Data Processing Agreement
Last updated: 2026-02-08
Between:
PassportCraft LLC, a Delaware limited liability company, with its registered address at [PLACEHOLDER ADDRESS], operating the platform at passportcraft.com ("Processor" or "PassportCraft")
and
The entity identified in the applicable service agreement ("Controller" or "Customer")
collectively referred to as the "Parties" and each individually as a "Party."
Effective Date: This Data Processing Agreement ("DPA") is effective as of the date the Customer accepts the PassportCraft Terms of Service or otherwise begins using the PassportCraft platform (the "Effective Date").
Article 1 — Definitions
1.1 In this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement or in Applicable Data Protection Law.
(a) "Agreement" means the Terms of Service or other written agreement between PassportCraft and Customer governing Customer's use of the PassportCraft platform.
(b) "Applicable Data Protection Law" means all laws and regulations relating to the processing of Personal Data that apply to the performance of this DPA, including (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"), (ii) the UK General Data Protection Regulation as defined by the Data Protection Act 2018 ("UK GDPR"), (iii) the Swiss Federal Act on Data Protection ("FADP"), and (iv) any other applicable data protection or privacy laws, in each case as amended, superseded, or replaced from time to time.
(c) "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, the Customer is the Controller.
(d) "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed.
(e) "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed under this DPA, as further described in Annex A.
(f) "Data Protection Impact Assessment" or "DPIA" means an assessment as described in Article 35 GDPR.
(g) "EEA" means the European Economic Area.
(h) "Personal Data" means any information relating to a Data Subject that is Processed by PassportCraft on behalf of the Customer in connection with the provision of the platform, as further described in Annex A.
(i) "Processing" (and its cognates "Process," "Processed," "Processes") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
(j) "Processor" means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller. For purposes of this DPA, PassportCraft is the Processor.
(k) "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as currently set out in Commission Implementing Decision (EU) 2021/914, or any successor clauses adopted by the European Commission.
(l) "Sub-processor" means any third party engaged by PassportCraft to Process Personal Data on behalf of the Customer.
(m) "Supervisory Authority" means an independent public authority established by an EU or EEA Member State pursuant to Article 51 GDPR, or any equivalent authority under Applicable Data Protection Law.
Article 2 — Scope and Purpose
2.1 This DPA applies to the Processing of Personal Data by PassportCraft on behalf of the Customer in connection with the provision of the PassportCraft platform, as described in the Agreement.
2.2 PassportCraft provides a software-as-a-service platform that enables Customers to create, manage, and publish Digital Product Passports ("DPPs"). In the course of providing the platform, PassportCraft Processes Personal Data on behalf of the Customer as described in Annex A.
2.3 This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA shall prevail.
2.4 The duration of the Processing shall be for the term of the Agreement, unless otherwise specified in this DPA or required by Applicable Data Protection Law.
Article 3 — Roles of the Parties
3.1 The Customer is the Controller of the Personal Data Processed under this DPA. The Customer determines the purposes and means of the Processing.
3.2 PassportCraft is the Processor of the Personal Data. PassportCraft Processes Personal Data solely on behalf of the Customer and in accordance with the Customer's documented instructions, as set out in this DPA and the Agreement.
3.3 Nothing in this DPA shall relieve either Party of its obligations under Applicable Data Protection Law.
Article 4 — Customer Obligations
4.1 The Customer warrants and represents that:
(a) It has a lawful basis under Applicable Data Protection Law for the Processing of Personal Data as contemplated by this DPA, including where necessary the collection and transfer of Personal Data to PassportCraft.
(b) It has provided all necessary notices to, and obtained all necessary consents or authorizations from, Data Subjects as required by Applicable Data Protection Law, prior to transferring Personal Data to PassportCraft.
(c) It has the right to share any supplier or third-party personal data uploaded to the platform, and has obtained any required permissions from such third parties.
