Built to protect compliance data.
Passr handles sensitive product and supply chain data on behalf of outdoor brands. This page documents how that data is stored, protected, and accessed — and how to report a security concern.
Last updated: June 2026
Infrastructure
Hosting & delivery
The Passr platform, including the application dashboard (app.passr.eu), marketing site, and API endpoints, is hosted on Vercel's global edge network. Static pages are prerendered and served from edge locations. Dynamic API endpoints and platform serverless routes run on Node.js.
Database & storage
Application data is stored in PostgreSQL hosted on Supabase. Row-Level Security (RLS) policies enforce strict multi-tenant data isolation at the database level — each brand's data is isolated by brand_id and inaccessible to other tenants. File assets are stored in Supabase Storage across two buckets: a public bucket for passport assets and a private vault bucket for sensitive supply chain records.
Email infrastructure
Transactional emails — including waitlist confirmations, contact form routing, and platform notifications — are sent via Resend through the verified domain notify.passr.eu.
Error monitoring
The Passr platform uses Sentry for real-time crash reporting and error telemetry. Analytics on passr.eu are handled by Plausible Analytics — a privacy-focused, cookieless analytics provider with no cross-site tracking.
Data handling
Data is encrypted at rest and in transit using industry-standard encryption. All connections to the Passr platform are served over HTTPS.
Access to brand data within the Passr platform is controlled at the database level through Row-Level Security policies. No brand can access another brand's products, passports, suppliers, or certificates. Platform administrators access production data only when required for support, and all such access is logged.
Passr is designed for EU data residency. Database infrastructure is operated within the EU on Supabase. Passr is registered in Estonia as Hisako Technologies OÜ and operates under EU GDPR obligations. A full Data Processing Agreement is available at passr.eu/legal/dpa.
Passr uses the following third-party sub-processors to deliver the platform: Vercel (hosting and serverless functions), Supabase (database and storage), Resend (transactional email), Dodo Payments (subscription billing), Sentry (error monitoring), and Plausible Analytics (privacy-focused web analytics). Each processor is contractually bound to handle data in accordance with GDPR requirements.
Authentication
Passr uses passwordless authentication as the primary login method. Users authenticate via a magic link sent to their verified email address — no passwords are stored. Google OAuth is supported as a secondary authentication method.
Sessions are managed server-side. The platform does not store authentication credentials in client-accessible storage. All authenticated routes are protected by server-side session validation on every request.
Payments
Subscription billing is handled by Dodo Payments. Passr does not store, process, or transmit payment card data. All payment information is handled directly by Dodo Payments and is subject to their PCI-DSS compliance controls. Passr receives only subscription status and billing metadata.
Responsible disclosure
If you discover a security vulnerability in Passr — including the marketing site, the platform, or the public passport pages — we ask that you report it to us privately before any public disclosure. We take all security reports seriously and will respond promptly.
We do not currently operate a formal bug bounty programme, but we will acknowledge and act on legitimate reports. We ask that researchers act in good faith, avoid accessing or modifying data that is not their own, and give us reasonable time to investigate and remediate before disclosure.
Report a security issue
Email our security contact directly. Please include a description of the issue, steps to reproduce, and any relevant technical detail.
privacy@passr.eu
For general enquiries, use hello@passr.eu or the contact form.