Data Processing Agreement
Last updated: 2026-06-24
Between:
PassportCraft LLC, a New York limited liability company, with its registered address at 418 Broadway, Ste N, Albany, NY 12207, USA, operating the platform at passportcraft.com ("Processor" or "PassportCraft")
and
The entity identified in the applicable service agreement ("Controller" or "Customer")
collectively referred to as the "Parties" and each individually as a "Party."
Effective Date: This Data Processing Agreement ("DPA") is effective as of the date the Customer accepts the PassportCraft Terms of Service or otherwise begins using the PassportCraft platform (the "Effective Date").
Article 1 — Definitions
1.1 In this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement or in Applicable Data Protection Law.
(a) "Agreement" means the Terms of Service or other written agreement between PassportCraft and Customer governing Customer's use of the PassportCraft platform.
(b) "Applicable Data Protection Law" means all laws and regulations relating to the processing of Personal Data that apply to the performance of this DPA, including (i) the General Data Protection Regulation (EU) 2016/679 ("GDPR"), (ii) the UK General Data Protection Regulation as defined by the Data Protection Act 2018 ("UK GDPR"), (iii) the Swiss Federal Act on Data Protection ("FADP"), and (iv) any other applicable data protection or privacy laws, in each case as amended, superseded, or replaced from time to time.
(c) "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, the Customer is the Controller.
(d) "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed. A Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including (without limitation) unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, and other network attacks on firewalls or networked systems.
(e) "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed under this DPA, as further described in Annex A.
(f) "Data Protection Impact Assessment" or "DPIA" means an assessment as described in Article 35 GDPR.
(g) "EEA" means the European Economic Area.
(h) "Personal Data" means any information relating to a Data Subject that is Processed by PassportCraft on behalf of the Customer in connection with the provision of the platform, as further described in Annex A.
(i) "Processing" (and its cognates "Process," "Processed," "Processes") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
(j) "Processor" means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller. For purposes of this DPA, PassportCraft is the Processor.
(k) "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as currently set out in Commission Implementing Decision (EU) 2021/914, or any successor clauses adopted by the European Commission.
(l) "Sub-processor" means any third party engaged by PassportCraft to Process Personal Data on behalf of the Customer.
(m) "Supervisory Authority" means an independent public authority established by an EU or EEA Member State pursuant to Article 51 GDPR, or any equivalent authority under Applicable Data Protection Law.
Article 2 — Scope and Purpose
2.1 This DPA applies to the Processing of Personal Data by PassportCraft on behalf of the Customer in connection with the provision of the PassportCraft platform, as described in the Agreement.
2.2 PassportCraft provides a software-as-a-service platform that enables Customers to create, manage, and publish Digital Product Passports ("DPPs"). In the course of providing the platform, PassportCraft Processes Personal Data on behalf of the Customer as described in Annex A.
2.3 This DPA is incorporated into and forms part of the Agreement. In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA shall prevail.
2.4 The duration of the Processing shall be for the term of the Agreement, unless otherwise specified in this DPA or required by Applicable Data Protection Law.
Article 3 — Roles of the Parties
3.1 The Customer is the Controller of the Personal Data Processed under this DPA. The Customer determines the purposes and means of the Processing.
3.2 PassportCraft is the Processor of the Personal Data. PassportCraft Processes Personal Data solely on behalf of the Customer and in accordance with the Customer's documented instructions, as set out in this DPA and the Agreement.
3.3 Nothing in this DPA shall relieve either Party of its obligations under Applicable Data Protection Law.
3.4 Independent Controller Data. Notwithstanding Sections 3.1 and 3.2, PassportCraft acts as an independent Controller (not a Processor) with respect to a limited set of Personal Data it Processes for its own purposes — including account registration and authentication data, billing and transaction data, and platform usage and analytics data generated through operation of the platform. PassportCraft's Processing of such data is governed by its Privacy Policy rather than by this DPA.
3.5 US State Privacy Laws. To the extent the California Consumer Privacy Act (as amended by the CPRA) or a comparable US state privacy law applies to Personal Data Processed on behalf of the Customer, PassportCraft acts as a "service provider" (or "processor"/"contractor," as applicable). For the purposes of the CCPA and its implementing regulations:
(a) PassportCraft shall not: (i) sell or share such Personal Data; (ii) retain, use, or disclose it for any purpose other than performing the services specified in the Agreement (the "business purpose"), or as otherwise permitted by applicable law; (iii) retain, use, or disclose it outside the direct business relationship between PassportCraft and the Customer; or (iv) combine it with Personal Data from other sources except as permitted for a service provider.
(b) PassportCraft shall comply with the applicable obligations under the CCPA and shall provide the same level of privacy protection as is required of the Customer (the business) by the CCPA.
(c) The Customer has the right to take reasonable and appropriate steps to ensure that PassportCraft uses such Personal Data in a manner consistent with the Customer's obligations under the CCPA. The audit and information rights in Article 12, and the assistance obligations in Articles 5.5 to 5.8, satisfy this right.
(d) PassportCraft shall notify the Customer if it determines that it can no longer meet its obligations under the CCPA. The notification mechanism in Article 5.2 applies for this purpose.
(e) Upon notice (including a notice under Section 3.5(d)), the Customer has the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of such Personal Data.
PassportCraft certifies that it understands and will comply with the restrictions and obligations set out in this Section 3.5.
