Data Processing Agreement (DPA)

In accordance with Art. 28 of the General Data Protection Regulation (GDPR). Effective: 1 March 2026.

This Data Processing Agreement ('DPA') is entered into between Iten Media (operating as PassportLab), Im Winkel 8, 50189 Elsdorf, Germany ('Processor') and the customer who has accepted the PassportLab Terms of Service ('Controller'). This DPA supplements and forms part of the Terms of Service.

1. Subject Matter, Nature, and Duration

The Processor provides a Digital Product Passport (DPP) platform for EU ESPR compliance on behalf of the Controller. Processing takes place for the duration of the subscription and continues for the statutory 10-year DPP archival period required by the Ecodesign for Sustainable Products Regulation (ESPR). The Processor acts solely on documented instructions from the Controller.

2. Categories of Data and Data Subjects

The Processor may process the following categories of personal data on behalf of the Controller: (a) Account data — names, email addresses, and company details of the Controller's authorised users; (b) Product passport data — supplier names, manufacturer addresses, and any other personal data the Controller chooses to include in passport fields; (c) Usage and audit data — IP addresses, session identifiers, and access timestamps recorded in the audit log. Data subjects include the Controller's employees, administrators, and any natural persons whose data appears in product passport fields.

3. Obligations of the Controller

The Controller warrants that: (a) it has a valid legal basis for all personal data submitted to the platform; (b) it has provided all required notices to data subjects; (c) it will not submit special-category data (Art. 9 GDPR) without prior written agreement; (d) it will promptly notify the Processor of any instructions that, in the Controller's view, would infringe GDPR or applicable data protection law.

4. Obligations of the Processor

The Processor undertakes to: (a) process personal data only on documented instructions from the Controller; (b) ensure that authorised personnel are bound by appropriate confidentiality obligations; (c) implement and maintain the technical and organisational measures described in Section 6; (d) assist the Controller in fulfilling its obligations regarding data subject rights (Art. 15–22 GDPR) and data protection impact assessments (Art. 35 GDPR); (e) notify the Controller without undue delay, and in any case within 72 hours, upon becoming aware of a personal data breach; (f) delete or return all personal data at the termination of services, at the Controller's choice, unless Union or Member State law requires continued storage.

5. Sub-processors

The Controller grants general authorisation for the Processor to engage the following sub-processors: (a) Hetzner Online GmbH (Frankfurt, Germany) — cloud infrastructure and data hosting; (b) Stripe Payments Europe Ltd. (Dublin, Ireland) — payment processing; (c) Matomo (self-hosted, Germany) — privacy-preserving analytics. The Processor shall notify the Controller of any intended changes to sub-processors at least 30 days in advance. The Controller may object to a new sub-processor within 14 days; if no resolution is reached, the Controller may terminate the affected services. All sub-processors are bound by data protection obligations at least equivalent to those in this DPA.

6. Technical and Organisational Measures (TOMs)

The Processor implements and maintains the following measures: (a) Encryption at rest — all personal data encrypted at rest using AES-256; credentials and signing keys stored with Fernet symmetric encryption; (b) Encryption in transit — TLS 1.2+ enforced for all API and web traffic; HSTS headers applied; (c) Access controls — role-based access; multi-factor authentication (TOTP) available; API keys stored as SHA-256 hashes only; (d) Audit logging — immutable, hash-chained audit log for all data changes; MySQL-level triggers prevent tampering; (e) Data minimisation — stakeholder role-based field filtering; SD-JWT selective disclosure for third-party credential sharing; (f) Infrastructure — all data hosted exclusively on EU servers in Frankfurt, Germany; (g) Incident response — 72-hour breach notification procedure; on-call monitoring for API availability.

7. Data Subject Rights

Upon receiving a verified data subject request forwarded by the Controller, the Processor will assist by providing the relevant data in structured, machine-readable format (JSON/CSV) within 5 business days. The Processor will action erasure requests within 30 days, subject to statutory retention requirements under ESPR and German commercial law (HGB). Data portability is supported via the /org/export endpoint at any time.

8. Personal Data Breach Notification

In the event of a personal data breach affecting data processed under this DPA, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include: (a) the nature of the breach; (b) the categories and approximate number of data subjects and records affected; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach. The Controller remains responsible for notifying the competent supervisory authority (the Landesbeauftragte für Datenschutz, NRW) and affected data subjects where required.

9. Audits and Inspections

The Controller may conduct audits of the Processor's data processing activities under this DPA no more than once per calendar year, with at least 14 days' prior written notice. Audits shall be conducted during normal business hours, at the Controller's expense, and shall not unreasonably disrupt operations. The Processor may satisfy audit requests by providing up-to-date third-party audit reports or certifications (e.g., ISO 27001) where available.

10. Governing Law

This DPA is governed by the laws of the Federal Republic of Germany. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Köln, Germany. In the event of any conflict between this DPA and the Standard Contractual Clauses (SCCs) issued by the European Commission, the SCCs shall prevail with respect to cross-border data transfers.