(d) It shall not upload, submit, or otherwise make available to PassportCraft any special categories of personal data as defined in Article 9 GDPR (including but not limited to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation).
(e) Its instructions to PassportCraft regarding the Processing of Personal Data comply with Applicable Data Protection Law.
4.2 The Customer is solely responsible for the accuracy, quality, and legality of the Personal Data it provides to PassportCraft, and for the means by which it acquired such data.
4.3 The Customer shall promptly inform PassportCraft if it becomes aware that any of its Processing instructions may violate Applicable Data Protection Law.
Article 5 — PassportCraft Obligations as Processor
5.1 Documented Instructions. PassportCraft shall Process Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which PassportCraft is subject. In such a case, PassportCraft shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
5.2 Notification of Potentially Unlawful Instructions. If PassportCraft believes that an instruction from the Customer infringes Applicable Data Protection Law, PassportCraft shall promptly notify the Customer. PassportCraft shall not be required to assess the legality of the Customer's instructions but shall bring to the Customer's attention any instruction that, in PassportCraft's reasonable opinion, may violate Applicable Data Protection Law.
5.3 Confidentiality. PassportCraft shall ensure that all personnel authorized to Process Personal Data under this DPA:
(a) Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(b) Process Personal Data only as necessary to perform their duties in connection with the provision of the platform.
5.4 Security Measures. PassportCraft shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage, as required by Article 32 GDPR. These measures are described in Annex B and shall, at a minimum, ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing.
5.5 Assistance with Data Subject Requests. PassportCraft shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). If PassportCraft receives a request directly from a Data Subject regarding Personal Data Processed on behalf of the Customer, PassportCraft shall promptly forward the request to the Customer and shall not respond to the Data Subject directly unless instructed to do so by the Customer.
5.6 Assistance with Data Protection Obligations. PassportCraft shall assist the Customer, taking into account the nature of the Processing and the information available to PassportCraft, with:
(a) The Customer's obligations under Articles 32 to 36 GDPR, including obligations relating to security of Processing, notification of Data Breaches to Supervisory Authorities and Data Subjects, and Data Protection Impact Assessments.
(b) The Customer's obligations to respond to inquiries from Supervisory Authorities relating to the Processing of Personal Data under this DPA.
5.7 Deletion and Return of Data. Upon termination or expiration of the Agreement, and subject to Article 11, PassportCraft shall, at the Customer's choice:
(a) Delete all Personal Data Processed on behalf of the Customer, including all existing copies, unless European Union or Member State law requires further storage of the Personal Data; or
(b) Return all Personal Data to the Customer in a structured, commonly used, and machine-readable format.
PassportCraft shall certify the deletion of Personal Data in writing upon the Customer's request.
5.8 Audit and Information. PassportCraft shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and in Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to Article 12 of this DPA.
Article 6 — Sub-processors
6.1 Authorization. The Customer provides PassportCraft with general written authorization to engage Sub-processors for the Processing of Personal Data on behalf of the Customer, subject to the requirements of this Article 6.
6.2 Current Sub-processors. The Sub-processors engaged by PassportCraft as of the Effective Date are listed in Annex C. PassportCraft maintains an up-to-date list of Sub-processors at https://passportcraft.com/dpa#annex-c--sub-processor-list.
6.3 Obligations on Sub-processors. PassportCraft shall:
(a) Enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA.
(b) Remain fully liable to the Customer for the performance of the Sub-processor's obligations.
6.4 Notification of New Sub-processors. PassportCraft shall notify the Customer at least thirty (30) days in advance of any intended addition or replacement of a Sub-processor, by email to the address associated with the Customer's account or by notice posted on the PassportCraft website. The notification shall include the name of the Sub-processor, the nature of the Processing to be carried out, and the Sub-processor's location.
