Data Processing Agreement
Effective date: 5 March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Traceable Digital ("Processor", "we", "us") and the entity agreeing to these terms ("Controller", "Customer", "you"). This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the Traceable Digital Product Passport platform ("Platform").
By using the Platform, the Controller instructs the Processor to process personal data as described in this DPA. This DPA supplements and is incorporated into the Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined herein shall have the meanings given to them in the GDPR or the Terms of Service, as applicable.
- Controller — The Customer entity that determines the purposes and means of the processing of personal data through the Platform, as defined in Article 4(7) GDPR.
- Processor — Traceable Digital, which processes personal data on behalf of the Controller in connection with the Platform, as defined in Article 4(8) GDPR.
- Personal Data — Any information relating to an identified or identifiable natural person ("data subject") that is processed by the Processor on behalf of the Controller through the Platform, as defined in Article 4(1) GDPR.
- Processing — Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction, as defined in Article 4(2) GDPR.
- Data Subject — An identified or identifiable natural person whose personal data is processed under this DPA, as defined in Article 4(1) GDPR.
- Sub-processor — Any third party engaged by the Processor to process personal data on behalf of the Controller in connection with the Platform.
- Standard Contractual Clauses (SCCs) — The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Article 46(2)(c) GDPR, as set out in Commission Implementing Decision (EU) 2021/914.
- Personal Data Breach — A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed, as defined in Article 4(12) GDPR.
- Supervisory Authority — An independent public authority established by an EU Member State pursuant to Article 51 GDPR.
- Data Protection Impact Assessment (DPIA) — An assessment of the impact of the envisaged processing operations on the protection of personal data, as described in Article 35 GDPR.
- Platform — The Traceable Digital Product Passport SaaS platform, including all related APIs, web applications, supplier portals, and AI document intelligence features.
- Digital Product Passport (DPP) — A structured set of product data created through the Platform in compliance with EU Battery Regulation 2023/1542 and/or ESPR Regulation 2024/1781.
2. Scope and Purpose of Processing
The Processor processes personal data on behalf of the Controller solely for the purpose of providing the Platform and related services, including:
- Enabling the Controller to create, manage, and publish Digital Product Passports in compliance with EU Battery Regulation 2023/1542 and ESPR Regulation 2024/1781.
- Processing product data uploaded by the Controller, including manufacturer details, product specifications, carbon footprint data, recycled content percentages, hazardous substance declarations, supply chain data, and test report data.
- Operating AI document intelligence features that process uploaded documents (test reports, certificates, declarations of conformity) to extract structured data fields using the Anthropic Claude API.
- Operating the supplier portal to collect data from third-party suppliers on behalf of the Controller.
- Publishing Digital Product Passports that are publicly accessible via QR codes, as mandated by the applicable EU regulations.
- Managing user accounts, authentication, and access control for the Controller and its authorised users.
- Sending transactional emails related to account management, supplier data requests, and platform notifications.
- Processing payments for Platform subscriptions.
The Processor shall not process personal data for any purpose other than those specified in this DPA and the Terms of Service, unless required to do so by European Union or Member State law to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Article 28(3)(a) GDPR).
3. Types of Personal Data Processed
The following categories of personal data may be processed by the Processor on behalf of the Controller:
3.1 User Account Data
- Full name
- Business email address
- Job title and role
- Telephone number (where provided)
- Authentication credentials (hashed passwords, session tokens)
- IP addresses and browser metadata for security and audit purposes
3.2 Economic Operator Contact Data
Personal data of natural persons named as economic operators in Digital Product Passports, as required by EU Battery Regulation 2023/1542 and ESPR 2024/1781:
- Names of manufacturer representatives and authorised representatives
- Business contact details (address, email, telephone)
- Role or function within the economic operator organisation
Note: Published Digital Product Passports containing economic operator contact data are publicly accessible via QR codes. This public accessibility is mandated by the applicable EU regulations and is not within the discretion of the Processor.
3.3 Supplier Contact Data
Personal data of individuals at third-party supplier organisations who interact with the supplier portal:
- Full name of supplier contact person
- Business email address
- Job title or function
- Organisation name and address
3.4 Document Content Data
Documents uploaded by the Controller for AI document intelligence processing (test reports, certificates, declarations of conformity) may incidentally contain personal data such as names, signatures, and contact details of individuals who authored or signed such documents.
4. Categories of Data Subjects
The data subjects whose personal data may be processed under this DPA include:
- Customer employees and authorised users — Individuals employed by or working on behalf of the Controller who have been granted access to the Platform.