3.6 ESPR Roles. This Section 3.6 allocates the Parties' roles under Regulation (EU) 2024/1781 (the Ecodesign for Sustainable Products Regulation, "ESPR") and its delegated acts, as those obligations relate to the Processing of Personal Data under this DPA. The Customer is the economic operator (such as the manufacturer, importer, or authorised representative) and the responsible person for each Digital Product Passport it creates and publishes through the platform, and is the sole party responsible for compliance with ESPR, including the content, accuracy, completeness, legality, and ongoing availability of DPP data. PassportCraft acts only as a software and hosting provider that makes the platform available to the Customer; PassportCraft does not assume, and the Customer shall not represent that PassportCraft assumes, any economic-operator or responsible-person obligation under ESPR. PassportCraft does not act as a "digital product passport service provider" within the meaning of Article 2(32) ESPR (an independent third party authorised by the economic operator to process DPP data for the purpose of making it available), and the Customer does not appoint PassportCraft to that role, unless the Parties expressly agree otherwise in writing. PassportCraft does not sell, or reuse for its own purposes, DPP data beyond what is necessary to provide the platform under the Agreement. This Section 3.6 allocates regulatory roles only and does not alter the GDPR Controller and Processor roles set out in Sections 3.1 to 3.4.
Article 4 — Customer Obligations
4.1 The Customer warrants and represents that:
(a) It has a lawful basis under Applicable Data Protection Law for the Processing of Personal Data as contemplated by this DPA, including where necessary the collection and transfer of Personal Data to PassportCraft.
(b) It has provided all necessary notices to, and obtained all necessary consents or authorizations from, Data Subjects as required by Applicable Data Protection Law, prior to transferring Personal Data to PassportCraft.
(c) It has the right to share any supplier or third-party personal data uploaded to the platform, and has obtained any required permissions from such third parties.
(d) The platform is not designed or intended to Process special categories of personal data, and the Customer shall not upload, submit, or otherwise make available to PassportCraft any special categories of personal data as defined in Article 9 GDPR (including but not limited to data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation), or personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR (together, "Sensitive Data"). PassportCraft's technical and organizational measures in Annex B are designed for the categories of Personal Data described in Annex A and not for Sensitive Data; the Customer is solely responsible for any consequences of submitting Sensitive Data in breach of this Section.
(e) Its instructions to PassportCraft regarding the Processing of Personal Data comply with Applicable Data Protection Law.
4.2 The Customer is solely responsible for the accuracy, quality, and legality of the Personal Data it provides to PassportCraft, and for the means by which it acquired such data.
4.3 The Customer shall promptly inform PassportCraft if it becomes aware that any of its Processing instructions may violate Applicable Data Protection Law.
Article 5 — PassportCraft Obligations as Processor
5.1 Documented Instructions.
(a) PassportCraft shall Process Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which PassportCraft is subject. In such a case, PassportCraft shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
(b) Scope of Documented Instructions. This DPA and the Agreement (including the configuration options PassportCraft makes available through the platform) constitute the Customer's complete documented instructions for the Processing of Personal Data (the "Documented Instructions"). Any instruction outside the scope of the Documented Instructions requires the prior written agreement of both Parties, including agreement on any additional fees payable for carrying it out, and PassportCraft is not obliged to act on any such out-of-scope instruction until that agreement is reached. This Section 5.1(b) does not limit PassportCraft's obligations under Section 5.2 or the statutory minimum cooperation PassportCraft provides at no charge under Section 5.11.
5.2 Notification of Potentially Unlawful Instructions.
(a) If PassportCraft believes that an instruction from the Customer infringes Applicable Data Protection Law, PassportCraft shall promptly notify the Customer. PassportCraft shall not be required to assess the legality of the Customer's instructions but shall bring to the Customer's attention any instruction that, in PassportCraft's reasonable opinion, may violate Applicable Data Protection Law.
(b) Inability to Comply. If PassportCraft is unable to comply with the Customer's instructions or with its obligations under this DPA or the Standard Contractual Clauses referenced in Article 7 — including because Union or Member State law, or other law applicable to PassportCraft, prevents such compliance — PassportCraft shall promptly inform the Customer. In that event, the Customer is entitled to suspend the transfer of Personal Data and/or to terminate the Agreement and this DPA insofar as they concern the affected Processing, in accordance with the data exporter's rights under Clause 16 of the Standard Contractual Clauses referenced in Article 7. Separately, and without prejudice to and in addition to the Customer's rights under that Clause 16, PassportCraft may suspend the affected Processing until the Customer issues compliant instructions or the conflict is otherwise resolved, without liability to the Customer for that operational suspension. This Article 5.2(b) gives effect to the obligations of the data importer to inform the data exporter under Clause 16 of the Standard Contractual Clauses referenced in Article 7; the data importer's obligations in respect of local laws and access by public authorities are addressed in Articles 7 and 5.10 (which give effect to Clauses 14 and 15 of those Standard Contractual Clauses).
5.3 Confidentiality. PassportCraft shall ensure that all personnel authorized to Process Personal Data under this DPA:
(a) Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(b) Process Personal Data only as necessary to perform their duties in connection with the provision of the platform.
5.4 Security Measures. PassportCraft shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage, as required by Article 32 GDPR. These measures are described in Annex B and shall, at a minimum, ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing.
5.5 Assistance with Data Subject Requests. PassportCraft shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). If PassportCraft receives a request directly from a Data Subject regarding Personal Data Processed on behalf of the Customer, PassportCraft shall promptly forward the request to the Customer and shall not respond to the Data Subject directly unless instructed to do so by the Customer.
5.6 Assistance with Data Protection Obligations. PassportCraft shall assist the Customer, taking into account the nature of the Processing and the information available to PassportCraft, with:
(a) The Customer's obligations under Articles 32 to 36 GDPR, including obligations relating to security of Processing, notification of Data Breaches to Supervisory Authorities and Data Subjects, and Data Protection Impact Assessments.
(b) The Customer's obligations to respond to inquiries from Supervisory Authorities relating to the Processing of Personal Data under this DPA.
5.7 Deletion and Return of Data. Upon termination or expiration of the Agreement, and subject to Article 11, PassportCraft shall, at the Customer's choice:
(a) Delete all Personal Data Processed on behalf of the Customer, including all existing copies, unless European Union or Member State law requires further storage of the Personal Data; or
(b) Return all Personal Data to the Customer in a structured, commonly used, and machine-readable format.
PassportCraft shall certify the deletion of Personal Data in writing upon the Customer's request.