6.5 Objection Right. The Customer may object to a new or replacement Sub-processor by notifying PassportCraft in writing within thirty (30) days of receiving the notification under Article 6.4. The objection must be based on reasonable grounds relating to data protection. Upon receiving an objection, PassportCraft shall use commercially reasonable efforts to:
(a) Make available a change in the platform or recommend a commercially reasonable alternative to avoid the Processing of Personal Data by the objected-to Sub-processor; or
(b) Engage in good faith discussions with the Customer to resolve the objection.
If PassportCraft is unable to resolve the Customer's objection within thirty (30) days, the Customer may terminate the Agreement and this DPA by providing written notice to PassportCraft. Upon such termination, PassportCraft shall refund the Customer any prepaid fees for the period following the effective date of termination.
Article 7 — International Data Transfers
7.1 The Customer acknowledges that PassportCraft and certain Sub-processors are located in the United States of America. Personal Data may be transferred to and Processed in the United States and other jurisdictions outside the EEA, United Kingdom, or Switzerland.
7.2 PassportCraft shall ensure that any transfer of Personal Data to a third country or international organization is subject to appropriate safeguards as required by Applicable Data Protection Law, including:
(a) An adequacy decision by the European Commission pursuant to Article 45 GDPR.
(b) The EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, or the Swiss-US Data Privacy Framework, as applicable, where the recipient is a certified participant.
(c) The Standard Contractual Clauses adopted by the European Commission, supplemented by additional safeguards where necessary.
(d) Any other valid transfer mechanism recognized under Applicable Data Protection Law.
7.3 To the extent that PassportCraft relies on the Standard Contractual Clauses for international transfers:
(a) For transfers from the EEA, the SCCs set out in Commission Implementing Decision (EU) 2021/914 shall apply, with PassportCraft acting as the data importer (Module 2: Controller to Processor).
(b) For transfers from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) shall apply.
(c) For transfers from Switzerland, the SCCs shall apply with the modifications necessary to comply with the FADP.
7.4 PassportCraft shall ensure that each Sub-processor engaged in accordance with Article 6 that Processes Personal Data outside the EEA, United Kingdom, or Switzerland is subject to an adequate transfer mechanism as described in this Article 7.
7.5 Upon the Customer's request, PassportCraft shall provide copies of the relevant transfer mechanism documentation.
Article 8 — Security Measures
8.1 PassportCraft shall implement and maintain the technical and organizational security measures described in Annex B. PassportCraft may update these measures from time to time, provided that such updates do not materially diminish the overall level of protection afforded to Personal Data.
8.2 The Customer acknowledges that the security measures are subject to technical progress and development, and that PassportCraft may update or modify such measures provided that the modifications do not result in a material degradation of the protection provided.
8.3 PassportCraft shall regularly assess the risks to the rights and freedoms of Data Subjects and shall ensure that the security measures remain appropriate to the level of risk.
Article 9 — Data Breach Notification
9.1 PassportCraft shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Data Breach affecting Personal Data Processed on behalf of the Customer.
9.2 The notification under Article 9.1 shall include, to the extent reasonably available at the time of notification:
(a) A description of the nature of the Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
(b) The name and contact details of PassportCraft's point of contact from whom more information can be obtained.
(c) A description of the likely consequences of the Data Breach.
(d) A description of the measures taken or proposed to be taken by PassportCraft to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.3 Where it is not possible to provide all the information required under Article 9.2 at the time of the initial notification, PassportCraft shall provide such information in phases without further undue delay as it becomes available.
9.4 PassportCraft shall cooperate with and assist the Customer in the investigation and remediation of any Data Breach, and in the Customer's fulfillment of its obligations under Articles 33 and 34 GDPR to notify Supervisory Authorities and Data Subjects, as applicable.
9.5 PassportCraft shall document all Data Breaches, including the facts relating to the Data Breach, its effects, and the remedial action taken, and shall make such documentation available to the Customer upon request.
Article 10 — Data Protection Impact Assessments
10.1 PassportCraft shall provide reasonable assistance to the Customer with any Data Protection Impact Assessments the Customer is required to carry out under Article 35 GDPR, taking into account the nature of the Processing and the information available to PassportCraft.
