Security, Privacy & Compliance Center
OpenDPP operates under a robust, audited security framework. By utilizing industry-leading cloud hosts and strict privacy policies, we ensure that every Digital Product Passport (DPP) is securely stored, sealed, and audited in compliance with strict EU regulations.
Infrastructure & Hosting Compliance
OpenDPP leverages certified digital infrastructure providers within the European Economic Area to fulfill strict security certifications and data residency mandates.
Google Cloud Platform
The OpenDPP application nodes are deployed in the Google Cloud Belgium region, guaranteeing that our active compute nodes reside completely within EU borders. This infrastructure inherits world-class physical security controls, biometric access restrictions, and hardware lifecycle protections.
Neon PostgreSQL
All relational registry information is securely stored in a specialized serverless Postgres database on Neon, hosted within the AWS Frankfurt (eu-central-1) region. Data is logically isolated, encrypted at rest using AES-256 keys, and encrypted in transit using TLS 1.3 protocols.
GDPR & Consent Management
OpenDPP enforces user privacy rights under the EU General Data Protection Regulation (GDPR) and ePrivacy Directives.
We integrate a compliant **Iubenda Cookie Banner** that operates automatic cookie and script blocking. Tracking scripts (including Google Analytics) are dynamically held back and only executed after the visitor grants explicit, granular consent.
Privacy-By-Default Core
No trackers are loaded on the standard JSON-LD data layers served to machine crawlers and EU customs surveillance bots, maintaining a clean, data-efficient compliance resolver.
Access Log Anonymization
While OpenDPP logs query events in our database AccessAuditLog to audit passport integrity, we prevent the accumulation of Personally Identifiable Information (PII) through strict IP anonymization.
The system strips the host identifier by zeroing out the last octet of the IPv4 address (e.g., 192.168.1.123 is recorded as 192.168.1.0), rendering it non-traceable to a specific individual.
For IPv6 connections, we truncate the address using a /48 subnet mask, retaining general regional metadata for legal compliance while scrubbing the unique device and interface identifiers.
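The two truncation rules above can be sketched as follows. This is an added example, not OpenDPP's own code: the function name `anonymize_ip` is hypothetical, the sample addresses are constructed, and the handling of IPv4-mapped IPv6 addresses and zone identifiers is an assumption the page does not cover.

```python
import ipaddress

IPV4_PREFIX = 24  # zero the last octet, as described above
IPV6_PREFIX = 48  # keep only the /48 prefix, as described above


def anonymize_ip(raw: str) -> str:
    """Return the truncated form of a client address for audit logging.

    Raises ValueError for input that is not an IP address, so a malformed
    value is rejected instead of being written to the log verbatim.
    """
    # Drop an IPv6 zone identifier such as "%eth0"; it names a local interface.
    text = raw.strip().split("%", 1)[0]
    addr = ipaddress.ip_address(text)

    # Assumption: a dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d.
    # Treat those as IPv4; a /48 mask would collapse every one of them to "::".
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    # strict=False lets ip_network mask off the host bits instead of raising.
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


# Constructed sample inputs (documentation and private ranges only).
SAMPLES = [
    "192.168.1.123",
    "2001:db8:abcd:12:1234:5678:9abc:def0",
    "::ffff:192.168.1.123",
    "fe80::1%eth0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample} -> {anonymize_ip(sample)}")
```

Truncation should happen before the value reaches the database write, so the full address never appears in the audit table or in query logs.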
Enterprise SSO & Granular Access Control
OpenDPP is engineered for corporate environments. We implement a fine-grained, secure access control layer that easily integrates with standard enterprise directory systems while keeping supplier operations securely isolated.
Connect your existing corporate Identity Providers (IdPs) like Okta, Keycloak, Ping Identity, or Azure AD. We dynamically verify signatures on OIDC tokens utilizing JWKS (JSON Web Key Sets) endpoints for stateless, cryptographically secure verification.
Avoid broad, insecure roles. OpenDPP uses a precise permission schema check on every endpoint query, supporting 8 specialized roles—including dedicated Compliance Officers (for eIDAS key operations) and Surveillance Officers (read-only verification audits).
Supply chain security is paramount. Facility Agents representing external suppliers are securely restricted to their assigned operator identifiers. The node programmatically blocks cross-operator requests at the API gateway layer, preventing industrial espionage or competitive data leaks.
NIS2 Directive & Supply Chain Integrity
The EU NIS2 Directive (Network and Information Systems Directive 2) places critical emphasis on the security and resilience of digital supply chains. OpenDPP fulfills these stringent demands through structured infrastructure controls:
EU Sovereign Boundaries
All application nodes, API gateways, database engines, and backup systems are located strictly within the European Union (Belgium and Germany). No client data leaves these geographic borders, ensuring full GDPR compliance and sovereign security protection.
End-to-End Encryption
Circularity data, manufacturer metadata, and verification events are encrypted in transit using modern TLS 1.3 cryptographic suites and encrypted at rest with industry-standard AES-256 encryption.
UNTP Supply Chain Trace Verification
OpenDPP enforces supply chain integrity under NIS2 Article 21 by cryptographically verifying custody transfers and transaction events. Ingested events are wrapped inside signed W3C Verifiable Credentials following the UN Transparency Protocol (UNTP), resolving publisher DIDs and checking secure eIDAS certificate chains.
Supply Chain Verified
By leveraging Google Cloud and Neon Postgres as infrastructure partners, OpenDPP passes standard supply chain risk assessments with top-tier marks. Both infrastructure entities qualify as highly secure digital services.
✓ 100% GDPR Data Privacy Conformance
The Shared Responsibility Model
Maintaining robust security requires a collaborative division of tasks between our underlying infrastructure hosts and the OpenDPP application layers.
Infrastructure Hosts (GCP & Neon)
Biometric security gates, surveillance systems, round-the-clock physical guards, and data center perimeter fencing.
Virtualization layer boundaries, logical host network separation, hardware updates, and hardware lifecycle destruction.
High-capacity network tier traffic mitigation, edge rate limiting, and core backbone network filters.
OpenDPP Application Layer
Secure custody of asymmetric ECC signing keys within simulated and isolated Hardware Security Modules (HSMs).
Enterprise Single Sign-On integration via JWKS verification, mapping 8 standard platform roles to fine-grained permission scopes, and enforcing strict row-level supplier boundaries for Facility Agents.
Automatic verification of JSON-LD structures to prevent payload injection and maintain registry conformance.