5.8 Audit and Information. PassportCraft shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and in Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to Article 12 of this DPA.
5.9 Artificial Intelligence Sub-Processing. Where the Customer or its users invoke AI-assisted features of the platform, PassportCraft transmits the input text to its AI sub-processor (OpenAI) solely to generate the requested suggestion. PassportCraft does not use Customer Personal Data to train, fine-tune, or otherwise improve any machine-learning model, and does not use Personal Data for automated profiling of Data Subjects. PassportCraft's AI sub-processor does not use data submitted via its API to train its models by default. The prohibition on Sensitive Data in Article 4.1(d) applies equally to any data submitted to AI features.
5.10 Government and Law Enforcement Requests. If PassportCraft receives a legally binding request from a public authority, including a judicial or law enforcement authority, for the disclosure of Personal Data Processed on behalf of the Customer, PassportCraft shall, unless otherwise prohibited by law:
(a) Promptly notify the Customer of the request to enable the Customer to take any necessary measures and, where PassportCraft is prohibited from notifying the Customer, use reasonable efforts to obtain a waiver of that prohibition so as to be able to communicate as much information as possible, as soon as possible.
(b) Not disclose Personal Data Processed on behalf of the Customer unless legally compelled to do so.
(c) Review the legality of the request and, where there are reasonable grounds to consider the request unlawful under Applicable Data Protection Law or other applicable law, challenge the request, pursuing available avenues of appeal and seeking interim measures with a view to suspending the effects of the request until a competent authority has decided on its merits.
(d) In responding to any such request, provide only the minimum amount of Personal Data permissible when responding, based on a reasonable interpretation of the request.
PassportCraft shall document any such requests and the responses provided and make that documentation available to the Customer upon request, to the extent permitted by applicable law. This Article 5.10 reflects the obligations of the data importer under Clause 15 of the Standard Contractual Clauses referenced in Article 7.
5.11 Cost of Assistance. The cooperation and assistance that PassportCraft provides under Articles 5.5, 5.6, 10, and information requests under Article 12.1 is included at no additional charge to the extent it can be accommodated through the platform's standard self-service functionality or otherwise requires no more than commercially reasonable, de minimis effort. Where such assistance requires effort materially beyond that standard — including bespoke engineering, legal, or analytical work — PassportCraft may charge its reasonable costs at its then-prevailing rates, provided that PassportCraft first gives the Customer advance written notice and a good-faith estimate and the Customer confirms it wishes to proceed. Notwithstanding the foregoing, PassportCraft shall provide the statutory minimum cooperation required under Applicable Data Protection Law — including Data Breach notification under Article 9, the provision of information reasonably necessary to demonstrate compliance with Article 28 GDPR, and any Data Subject request and Article 35–36 GDPR (DPIA and prior consultation) assistance to the extent required by Applicable Data Protection Law and the SCCs — at no charge.
Article 6 — Sub-processors
6.1 Authorization. The Customer provides PassportCraft with general written authorization to engage Sub-processors for the Processing of Personal Data on behalf of the Customer, subject to the requirements of this Article 6.
6.2 Current Sub-processors. The Sub-processors engaged by PassportCraft as of the Effective Date are listed in Annex C. PassportCraft maintains an up-to-date list of Sub-processors at https://passportcraft.com/dpa#annex-c--sub-processor-list.
6.3 Obligations on Sub-processors. PassportCraft shall:
(a) Enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA.
(b) Remain fully liable to the Customer for the performance of the Sub-processor's obligations.
(c) Ensure that each Sub-processor agreement includes a third-party-beneficiary clause under which, in the event that PassportCraft has factually disappeared, ceased to exist in law, or become insolvent, the Customer may terminate the Sub-processor agreement and instruct the Sub-processor to erase or return the Personal Data.
(d) Upon the Customer's reasonable written request, provide a copy of the relevant Sub-processor's data protection terms (with commercial terms redacted).
6.4 Notification of New Sub-processors. PassportCraft shall notify the Customer at least thirty (30) days in advance of any intended addition or replacement of a Sub-processor, by email to the address associated with the Customer's account or by notice posted on the PassportCraft website. The notification shall include the name of the Sub-processor, the nature of the Processing to be carried out, and the Sub-processor's location.
6.5 Objection Right. The Customer may object to a new or replacement Sub-processor by notifying PassportCraft in writing within thirty (30) days of receiving the notification under Article 6.4. The objection must be based on reasonable grounds relating to data protection. Upon receiving an objection, PassportCraft shall use commercially reasonable efforts to:
(a) Make available a change in the platform or recommend a commercially reasonable alternative to avoid the Processing of Personal Data by the objected-to Sub-processor; or
(b) Engage in good faith discussions with the Customer to resolve the objection.
If PassportCraft is unable to resolve the Customer's objection within thirty (30) days, the Customer may terminate the Agreement and this DPA by providing written notice to PassportCraft. Upon such termination, PassportCraft shall refund the Customer any prepaid fees for the period following the effective date of termination.
Article 7 — International Data Transfers
7.1 The Customer acknowledges that PassportCraft and certain Sub-processors are located in the United States of America. Personal Data may be transferred to and Processed in the United States and other jurisdictions outside the EEA, United Kingdom, or Switzerland.
7.2 PassportCraft shall ensure that any transfer of Personal Data to a third country or international organization is subject to appropriate safeguards as required by Applicable Data Protection Law, including:
(a) An adequacy decision by the European Commission pursuant to Article 45 GDPR.
(b) The EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, or the Swiss-US Data Privacy Framework, as applicable, where the recipient is a certified participant.
(c) The Standard Contractual Clauses adopted by the European Commission, supplemented by additional safeguards where necessary.
(d) Any other valid transfer mechanism recognized under Applicable Data Protection Law.
7.3 To the extent that PassportCraft relies on the Standard Contractual Clauses for international transfers:
(a) For transfers from the EEA, the SCCs set out in Commission Implementing Decision (EU) 2021/914 shall apply, with PassportCraft acting as the data importer (Module 2: Controller to Processor).