10.2 PassportCraft shall provide reasonable assistance to the Customer with any prior consultations with Supervisory Authorities that the Customer is required to engage in under Article 36 GDPR, to the extent that such consultation relates to the Processing carried out by PassportCraft under this DPA.
Article 11 — Data Retention and Deletion
11.1 PassportCraft shall Process Personal Data only for the duration of the Agreement, unless otherwise required by Applicable Data Protection Law.
11.2 Upon termination or expiration of the Agreement, the Customer shall have a period of thirty (30) days (the "Export Period") to export or retrieve its Personal Data from the platform using the export functionalities provided by PassportCraft.
11.3 Following the expiration of the Export Period, PassportCraft shall delete all Personal Data Processed on behalf of the Customer, including all copies in its systems and those of its Sub-processors, unless:
(a) European Union or Member State law, or any other Applicable Data Protection Law, requires retention of such Personal Data; or
(b) The Personal Data has been anonymized in accordance with Applicable Data Protection Law such that it can no longer be attributed to a Data Subject.
11.4 PassportCraft shall provide written certification of the deletion of Personal Data upon the Customer's written request.
11.5 Any Personal Data retained pursuant to Article 11.3(a) shall continue to be protected in accordance with this DPA and shall be Processed only for the purpose required by the applicable legal obligation.
Article 12 — Audit Rights
12.1 PassportCraft shall make available to the Customer, upon reasonable request, all information necessary to demonstrate compliance with PassportCraft's obligations under this DPA and under Article 28 GDPR.
12.2 The Customer, or a qualified third-party auditor appointed by the Customer (subject to reasonable confidentiality obligations), may conduct an audit of PassportCraft's Processing activities and compliance with this DPA, subject to the following conditions:
(a) The Customer shall provide PassportCraft with at least thirty (30) days' prior written notice of any audit.
(b) Audits shall be conducted during PassportCraft's normal business hours and shall not unreasonably disrupt PassportCraft's operations.
(c) The Customer may conduct no more than one (1) audit per twelve (12) month period, unless a Data Breach has occurred or a Supervisory Authority requires or requests an additional audit.
(d) The Customer shall bear all costs associated with the audit, including any fees charged by third-party auditors.
(e) The Customer shall promptly provide PassportCraft with the results of any audit and shall treat all information obtained during the audit as confidential.
12.3 PassportCraft may satisfy the Customer's audit rights under this Article 12 by providing:
(a) A current SOC 2 Type II report, ISO 27001 certificate, or equivalent third-party security certification or audit report; and/or
(b) Written responses to reasonable information requests from the Customer regarding PassportCraft's data protection practices.
12.4 If an audit reveals material non-compliance by PassportCraft with its obligations under this DPA, PassportCraft shall promptly remediate the non-compliance at its own expense and shall inform the Customer of the remedial actions taken.
Article 13 — Liability
13.1 Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement, except to the extent that Applicable Data Protection Law prohibits such limitations.
13.2 Nothing in this DPA shall limit either Party's liability for:
(a) Its obligations under Article 82 GDPR (right to compensation for data subjects).
(b) Any liability that cannot be limited or excluded under Applicable Data Protection Law.
13.3 Where a Party has paid compensation to a Data Subject for damages caused by a violation of Applicable Data Protection Law, that Party may seek to recover from the other Party the portion of the compensation corresponding to the other Party's share of responsibility for the damage, in accordance with Article 82(5) GDPR.
Article 14 — Duration and Termination
14.1 This DPA shall become effective on the Effective Date and shall remain in force for the duration of the Agreement.
14.2 This DPA shall automatically terminate upon the termination or expiration of the Agreement, subject to PassportCraft's obligations regarding data retention and deletion under Article 11.
14.3 The provisions of this DPA that by their nature should survive termination (including, without limitation, Articles 5.7, 9, 11, 12, and 13) shall survive the termination or expiration of this DPA.
