PASSR DATA PROCESSING AGREEMENT
Pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR) Last updated: June 2026 Version: 1.0
Preamble
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between:
Data Controller: The Customer (the outdoor or activewear brand using the Passr platform), hereinafter “Controller”
Data Processor: Passr / Hisako Technologies OÜ, operating the Passr platform at app.passr.eu, hereinafter “Processor”
This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Processor’s provision of the Passr platform service (“Service”).
This DPA is incorporated into and forms part of the Terms of Service. In case of conflict between this DPA and the Terms of Service regarding data processing matters, this DPA shall prevail.
Article 1 — Definitions
For the purpose of this DPA:
“Personal Data” means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
“Processing” means any operation performed on personal data as defined in GDPR Article 4(2).
“Data Subject” means the identified or identifiable natural person to whom the personal data relates.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
“Sub-processor” means any third party engaged by the Processor to process personal data on behalf of the Controller.
“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Article 2 — Subject Matter, Duration, and Nature of Processing
2.1 Subject Matter: The Processor processes personal data on behalf of the Controller solely for the purpose of providing the Passr platform service as described in the Terms of Service.
2.2 Duration: The Processor shall process personal data for the duration of the Controller’s active subscription to the Service. Upon termination, the Processor shall cease processing and delete data as described in Article 8.
2.3 Nature of Processing: The Processor performs the following types of processing:
- Storage of personal data in EU-region database infrastructure
- Retrieval and display of personal data within the platform interface
- Transmission of personal data to authorised team members of the Controller
- Generation of exports and archives containing personal data upon Controller’s instruction
- Automated monitoring and alerting based on personal data (certificate expiry alerts)
2.4 Processing is on Controller’s Instructions Only: The Processor shall process personal data only on documented instructions from the Controller (which includes use of the platform features as intended) and shall not process personal data for any other purpose. If the Processor is required by EU or Member State law to process data beyond the Controller’s instructions, the Processor shall inform the Controller before processing unless prohibited by law.
Article 3 — Categories of Personal Data and Data Subjects
3.1 Categories of Data Subjects:
| Category | Description |
|---|---|
| Brand admin users | Individuals who create and manage the brand account |
| Brand team members | Individuals invited to the brand account as Editors or Viewers |
| Consumers (scan events only) | Members of the public who scan Digital Product Passport QR codes |
3.2 Categories of Personal Data:
| Data Subject Category | Personal Data Categories |
|---|---|
| Brand admin users | Name (if provided), email address, login timestamps, IP address (login only) |
| Brand team members | Email address, role, invitation timestamp |
| Consumers | Derived country from IP address (country-level only), device type, scan timestamp (no IP address stored) |
3.3 Special Category Data: The Processor does not intentionally process special category personal data as defined in GDPR Article 9. The Controller should not upload documents containing special category personal data about individuals. If such data is inadvertently included in uploaded documents, it is processed solely for storage purposes and the Processor has no visibility into the document contents.
Article 4 — Obligations of the Processor
4.1 Confidentiality: The Processor shall ensure that all personnel authorised to process the Controller’s personal data are bound by appropriate confidentiality obligations.
4.2 Security: The Processor shall implement and maintain the technical and organisational security measures described in Article 5 of this DPA.
4.3 Sub-processing: The Processor shall not engage a new sub-processor without informing the Controller at least 30 days in advance. The Controller may object to a new sub-processor within 14 days. If the Controller objects and the Processor cannot accommodate the objection, the Controller may terminate the Service with a full refund of unused subscription fees for the current month.
4.4 Data Subject Rights: Upon receiving a request from a data subject exercising their GDPR rights, the Processor shall notify the Controller within 72 hours. The Processor shall provide reasonable assistance to enable the Controller to respond to such requests. Where requests can be fulfilled directly by the Processor (such as data deletion or export), the Processor shall do so upon written instruction from the Controller.
4.5 Security Assistance: The Processor shall assist the Controller in ensuring compliance with the security obligations in GDPR Articles 32-36, taking into account the nature of the processing and the information available to the Processor.
4.6 Deletion or Return of Data: Upon termination of the Service, the Processor shall, at the Controller’s choice, delete or return all personal data and delete existing copies, unless EU or Member State law requires retention. See Article 8 for detailed deletion procedures.
4.7 Audit Rights: The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in GDPR Article 28. The Processor shall allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, with reasonable advance notice (minimum 30 days). The Controller agrees that such audits shall not unreasonably disrupt the Processor’s operations and shall be conducted during normal business hours.