(b) For transfers from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) shall apply, as completed in Section 7.8.
(c) For transfers from Switzerland, the SCCs shall apply with the modifications necessary to comply with the FADP, as set out in Section 7.9.
(d) Incorporation of the EU Standard Contractual Clauses. For transfers described in Section 7.3(a), the Parties are deemed to have entered into the Standard Contractual Clauses (Module Two: Controller to Processor), which are incorporated into this DPA by reference and form an integral part of it, with PassportCraft as the data importer and the Customer as the data exporter. Where the Customer is itself a processor acting on behalf of a third-party controller, Module Three (Processor to Processor) applies in place of Module Two, with the necessary changes. The Parties agree that completion of this DPA and the Agreement, and the Customer's acceptance of them, constitute signature of the Standard Contractual Clauses for the purposes of Clause 1 and the Appendix.
(e) Module 2 elections. The following elections apply to the Standard Contractual Clauses incorporated under Section 7.3(d):
- Clause 7 (Docking clause): The optional docking clause applies, so that an entity that is not a Party may accede to the Standard Contractual Clauses as a data exporter or data importer by completing the Appendix and signing Annex I.A.
- Clause 9 (Use of sub-processors): Option 2 (general written authorisation) applies. The time period for prior notice of Sub-processor changes is thirty (30) days, as set out in Article 6.4 of this DPA, and the list of authorised Sub-processors is set out in Annex C.
- Clause 11 (Redress): The optional language providing for an independent dispute resolution body does not apply.
- Clause 13 (Supervision): The competent supervisory authority is determined in accordance with Clause 13 and Annex I.C.
- Clause 17 (Governing law): The Standard Contractual Clauses are governed by the law of the Republic of Ireland. This choice of law applies to the Standard Contractual Clauses only and does not displace the governing law of the Agreement set out in Article 15.
- Clause 18 (Choice of forum and jurisdiction): Disputes arising from the Standard Contractual Clauses shall be resolved before the courts of the Republic of Ireland. This applies to the Standard Contractual Clauses only and does not displace the dispute-resolution provisions of the Agreement referred to in Article 15 for other matters.
(f) Mapping of Annexes to the SCC Appendix. Annex A, Annex B, and Annex C of this DPA constitute, respectively, Annex I (Annex I.A — List of Parties from the Agreement and the account record; Annex I.B — Description of Transfer; Annex I.C — Competent Supervisory Authority, determined under Clause 13), Annex II (Technical and Organisational Measures), and Annex III (List of Sub-processors) of the Appendix to the Standard Contractual Clauses.
7.4 PassportCraft shall ensure that each Sub-processor engaged in accordance with Article 6 that Processes Personal Data outside the EEA, United Kingdom, or Switzerland is subject to an adequate transfer mechanism as described in this Article 7.
7.5 Upon the Customer's request, PassportCraft shall provide copies of the relevant transfer mechanism documentation.
7.6 Where a transfer of Personal Data relies on the Standard Contractual Clauses, PassportCraft's obligations in respect of legally binding requests by public authorities for disclosure of transferred Personal Data are set out in Article 5.10 (Government and Law Enforcement Requests), which gives effect to Clause 15 of those Standard Contractual Clauses.
7.7 Order of Precedence. In the event of any conflict or inconsistency between the Standard Contractual Clauses incorporated under this Article 7 and any other term of this DPA or the Agreement, the Standard Contractual Clauses shall prevail. Read together with Article 2.3, the order of precedence with respect to the Processing of Personal Data is: (a) the Standard Contractual Clauses; (b) this DPA; and (c) the Agreement.
7.8 UK International Data Transfer Addendum. For transfers described in Section 7.3(b), the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the "UK Addendum") is incorporated into this DPA by reference and completed as follows:
- Table 1 (Parties): The exporter is the Customer and the importer is PassportCraft, with the details, roles, and contact points set out in the Agreement, the account record, and Annex C of this DPA.
- Table 2 (Addendum EU SCCs): The "Approved EU SCCs" are the Standard Contractual Clauses incorporated under Section 7.3(d), with the Module 2 elections set out in Section 7.3(e).
- Table 3 (Appendix Information): Annex I, Annex II, and Annex III to the Appendix of the Approved EU SCCs are as mapped in Section 7.3(f) (Annexes A, B, and C of this DPA).
- Table 4 (Ending the Addendum): Either Party may end the UK Addendum as set out in Section 19 of the UK Addendum when the Approved Addendum changes, to the extent permitted by the UK Addendum.
References in the Approved EU SCCs are read in accordance with the UK Addendum so as to protect transfers subject to the UK GDPR. Where the UK Addendum conflicts with the Approved EU SCCs in respect of a UK transfer, the UK Addendum prevails for that transfer.
7.9 Swiss adaptations. For transfers described in Section 7.3(c) that are subject to the FADP, the Standard Contractual Clauses incorporated under Section 7.3(d) apply with the following modifications: (a) references to the GDPR are understood as references to the FADP insofar as the transfer is governed by the FADP; (b) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP; (c) the term "Member State" is not interpreted so as to exclude Data Subjects in Switzerland from bringing proceedings at their place of habitual residence (Clause 18(c)); and (d) until the FADP's protection of legal entities is no longer in force, the Standard Contractual Clauses also protect the data of legal entities to the extent required by the FADP.
Article 8 — Security Measures
8.1 PassportCraft shall implement and maintain the technical and organizational security measures described in Annex B. PassportCraft may update these measures from time to time, provided that such updates do not materially diminish the overall level of protection afforded to Personal Data.
8.2 The Customer acknowledges that the security measures are subject to technical progress and development, and that PassportCraft may update or modify such measures provided that the modifications do not result in a material degradation of the protection provided.
8.3 PassportCraft shall regularly assess the risks to the rights and freedoms of Data Subjects and shall ensure that the security measures remain appropriate to the level of risk.