Article 15 — Governing Law and Dispute Resolution
15.1 This DPA shall be governed by and construed in accordance with the laws governing the Agreement.
15.2 Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions set forth in the Agreement.
Article 16 — General Provisions
16.1 Entire Agreement. This DPA, together with the Agreement and its annexes, constitutes the entire agreement between the Parties regarding the Processing of Personal Data and supersedes all prior or contemporaneous agreements, understandings, or representations relating to such Processing.
16.2 Amendments. This DPA may only be amended in writing, signed by authorized representatives of both Parties. Notwithstanding the foregoing, PassportCraft may update the Annexes to this DPA (including the Sub-processor list) in accordance with the procedures set out in this DPA.
16.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The Parties shall negotiate in good faith to replace any invalid or unenforceable provision with a valid and enforceable provision that achieves, to the greatest extent possible, the economic, legal, and commercial objectives of the invalid or unenforceable provision.
16.4 No Waiver. No waiver of any provision of this DPA shall be effective unless made in writing and signed by the waiving Party. A failure or delay in exercising any right under this DPA shall not operate as a waiver of such right.
16.5 Notices. All notices under this DPA shall be in writing and shall be sent to:
- PassportCraft: privacy@passportcraft.com
- Customer: The email address associated with the Customer's PassportCraft account, or such other address as the Customer may designate in writing.
16.6 EU Representative. [PLACEHOLDER: PassportCraft's EU Representative details to be added upon appointment pursuant to Article 27 GDPR.]
Annex A — Description of Processing
A.1 Categories of Data Subjects
| Category | Description |
|---|---|
| Customer employees / team members | Individuals who access and use the PassportCraft platform on behalf of the Customer |
| Supplier contacts | Contact persons at the Customer's suppliers whose personal data is included in product or supply chain records |
| End consumers | Individuals who scan QR codes on Digital Product Passports (limited to anonymous or pseudonymous scan data) |
A.2 Categories of Personal Data
| Category | Data Elements |
|---|---|
| Account / user data | Names, email addresses, job titles, profile information of Customer's team members |
| Supplier contact data | Names, email addresses, phone numbers, job titles, and business addresses of supplier contact persons |
| Product-related data | Product names, descriptions, materials, certifications, and compliance documents (to the extent they contain personal data) |
| DPP page data | Generated Digital Product Passport pages accessible via QR codes, which may contain supplier contact information |
| Scan analytics | Anonymized or pseudonymized data about QR code scans, including approximate geographic location, device type, and timestamp |
A.3 Processing Activities
| Activity | Description |
|---|---|
| Account management | Creation and administration of Customer team member accounts, authentication, and access control |
| Product data management | Storage, organization, and retrieval of product data and associated personal data entered by the Customer |
| DPP generation and hosting | Generation, publication, and hosting of Digital Product Passport pages |
| QR code scan analytics | Collection and aggregation of anonymized or pseudonymous scan data |
| Communication | Sending platform notifications, service updates, and transactional emails to Customer's team members |
| Customer support | Processing personal data as necessary to respond to Customer support requests |
| Backup and recovery | Creation and maintenance of data backups for disaster recovery and business continuity |
A.4 Purpose of Processing
PassportCraft Processes Personal Data solely for the purpose of providing, maintaining, and improving the PassportCraft platform in accordance with the Agreement, including:
- Enabling the Customer to create and manage Digital Product Passports
- Hosting and making DPP pages publicly accessible via QR codes
- Providing platform functionality, including user authentication and access control
- Providing analytics regarding QR code scans
- Providing customer support
- Ensuring platform security and integrity
A.5 Retention Period
Personal Data shall be Processed for the duration of the Agreement. Upon termination, the Customer has a thirty (30) day Export Period, after which Personal Data shall be deleted in accordance with Article 11 of this DPA.