- Supplier contacts — Individuals at third-party supplier organisations who are invited to the supplier portal by the Controller to provide supply chain data.
- Economic operators named in passports — Natural persons identified as economic operators (manufacturers, authorised representatives, importers) within Digital Product Passports, whose contact details are included as required by EU regulations.
- Document signatories — Individuals whose names, signatures, or contact details are contained in documents uploaded to the Platform for AI document intelligence processing.
5. Duration of Processing
The Processor shall process personal data for the duration of the Terms of Service between the Controller and the Processor, unless otherwise agreed in writing or required by applicable law.
Upon termination of the Terms of Service, the provisions of Section 11 (Term and Termination) of this DPA shall apply regarding the deletion or return of personal data.
Published Digital Product Passports may remain publicly accessible after termination if required by applicable EU regulations. The Controller is responsible for determining whether published passports must remain accessible to satisfy regulatory obligations.
6. Obligations of the Processor
The Processor shall comply with the following obligations in accordance with Article 28(3) GDPR:
6.1 Processing on Documented Instructions
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Controller's instructions are documented in this DPA, the Terms of Service, and through the Controller's use of the Platform features. The Controller may issue additional written instructions that are consistent with the terms of this DPA and the Terms of Service. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other European Union or Member State data protection provisions.
6.2 Confidentiality
The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of this DPA and the individual's engagement with the Processor.
The Processor shall ensure that access to personal data is limited to those personnel who require such access to perform the services under the Terms of Service, and that all such personnel have received appropriate training on data protection obligations.
6.3 Technical and Organisational Security Measures
The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. These measures are described in detail in Section 9 (Security Measures) of this DPA and include, at a minimum:
- Encryption of personal data at rest and in transit
- Role-based access controls and multi-factor authentication
- Comprehensive audit logging of all data access and modifications
- Regular backup procedures with encrypted backup storage
- Documented incident response procedures
- Regular testing and evaluation of the effectiveness of technical and organisational measures
6.4 Sub-processor Management
The Controller hereby grants the Processor general written authorisation to engage sub-processors for the processing of personal data in connection with the Platform. The Processor shall:
- Maintain a current list of sub-processors, including their names, registered addresses, and the nature of processing performed, which is published and kept up to date at /legal/subprocessors/.
- Notify the Controller in writing (by email to the address associated with the Controller's account) at least 30 days before adding or replacing any sub-processor, providing the Controller with sufficient information to enable the Controller to exercise its right to object.
- If the Controller objects to a new or replacement sub-processor on reasonable data protection grounds within 14 days of receiving notice, the Processor shall either not engage the sub-processor or offer the Controller the option to suspend or terminate the affected service without penalty.
- Impose the same data protection obligations as set out in this DPA on each sub-processor by way of a written contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR.
- Remain fully liable to the Controller for the performance of each sub-processor's obligations in accordance with Article 28(4) GDPR.
The current sub-processors are listed in Section 8 (International Transfers) and the full sub-processor list is maintained at:
https://traceable.digital/legal/subprocessors/
6.5 Assistance with Data Subject Rights
The Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR, including:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
If the Processor receives a request from a data subject directly, the Processor shall promptly redirect the data subject to the Controller and notify the Controller of the request without undue delay. The Processor shall not respond to a data subject request directly unless instructed to do so by the Controller or required to do so by applicable law.
The Controller acknowledges that personal data contained in published Digital Product Passports that is required by EU regulations (such as economic operator contact details) may not be subject to erasure under Article 17(3)(b) GDPR where processing is necessary for compliance with a legal obligation.
6.6 Assistance with Data Protection Impact Assessments
The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 35 and 36 GDPR, taking into account the nature of processing and the information available to the Processor. This assistance includes:
- Providing information necessary for the Controller to carry out Data Protection Impact Assessments in relation to the Controller's use of the Platform.
- Providing information necessary for the Controller to engage in prior consultation with a supervisory authority pursuant to Article 36 GDPR, where required.
6.7 Deletion or Return of Data
Upon termination of the Terms of Service, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies unless European Union or Member State law requires storage of the personal data. The Controller must communicate its choice in writing within the data export period specified in Section 11 (Term and Termination).
Where the Controller requests the return of personal data, the Processor shall provide the data in a structured, commonly used, and machine-readable format (JSON or CSV). Where the Controller requests deletion, the Processor shall provide written certification of deletion upon request.