Article 5 — Technical and Organisational Measures
The Processor implements and maintains the following technical and organisational measures to ensure a level of security appropriate to the risk:
5.1 Encryption:
- Data in transit: All communications between the platform and users are encrypted using Transport Layer Security (TLS) version 1.3 or higher
- Data at rest: All database content is encrypted at rest using AES-256 encryption managed by Supabase
- File storage: All uploaded files (lab reports, certificates) are encrypted at rest
5.2 Access Control:
- Row-level security (RLS) policies at the database level ensure that each Controller can only access their own data
- Role-based access control within the platform (Admin, Editor, Viewer roles)
- All internal Processor access to production data is restricted to essential personnel
- Multi-factor authentication is required for all Processor personnel accessing production systems
5.3 Authentication:
- User sessions use short-lived JSON Web Tokens (1-hour expiry)
- Tokens are stored in httpOnly cookies not accessible to JavaScript
- Automatic session refresh without requiring re-authentication
- Rate limiting on all authentication endpoints (10 attempts per 15 minutes per IP)
5.4 Data Minimisation:
- Passport scan events record only derived country (not IP address), device type, and timestamp
- No personal data of consumers is stored beyond what is necessary for analytics reporting
5.5 Availability and Resilience:
- The platform is hosted on Vercel’s global edge network with automatic failover
- Database data is backed up daily by Supabase with point-in-time recovery
- Uploaded files are stored with redundancy in Supabase Storage (EU region)
5.6 Incident Detection and Response:
- Error monitoring via Sentry (EU region) detects anomalies in real time
- Incident response procedure: detection → containment → assessment → notification → remediation → review
- Security incidents affecting personal data are assessed within 24 hours of detection
5.7 Vendor Management:
- All sub-processors are assessed for GDPR compliance before engagement
- Data Processing Agreements are in place with all sub-processors
- Sub-processor list is maintained and updated (see Article 6)
Article 6 — Authorised Sub-Processors
The Controller hereby grants general authorisation for the Processor to engage the following sub-processors:
| Sub-processor | Country | Service | Data Categories Processed | GDPR Mechanism |
|---|---|---|---|---|
| Supabase Inc. | USA (data in EU-Frankfurt) | Database, authentication, file storage | All personal data categories | Standard Contractual Clauses + EU data residency |
| Vercel Inc. | USA (EU region available) | Application hosting, CDN | Request metadata, session data | Standard Contractual Clauses |
| Resend Inc. | USA | Transactional email | Email addresses, email content | Standard Contractual Clauses |
| Dodo Payments | — | Payment processing | Billing contact information | Their own GDPR compliance |
| Sentry | USA (EU region) | Error monitoring | Anonymised error logs, technical data | Standard Contractual Clauses + EU data residency |
| Posthog | EU Cloud | Product analytics | Feature usage events, device type | EU data residency |
The Processor shall:
- Notify the Controller at least 30 days before adding or replacing sub-processors
- Impose equivalent data protection obligations on all sub-processors
- Remain liable to the Controller for any failure of a sub-processor to fulfil their data protection obligations
Article 7 — International Data Transfers
7.1 Some sub-processors listed in Article 6 are based in or transfer data to countries outside the European Economic Area (EEA).
7.2 For all transfers of personal data outside the EEA, the Processor relies on one or more of the following transfer mechanisms:
- Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to GDPR Article 46(2)(c)
- An adequacy decision by the European Commission pursuant to GDPR Article 45
- EU-region data residency configuration that keeps personal data within the EEA
7.3 The Processor shall maintain records of all international transfers and the transfer mechanisms relied upon, and shall make these available to the Controller upon request.
Article 8 — Data Deletion and Return
8.1 Upon termination of the Controller’s subscription:
- The Controller retains the ability to download their complete data archive for 30 days following termination
- After the 30-day window, the Processor shall permanently delete all personal data belonging to the Controller, including backup copies, within a further 30 days (total 60 days from termination)
- The Processor shall provide written confirmation of deletion upon the Controller’s request
8.2 During the active subscription, the Controller may:
- Delete individual products, materials, certificates, or other data records at any time via the platform interface. Such deletions are permanent and immediate.
- Delete their entire account via Settings → Brand Profile → Delete Account. Account deletion initiates permanent deletion of all data within 30 days.
8.3 The Processor shall retain certain data beyond the deletion period where required by law:
- Invoice and billing records: 7 years (tax law)
- Security incident logs: 3 years (legitimate interest for security management)
Article 9 — Security Incident Notification
9.1 In the event of a Security Incident involving the Controller’s personal data, the Processor shall:
- Notify the Controller without undue delay and within 72 hours of becoming aware of the incident
- Provide the following information (or as much as is available at the time):
- Nature of the incident and categories and approximate number of data subjects affected
- Categories and approximate number of personal data records affected
- Name and contact details of the data protection contact point
- Likely consequences of the incident
- Measures taken or proposed to address the incident, including mitigation measures
9.2 Security incident notifications shall be sent to the email address associated with the Controller’s Admin account and to legal@passr.eu.
9.3 The Processor shall cooperate fully with the Controller in managing the response to a Security Incident.
Article 10 — Liability
10.1 Each party shall be liable to the other party for damages caused by any breach of the obligations under this DPA.
10.2 The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service.
10.3 Where both parties are responsible for damage caused by a processing operation, both parties shall be held liable for the entire damage unless they can prove that they are not responsible for the part of the damage that caused the harm.
Article 11 — Execution
This DPA is incorporated into and forms part of the Terms of Service accepted by the Controller upon account creation.
For Controllers who require a separately executed DPA (for example, for enterprise procurement requirements):
Email legal@passr.eu with:
- Your company name
- VAT number
- Name and title of the authorised signatory
- Preferred signature method (digital or wet signature)
We will return a countersigned copy within 5 business days.
Article 12 — Governing Law
This DPA is governed by the laws applicable to the Terms of Service as stated therein, except where GDPR provides mandatory rules that cannot be derogated from by contract, in which case those mandatory rules shall apply.