Article 9 — Data Breach Notification
9.1 PassportCraft shall notify the Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Data Breach affecting Personal Data Processed on behalf of the Customer. For the purposes of this Article 9, PassportCraft becomes "aware" of a Data Breach once it has a reasonable degree of certainty that a Data Breach has occurred; PassportCraft is not required to complete its full investigation or forensic analysis before the awareness standard is met or before notifying the Customer. For the avoidance of doubt, and consistent with Article 1(d), this notification obligation does not arise from unsuccessful attempts or activities that do not compromise the security of Personal Data.
9.2 The notification under Article 9.1 shall include, to the extent reasonably available at the time of notification:
(a) A description of the nature of the Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
(b) The name and contact details of PassportCraft's point of contact from whom more information can be obtained.
(c) A description of the likely consequences of the Data Breach.
(d) A description of the measures taken or proposed to be taken by PassportCraft to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.3 Where it is not possible to provide all the information required under Article 9.2 at the time of the initial notification, PassportCraft shall provide such information in phases without further undue delay as it becomes available.
9.4 PassportCraft shall cooperate with and assist the Customer in the investigation and remediation of any Data Breach, and in the Customer's fulfillment of its obligations under Articles 33 and 34 GDPR to notify Supervisory Authorities and Data Subjects, as applicable.
9.5 PassportCraft shall document all Data Breaches, including the facts relating to the Data Breach, its effects, and the remedial action taken, and shall make such documentation available to the Customer upon request.
Article 10 — Data Protection Impact Assessments
10.1 PassportCraft shall provide reasonable assistance to the Customer with any Data Protection Impact Assessments the Customer is required to carry out under Article 35 GDPR, taking into account the nature of the Processing and the information available to PassportCraft.
10.2 PassportCraft shall provide reasonable assistance to the Customer with any prior consultations with Supervisory Authorities that the Customer is required to engage in under Article 36 GDPR, to the extent that such consultation relates to the Processing carried out by PassportCraft under this DPA.
Article 11 — Data Retention and Deletion
11.1 PassportCraft shall Process Personal Data only for the duration of the Agreement, unless otherwise required by Applicable Data Protection Law.
11.2 Upon termination or expiration of the Agreement, the Customer shall have a period of thirty (30) days (the "Export Period") to export or retrieve its Personal Data from the platform using the export functionalities provided by PassportCraft. This self-service export right is in addition to, and not a substitute for, the Customer's right under Article 5.7 to have PassportCraft delete or return the Personal Data at the Customer's choice.
11.3 Following the expiration of the Export Period, and unless the Customer has elected return of its Personal Data under Article 5.7(b) (in which case PassportCraft shall first return the Personal Data in accordance with that election before deleting it), PassportCraft shall delete all Personal Data Processed on behalf of the Customer, including all copies in its systems and those of its Sub-processors, unless:
(a) European Union or Member State law, or any other Applicable Data Protection Law, requires retention of such Personal Data; or
(b) The Personal Data has been anonymized in accordance with Applicable Data Protection Law such that it can no longer be attributed to a Data Subject.
Personal Data residing on routine encrypted backups will be deleted in accordance with PassportCraft's backup rotation schedule, and until such deletion will remain securely isolated and protected from any further active Processing.
11.4 PassportCraft shall provide written certification of the deletion of Personal Data upon the Customer's written request.
11.5 Any Personal Data retained pursuant to Article 11.3(a) shall continue to be protected in accordance with this DPA and shall be Processed only for the purpose required by the applicable legal obligation.
11.6 Public DPP Page Lifecycle on Suspension, Downgrade, or Termination. Because Digital Product Passport pages are published to the public and resolved through GS1 Digital Link URLs (which may be physically printed on the Customer's products), the following describes what happens to those public pages and their resolvable URLs, distinct from the deletion of Personal Data under Articles 11.1 to 11.5:
(a) Only a passport that is in a "published" state renders publicly. The platform fails closed: where a passport is not published — including following suspension, downgrade, or termination — its public page does not display product or Personal Data and instead shows a neutral notice that the passport is no longer available, and is de-indexed from search engines. The page does not return live DPP data.
(b) On cancellation or downgrade of the Customer's plan, any published passports in excess of the new plan's limit remain live for a grace period of thirty (30) days, after which they are unpublished and revert to the neutral "no longer available" notice described in Section 11.6(a). This page-continuity grace period is separate from, and runs concurrently with, the thirty (30) day Export Period in Article 11.2.
(c) PassportCraft does not offer a paid continued-hosting service for public DPP pages after the Service ends, and does not provide a customer-controlled redirect of the PassportCraft-hosted resolvable URL. The Customer is responsible for any reprinting, re-labelling, or migration of data carriers required if it ceases to use the platform.
11.7 Customer Responsibility for ESPR-Compliant Availability. Consistent with the allocation of ESPR roles in Section 3.6, the Customer is solely responsible for maintaining ESPR-compliant availability of its DPP data — including, where required, a backup copy held with the Customer or through an independent provider — both during and after the term of the Agreement. The Customer acknowledges that, following suspension, downgrade, or termination, its public DPP pages will behave as described in Section 11.6, and the Customer is responsible for using the Export Period in Article 11.2 to retrieve its data and for any consumer-facing consequences of a passport ceasing to be publicly available through the platform. PassportCraft bears no responsibility for the Customer's continued compliance with its own ESPR availability obligations after the Service ends.
11.8 Business Continuity and Wind-Down. This Section 11.8 applies where PassportCraft makes a decision to cease operating the platform, or becomes subject to insolvency, receivership, administration, dissolution, or a comparable proceeding (a "Wind-Down Event"). It addresses the orderly handover of Personal Data and is distinct from the discontinuation, export, and transition provisions of the Agreement, which presume PassportCraft to be operating as a going concern.
