.
    Categories of data: anonymised IP address, page-view events and aggregated behavioural metrics from the marketing site only.

We notify customers at least 30 days before adding or replacing a sub-processor. To object to a new sub-processor, email info@dppautomate.com with your account identifier — we will respond before the change goes live.

How to sign

Three steps to a counter-signed agreement.

  1. Review

     Read the summary above and the version and last-updated metadata. Request the binding PDF if you want to redline it before signature.

  2. Request signed DPA

     Email info@dppautomate.com with your legal entity name, signing authority and the services agreement reference. We send the binding PDF the same business day.

  3. Counter-signed copy

     Return the signed PDF and we counter-sign within two business days. You receive the executed agreement and a record of the DPA version in force.

Legal contact

Talk to the legal contact, not a chatbot.

For DPA requests, redlines, sub-processor objections and data-protection inquiries, write to the address below. We respond from a human inbox during EU business hours, and we acknowledge every message — even when the answer is "we will get back to you on Monday".

Legal entity
DPP Automate
Responsible person
Nico Jaroszewski
Registered address
Schlosstalstrasse 202
8408 Winterthur
Switzerland