Security
Last updated: June 19, 2026
Operator: PassportCraft LLC, 418 Broadway, Ste N, Albany, NY 12207, USA
Security contact: security@passportcraft.com
We take the security of your data seriously. This page summarizes the technical and organizational measures we use to protect the PassportCraft platform. These measures are also reflected in Annex B of our Data Processing Agreement and are reviewed on an ongoing basis.
Encryption
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256 (or equivalent) by our infrastructure providers.
- Database connections are encrypted.
Data hosting and residency
- Customer account and Digital Product Passport data is hosted in the EU (Ireland, AWS region eu-west-1) via our database provider's EU infrastructure.
- The platform runs on professionally managed cloud infrastructure (Vercel and Supabase); we do not operate on-premises servers. See our Sub-processor list for the providers involved and their safeguards.
Access control
- Role-based access control and row-level security are enforced in the application.
- Access to production systems by PassportCraft personnel requires multi-factor authentication and is limited to those who need it; access is reviewed periodically.
- For account sign-in, we support email/password as well as Google and Microsoft single sign-on, so you can apply your identity provider's own multi-factor protections.
Personnel security
- Anyone who has access to customer data — whether founder or contractor — is bound by written confidentiality obligations.
- Background screening is conducted for personnel with access to production systems, where permitted by applicable law.
- Personnel receive data protection, security, and secure-development awareness guidance appropriate to their access.
- Access to customer data is granted on a need-to-know, least-privilege basis (see also the Access control measures above).
These measures are set out as binding obligations in Annex B.8 of our Data Processing Agreement and are scaled to our size as an early-stage company.
Application and network security
- We follow secure development practices, including code review and automated testing.
- Dependencies are monitored for known vulnerabilities and updated promptly.
- Input validation and output encoding are used to mitigate common web vulnerabilities.
- Infrastructure is hosted in providers' secure, access-controlled data centers.
- We perform regular internal security testing, and every change we ship passes through automated dependency and vulnerability monitoring. This is complemented by the provider-level vulnerability scanning and intrusion detection and prevention described in Annex B of our Data Processing Agreement. We have not yet commissioned a formal independent third-party penetration test; this is on our roadmap as we scale.
Logging and monitoring
- Security-relevant application and infrastructure events are logged.
- Activity is monitored for anomalies, including through the intrusion detection and prevention operated by our infrastructure providers, who also perform regular vulnerability scanning of their platforms.
- Logs are access-restricted and are used to support incident detection and investigation. Further detail is set out in Annex B of our Data Processing Agreement.
Backups and continuity
- Customer data is backed up on a regular, automated basis by our database provider.
- Recovery procedures are documented, with defined recovery objectives.
Availability
- The platform runs on resilient, professionally managed cloud infrastructure (Vercel and Supabase) rather than on-premises servers, which we rely on for redundancy and capacity.
- We do not offer a binding uptime service-level agreement; the Service is provided on an "as is" and "as available" basis. We use commercially reasonable efforts to keep the platform available and give advance notice of planned maintenance where practicable, as described in our Terms of Service.
- We communicate service-affecting incidents to customers by email and through the application.
AI features and data
- When you use an AI-assisted feature, the input you provide is transmitted to our AI sub-processor (OpenAI) solely to generate the requested suggestion. OpenAI is listed on our Sub-processor list.
- Customer data submitted through these features is not used to train or fine-tune AI models; OpenAI's API does not use such data for training by default.
- The AI features do not perform automated profiling or decision-making, and special-category personal data must not be submitted to them.
- AI output is assistive only and is intended to be reviewed by you before use. Full details are set out in Article 5.9 of our Data Processing Agreement.
Incident response and breach notification
- We maintain an incident-response process and, acting as a processor, will notify affected customers without undue delay and, where feasible, within 72 hours of becoming aware of a personal-data breach affecting their data, as set out in Article 9 of our Data Processing Agreement.
Vulnerability disclosure
If you believe you have found a security vulnerability, please report it to security@passportcraft.com. We welcome good-faith reports and will acknowledge them. Please do not access or modify data that is not yours, and give us a reasonable opportunity to remediate before any public disclosure.
Certifications
PassportCraft is an early-stage company and does not yet hold SOC 2 or ISO 27001 certification. Formal third-party certification is on our roadmap. We are happy to answer security questionnaires and share details of our practices — contact security@passportcraft.com.
Your responsibilities
Security is a shared responsibility. While we secure the platform, you are responsible for:
- Keeping your account credentials confidential and managing your own users and roles.
- Enabling the multi-factor and single sign-on protections available to you through your identity provider.
- The lawfulness and accuracy of the data you upload or publish, including obtaining any necessary consents and not submitting special-category data through AI features.
These responsibilities are described further in Article 4 of our Data Processing Agreement.
Data ownership, retention, and deletion
- You retain ownership of and all rights in the content and data you put into the platform. For personal data, PassportCraft acts only as a processor on your documented instructions; you remain the controller.
- You can export your passport and account data at any time in machine-readable formats.
- On termination, there is a 30-day window during which you can export your data. After that window, your data is deleted from our active systems and from our sub-processors within 30 days, and residual copies in encrypted backups are overwritten through the normal backup rotation cycle, which does not exceed 90 days, subject to any retention required by law.
These commitments are binding and are set out in Article 11 of our Data Processing Agreement and Section 13 of our Terms of Service.
This page is provided for information only, describes our practices as of the date above, and may change as our platform evolves. It does not create contractual commitments; our binding security obligations are set out in our Data Processing Agreement (Annex B) and our Terms of Service.