(a) Notice and continued export. On a Wind-Down Event, PassportCraft shall use commercially reasonable efforts to give the Customer as much advance written notice as is practicable in the circumstances, and to keep the self-service export functionality referenced in Article 11.2 available to the Customer for the duration of the Export Period before the platform is shut down, so that the Customer can retrieve its Personal Data and associated product identifiers.
(b) Bulk-export path. PassportCraft maintains a documented bulk-export capability designed so that Customer Personal Data and product identifiers can be retrieved with minimal manual intervention. On a Wind-Down Event, PassportCraft shall use commercially reasonable efforts to make that capability, or an export of the Customer's Personal Data in a structured, commonly used, and machine-readable format, available to the Customer in accordance with Article 5.7(b).
(c) No escrow. PassportCraft does not provide, and is not obliged to provide, source-code or data escrow, or any third-party continuity, hosting, or trustee arrangement. The Customer's continuity protection under this Section 11.8 is the export and handover commitment described in this Section, and not the survival of the platform itself.
(d) Limits and interaction with ESPR availability. The commitments in this Section 11.8 are best-efforts obligations appropriate to PassportCraft's nature and resources, and do not guarantee uninterrupted availability of the platform or of any public DPP page. The Customer acknowledges that, following a Wind-Down Event, public DPP pages and the PassportCraft-hosted resolvable URLs printed on the Customer's products may cease to resolve, as described in Sections 11.6 and 11.7. Nothing in this Section 11.8 transfers to PassportCraft any of the Customer's ESPR availability or other regulatory obligations, which remain solely the Customer's responsibility under Sections 3.6 and 11.7. This Section 11.8 reinforces, and does not limit, the third-party-beneficiary protection in Article 6.3(c) concerning Sub-processors.
Article 12 — Audit Rights
12.1 PassportCraft shall make available to the Customer, upon reasonable request, all information necessary to demonstrate compliance with PassportCraft's obligations under this DPA and under Article 28 GDPR.
12.2 The Customer, or a qualified third-party auditor appointed by the Customer (subject to reasonable confidentiality obligations), may conduct an audit of PassportCraft's Processing activities and compliance with this DPA, subject to the following conditions:
(a) The Customer shall provide PassportCraft with at least thirty (30) days' prior written notice of any audit.
(b) Audits shall be conducted during PassportCraft's normal business hours and shall not unreasonably disrupt PassportCraft's operations.
(c) The Customer may conduct no more than one (1) audit per twelve (12) month period, unless a Data Breach has occurred or a Supervisory Authority requires or requests an additional audit.
(d) The Customer shall bear all costs associated with the audit, including any fees charged by third-party auditors. The Customer shall also reimburse PassportCraft, at PassportCraft's reasonable cost, for the time its personnel reasonably expend in connection with the audit, of which PassportCraft will give the Customer a good-faith estimate in advance. This reimbursement covers PassportCraft's incremental time in hosting the audit only and does not apply to the statutory minimum cooperation and information PassportCraft furnishes at no charge under Section 5.11 and Article 28(3)(h) GDPR.
(e) The Customer shall promptly provide PassportCraft with the results of any audit and shall treat all information obtained during the audit as confidential.
(f) The Customer may exercise the on-site audit and inspection right in this Section 12.2 only where (i) PassportCraft has not made available the information or third-party report described in Section 12.3 within a reasonable time, (ii) such information is not reasonably sufficient to demonstrate PassportCraft's compliance with this DPA, or (iii) a Supervisory Authority requires an on-site audit. Where PassportCraft makes available a current report or written responses under Section 12.3 that reasonably address the Customer's concern, that shall satisfy the Customer's audit and inspection rights under grounds (i) and (ii) of this Section 12.2(f); nothing in this Section limits an on-site audit required by a Supervisory Authority under ground (iii), or the Customer's rights under Clause 8.9 of the Standard Contractual Clauses and Article 28(3)(h) GDPR.
12.3 PassportCraft may satisfy the Customer's audit rights under this Article 12 by providing:
(a) A current SOC 2 Type II report, ISO 27001 certificate, or equivalent third-party security certification or audit report; and/or
(b) Written responses to reasonable information requests from the Customer regarding PassportCraft's data protection practices.
12.4 If an audit reveals material non-compliance by PassportCraft with its obligations under this DPA, PassportCraft shall promptly remediate the non-compliance at its own expense and shall inform the Customer of the remedial actions taken.
Article 13 — Liability
13.1 Each Party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement (including the monetary cap, the exclusion of indirect and consequential damages, and the exceptions and carve-outs that allocate which of those apply), and only to the same extent that the Agreement applies them to that Party, except to the extent that Applicable Data Protection Law prohibits such limitations. Accordingly: (a) PassportCraft's liability under this DPA is limited as, and to the extent, the Agreement limits PassportCraft's liability — including the application of the monetary cap to PassportCraft's own liability (such as its own gross negligence) and to its indemnification obligations, except for liabilities that cannot be limited under applicable law or Applicable Data Protection Law; and (b) nothing in this DPA caps or otherwise limits any obligation of the Customer (including its payment obligations and its indemnification obligations, such as the indemnity in Section 13.5) that the Agreement does not cap. This DPA does not create any separate, additional, or higher cap, and the liability arising out of or related to the Agreement and this DPA together is subject to a single cap (not a separate cap for each document); where the same loss could be claimed under both the Agreement and this DPA, it is not recovered or counted twice. Nothing in this Section 13.1 displaces any liability that cannot be limited or excluded under Applicable Data Protection Law as set out in Section 13.2.
13.2 Nothing in this DPA shall limit either Party's liability for:
(a) Its obligations under Article 82 GDPR (right to compensation for data subjects).
(b) Any liability that cannot be limited or excluded under Applicable Data Protection Law.
13.3 Where a Party has paid compensation to a Data Subject for damages caused by a violation of Applicable Data Protection Law, that Party may seek to recover from the other Party the portion of the compensation corresponding to the other Party's share of responsibility for the damage, in accordance with Article 82(5) GDPR.