Annex B — Technical and Organizational Measures
PassportCraft implements and maintains the following technical and organizational measures to protect Personal Data in accordance with Article 32 GDPR. These measures are subject to ongoing review and improvement.
B.1 Encryption
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest is encrypted using AES-256 or equivalent encryption standards.
- Database connections are encrypted end-to-end.
- Encryption keys are managed using industry-standard key management practices.
B.2 Access Control
- Role-based access control (RBAC) is enforced across all platform systems.
- Multi-factor authentication (MFA) is required for all PassportCraft personnel accessing production systems.
- Access to Personal Data is limited to personnel who require it for the performance of their duties.
- Access rights are reviewed periodically and revoked promptly upon change of role or termination of employment.
- Unique user accounts are assigned to each authorized individual; shared accounts are prohibited.
B.3 Network Security
- Production infrastructure is hosted in secure, professionally managed data centers operated by Sub-processors.
- Network segmentation is used to isolate production environments from development and testing environments.
- Firewall rules and intrusion detection/prevention systems are maintained.
- Regular vulnerability scanning is performed on internet-facing systems.
B.4 Application Security
- Secure software development practices are followed, including code review and security testing.
- Dependencies are regularly monitored for known vulnerabilities and updated promptly.
- Input validation and output encoding are implemented to prevent common web application vulnerabilities (e.g., injection attacks, cross-site scripting).
- Application logs are maintained for security monitoring and incident investigation.
B.5 Data Minimization and Pseudonymization
- Personal Data collection is limited to what is necessary for the purposes of Processing.
- QR code scan analytics are collected on an anonymized or pseudonymized basis.
- Personal Data is not used for purposes beyond those described in this DPA and the Agreement.
B.6 Incident Response
- A documented incident response plan is maintained and tested periodically.
- Designated personnel are responsible for managing security incidents.
- Data Breach notification procedures are established in accordance with Article 9 of this DPA.
- Post-incident reviews are conducted to identify root causes and implement preventive measures.
B.7 Business Continuity and Disaster Recovery
- Regular automated backups of Personal Data are maintained.
- Backups are encrypted and stored in geographically separate locations.
- Recovery procedures are documented and tested periodically.
- Recovery time and recovery point objectives are defined and maintained.
B.8 Personnel Security
- All PassportCraft personnel with access to Personal Data are bound by confidentiality obligations.
- Personnel receive data protection and security awareness training.
- Background checks are conducted for personnel with access to production systems, where permitted by applicable law.
B.9 Physical Security
- Production infrastructure is hosted in data centers operated by Sub-processors that maintain physical security measures, including access controls, surveillance, and environmental protections.
- PassportCraft does not maintain on-premises servers or data centers.
B.10 Vendor Management
- Sub-processors are subject to due diligence assessments before engagement.
- Sub-processor agreements include data protection obligations no less protective than this DPA.
- Sub-processor compliance is reviewed periodically.
Annex C — Sub-processor List
Last updated: February 8, 2026
The following Sub-processors are authorized to Process Personal Data on behalf of the Customer:
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Vercel Inc. | Platform hosting, content delivery, and edge computing | United States | All platform data transmitted and served through the hosting infrastructure |
| Supabase Inc. | Database hosting, user authentication, and file storage | United States | Account data, product data, supplier data, DPP content, and uploaded files |
| Stripe Inc. | Payment processing and subscription management | United States | Customer billing contact information (name, email, payment-related identifiers) |
| Resend Inc. | Transactional and notification email delivery | United States | Names and email addresses of Customer team members receiving platform emails |
| Amplitude Inc. | Product analytics and usage tracking | United States | Pseudonymized usage data, device and session information |
PassportCraft maintains an up-to-date version of this Sub-processor list at https://passportcraft.com/dpa#annex-c--sub-processor-list.
Changes to this list are subject to the notification and objection procedures set out in Article 6 of this DPA.
This Data Processing Agreement was last updated on February 8, 2026.