13.4 PassportCraft shall not be liable for any claim brought by a Data Subject arising from or related to PassportCraft's acts or omissions to the extent PassportCraft was acting in accordance with the Customer's documented instructions. This Article 13.4 does not displace any liability that cannot be limited or excluded under Applicable Data Protection Law as set out in Article 13.2.
13.5 Customer Indemnity. The Customer shall indemnify and hold harmless PassportCraft from and against any third-party claims, regulatory fines or penalties, and reasonable defense costs to the extent arising from the Customer's breach of its warranties and obligations under Article 4, including the upload of special categories of personal data in breach of Article 4.1(d) or the absence of a lawful basis, notice, or consent required under Articles 4.1(a) and 4.1(b). The Customer's indemnification obligations under this Section 13.5 are not subject to, and do not count toward, the monetary cap referred to in Section 13.1, consistent with the treatment of the Customer's indemnification obligations under the Agreement (which the Agreement does not cap). This Section 13.5 is in addition to, and does not limit, the Customer's indemnification obligations under the Agreement; where the same loss is covered by both, it is not recovered twice.
Article 14 — Duration and Termination
14.1 This DPA shall become effective on the Effective Date and shall remain in force for the duration of the Agreement.
14.2 This DPA shall automatically terminate upon the termination or expiration of the Agreement, subject to PassportCraft's obligations regarding data retention and deletion under Article 11.
14.3 The provisions of this DPA that by their nature should survive termination (including, without limitation, Articles 5.7, 9, 11 (including the Business Continuity and Wind-Down provisions of Section 11.8), 12, and 13) shall survive the termination or expiration of this DPA.
Article 15 — Governing Law and Dispute Resolution
15.1 This DPA shall be governed by and construed in accordance with the laws governing the Agreement.
15.2 Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution provisions set forth in the Agreement.
Article 16 — General Provisions
16.1 Entire Agreement. This DPA, together with the Agreement and its annexes, constitutes the entire agreement between the Parties regarding the Processing of Personal Data and supersedes all prior or contemporaneous agreements, understandings, or representations relating to such Processing.
16.2 Amendments. This DPA may only be amended in writing, signed by authorized representatives of both Parties. Notwithstanding the foregoing, PassportCraft may update the Annexes to this DPA (including the Sub-processor list) in accordance with the procedures set out in this DPA.
16.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The Parties shall negotiate in good faith to replace any invalid or unenforceable provision with a valid and enforceable provision that achieves, to the greatest extent possible, the economic, legal, and commercial objectives of the invalid or unenforceable provision.
16.4 No Waiver. No waiver of any provision of this DPA shall be effective unless made in writing and signed by the waiving Party. A failure or delay in exercising any right under this DPA shall not operate as a waiver of such right.
16.5 Notices. All notices under this DPA shall be in writing and shall be sent to:
- PassportCraft: privacy@passportcraft.com
- Customer: The email address associated with the Customer's PassportCraft account, or such other address as the Customer may designate in writing.
16.6 EU Representative. PassportCraft has appointed Data Protection Representative Limited (trading as DataRep) as its Data Protection Representative under Article 27 of the EU GDPR (for the EEA) and under the UK GDPR and the Data Protection Act 2018 (for the UK). Data subjects may contact DataRep by email at datarequest@datarep.com (quoting "PassportCraft LLC" in the subject line), via the online form at www.datarep.com/data-request, or by post addressed to "DataRep" (not PassportCraft LLC) at any of its local offices across the EEA and the UK (registered office: 77 Camden Street Lower, Dublin D02 XE80, Ireland). Further contact details are set out in PassportCraft's Privacy Policy.
Annex A — Description of Processing
This Annex A describes the Processing that PassportCraft carries out as a Processor on the Customer's behalf and on the Customer's documented instructions. It does not cover the data for which PassportCraft acts as an independent Controller under Section 3.4 (including account registration and authentication data, billing and transaction data, and platform usage and analytics data generated through operation of the platform, such as the QR-code scan analytics described in the Privacy Policy). That independent-Controller data is governed by PassportCraft's Privacy Policy rather than by this DPA, is not Processed on the Customer's documented instructions, and is not subject to the Customer's instruction, deletion, or audit rights under this DPA or Article 28 GDPR. The scan-analytics row below is included for transparency only, to identify the underlying interaction, and not to bring that processing within this DPA.
A.1 Categories of Data Subjects
| Category | Description |
|---|---|
| Customer employees / team members | Individuals who access and use the PassportCraft platform on behalf of the Customer |
| Supplier contacts | Contact persons at the Customer's suppliers whose personal data is included in product or supply chain records |
| End consumers (for transparency only — not Processor data) | Individuals who scan QR codes on Digital Product Passports. The resulting scan analytics is Processed by PassportCraft as an independent Controller under Section 3.4 and the Privacy Policy, not on the Customer's documented instructions under this DPA. |
A.2 Categories of Personal Data
| Category | Data Elements |
|---|---|
| Account / user data | Names, email addresses, job titles, profile information of Customer's team members |
| Supplier contact data | Names, email addresses, phone numbers, job titles, and business addresses of supplier contact persons |
| Product-related data | Product names, descriptions, materials, certifications, and compliance documents (to the extent they contain personal data) |
| DPP page data | Generated Digital Product Passport pages accessible via QR codes, which may contain supplier contact information |
| Scan analytics (for transparency only — independent-Controller data, not Processed under this DPA) | Anonymized or pseudonymized data about QR code scans, including approximate geographic location, device type, and timestamp. Processed by PassportCraft as an independent Controller under Section 3.4 and the Privacy Policy. |
A.3 Processing Activities
| Activity | Description |
|---|---|
| Account management | Creation and administration of Customer team member accounts, authentication, and access control |
| Product data management | Storage, organization, and retrieval of product data and associated personal data entered by the Customer |
| DPP generation and hosting | Generation, publication, and hosting of Digital Product Passport pages |
| QR code scan analytics (for transparency only — independent-Controller activity, not Processed under this DPA) | Collection and aggregation of anonymized or pseudonymous scan data, carried out by PassportCraft as an independent Controller under Section 3.4 and the Privacy Policy |
| Communication | Sending platform notifications, service updates, and transactional emails to Customer's team members |
| Customer support | Processing personal data as necessary to respond to Customer support requests |
| Backup and recovery | Creation and maintenance of data backups for disaster recovery and business continuity |
A.4 Purpose of Processing
PassportCraft Processes Personal Data solely for the purpose of providing, maintaining, and improving the PassportCraft platform in accordance with the Agreement, including:
- Enabling the Customer to create and manage Digital Product Passports
- Hosting and making DPP pages publicly accessible via QR codes
- Providing platform functionality, including user authentication and access control
- Providing customer support
- Ensuring platform security and integrity
QR-code scan analytics is not a purpose for which PassportCraft Processes Personal Data on the Customer's behalf under this DPA; PassportCraft carries out that processing as an independent Controller under Section 3.4 and the Privacy Policy.
A.5 Retention Period
Personal Data shall be Processed for the duration of the Agreement. Upon termination, the Customer has a thirty (30) day Export Period, after which Personal Data shall be deleted in accordance with Article 11 of this DPA.
A.6 Frequency of Transfer
Personal Data is transferred and Processed on a continuous basis for the duration of the Agreement.
Annex B — Technical and Organizational Measures
PassportCraft implements and maintains the following technical and organizational measures to protect Personal Data in accordance with Article 32 GDPR. These measures are subject to ongoing review and improvement.
B.1 Encryption
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest is encrypted using AES-256 or equivalent encryption standards.
- Database connections are encrypted end-to-end.
- Encryption keys are managed using industry-standard key management practices.
B.2 Access Control
- Role-based access control (RBAC) is enforced across all platform systems.
- Multi-factor authentication (MFA) is required for all PassportCraft personnel accessing production systems.
- Access to Personal Data is limited to personnel who require it for the performance of their duties.
- Access rights are reviewed periodically and revoked promptly upon change of role or termination of employment.
- Unique user accounts are assigned to each authorized individual; shared accounts are prohibited.
B.3 Network Security
- Production infrastructure is hosted in secure, professionally managed data centers operated by Sub-processors.
- Production environments are separated from development and testing environments.
- Firewall protection, intrusion detection/prevention, and regular vulnerability scanning of the underlying infrastructure are provided and maintained by our infrastructure Sub-processors (such as Vercel and Supabase).
B.4 Application Security
- Secure software development practices are followed, including code review and security testing.
- Dependencies are regularly monitored for known vulnerabilities and updated promptly.
- Input validation and output encoding are implemented to prevent common web application vulnerabilities (e.g., injection attacks, cross-site scripting).
- Application logs are maintained for security monitoring and incident investigation.
B.5 Data Minimization and Pseudonymization
- Personal Data collection is limited to what is necessary for the purposes of Processing.
- QR code scan analytics are collected on an anonymized or pseudonymized basis.
- Personal Data is not used for purposes beyond those described in this DPA and the Agreement.
B.6 Incident Response
- A documented incident response plan is maintained and reviewed periodically.
- Designated personnel are responsible for managing security incidents.
- Data Breach notification procedures are established in accordance with Article 9 of this DPA.
- Post-incident reviews are conducted to identify root causes and implement preventive measures.
B.7 Business Continuity and Disaster Recovery
- Regular automated backups of Personal Data are maintained by our infrastructure provider.
- Backups are encrypted.
- Recovery procedures are documented, with defined recovery time and recovery point objectives; recovery is tested on a periodic basis as the operation matures.
B.8 Personnel Security
- Everyone with access to Personal Data — currently the founder, and any contractor engaged — is bound by written confidentiality obligations.
- Access to Personal Data is limited to those who need it for their work (see Annex B.2).
- As PassportCraft adds personnel, it will introduce formal data-protection and security-awareness training and, where permitted by applicable law, background screening for personnel with access to production systems.
B.9 Physical Security
- Production infrastructure is hosted in data centers operated by Sub-processors that maintain physical security measures, including access controls, surveillance, and environmental protections.
- PassportCraft does not maintain on-premises servers or data centers.
B.10 Vendor Management
- Sub-processors are subject to due diligence assessments before engagement.
- Sub-processor agreements include data protection obligations no less protective than this DPA.
- Sub-processor compliance is reviewed periodically.
Annex C — Sub-processor List
Last updated: June 24, 2026
The following Sub-processors are authorized to Process Personal Data on behalf of the Customer:
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Vercel Inc. | Platform hosting, content delivery, and edge computing | United States | All platform data transmitted and served through the hosting infrastructure |
| Supabase Inc. | Database hosting, user authentication, and file storage | United States (company); customer data hosted in the EU (Ireland, AWS eu-west-1) | Account data, product data, supplier data, DPP content, and uploaded files |
| Stripe Inc. | Payment processing and subscription management | United States / Ireland | Customer billing contact information (name, email, payment-related identifiers) |
| Resend Inc. | Transactional and notification email delivery | United States | Names and email addresses of Customer team members receiving platform emails |
| Google LLC | Website and product analytics (Google Analytics 4); optional Google sign-in | United States | Pseudonymized usage data, device and session information, anonymized IP address; authentication identifiers for users choosing Google sign-in |
| OpenAI, L.L.C. | AI-assisted content features (sustainability-claim rewriting, care-symbol suggestions) | United States | Text submitted by Customer users to AI features; not used to train OpenAI's models by default |
| Microsoft Corporation | Optional Microsoft sign-in (Microsoft Entra ID) | United States / EU | Authentication identifiers (email, name) for users choosing Microsoft sign-in |
PassportCraft maintains an up-to-date version of this Sub-processor list at https://passportcraft.com/dpa#annex-c--sub-processor-list.
Changes to this list are subject to the notification and objection procedures set out in Article 6 of this DPA.
This Data Processing Agreement was last updated on June 24, 2026.