6.8 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
The following conditions apply to audits:
- The Controller shall provide the Processor with at least 30 days' prior written notice of any audit, unless a shorter period is required by a supervisory authority.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
- The Controller (or its mandated auditor) shall be bound by confidentiality obligations with respect to any information obtained during the audit.
- Where the Processor engages an independent third-party auditor to conduct an audit of its processing activities (such as SOC 2 or ISO 27001), the Processor may satisfy the audit right by providing the Controller with a copy of the audit report, provided the report is no more than 12 months old.
- The Controller shall bear its own costs of any audit, unless the audit reveals a material breach of this DPA by the Processor.
7. Obligations of the Controller
The Controller warrants and undertakes that:
- It has a lawful basis for the processing of personal data as described in this DPA, including any necessary consent from data subjects or a legitimate interest assessment, as applicable.
- It has provided appropriate notice to data subjects regarding the processing of their personal data through the Platform, including the involvement of the Processor and any sub-processors.
- It has the right to transfer or provide access to the personal data to the Processor for processing in accordance with this DPA.
- Its instructions to the Processor regarding the processing of personal data comply with all applicable data protection laws, including the GDPR.
- It is responsible for determining the lawful basis for any personal data included in published Digital Product Passports that are publicly accessible, and for providing appropriate transparency notices to the relevant data subjects.
- It shall respond to data subject requests in accordance with the GDPR and shall promptly inform the Processor of any data subject requests that require the Processor's assistance.
- It shall ensure that all personal data provided to the Processor is accurate and up to date, and shall promptly notify the Processor of any corrections required.
- It shall implement appropriate security measures for any personal data under its control, including strong passwords and multi-factor authentication for Platform access.
8. International Transfers
The Controller's personal data is primarily hosted within the European Union. The Processor's primary infrastructure is hosted by Amazon Web Services (AWS) in the eu-west-1 region (Ireland).
Certain sub-processors are established outside the European Economic Area. Where personal data is transferred to a sub-processor in a third country, the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR. The current sub-processors and applicable transfer mechanisms are:
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting, database, storage, compute | EU (eu-west-1, Ireland) | Data remains within the EU |
| Cloudflare | Content delivery network, DDoS protection, web application firewall | Global (EU primary) | EU Adequacy Decision / SCCs |
| Anthropic | AI document intelligence processing (data extraction from uploaded documents) | United States | Standard Contractual Clauses (SCCs) |
| Resend | Transactional email delivery (account notifications, supplier data requests) | United States | Standard Contractual Clauses (SCCs) |
| Stripe | Payment processing for Platform subscriptions | United States | Standard Contractual Clauses (SCCs) |
For sub-processors located in the United States, the Processor has entered into Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with each sub-processor to provide appropriate safeguards for the transfer of personal data. The Processor has conducted transfer impact assessments for each third-country transfer and has implemented supplementary measures where necessary.
The Processor shall not transfer personal data to any third country or international organisation without appropriate safeguards in accordance with Chapter V of the GDPR, and shall promptly notify the Controller of any change in the location of processing.
9. Security Measures
The Processor implements and maintains the following technical and organisational measures pursuant to Article 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons:
9.1 Encryption
- All data in transit is encrypted using TLS 1.2 or higher.
- All data at rest is encrypted using AES-256 encryption, including database storage, file storage, and backups.
- Encryption keys are managed through AWS Key Management Service (KMS) with automatic key rotation.
9.2 Access Controls
- Role-based access control (RBAC) ensures that personnel access only the data necessary for their role.
- Multi-factor authentication (MFA) is required for all administrative access to production systems.
- Access to production databases is restricted to authorised operations personnel and requires VPN access with individual credentials.
- User access is reviewed quarterly and revoked promptly upon role change or termination of engagement.
- Principle of least privilege is applied across all systems and services.
9.3 Audit Logging
- All access to personal data is logged, including the identity of the accessor, the timestamp, and the nature of the access.
- All modifications to personal data are logged with before and after values.
- Audit logs are stored in tamper-resistant storage and retained for a minimum of 12 months.
- Logs are monitored for anomalous access patterns.
9.4 Backup and Recovery
- Automated daily backups of all databases and file storage.
- Backups are encrypted using AES-256 and stored in a geographically separate AWS availability zone within the eu-central-1 region.
- Backup restoration procedures are tested at least quarterly.
- Point-in-time recovery capability with a recovery point objective (RPO) of 24 hours.
9.5 Network Security
- Web application firewall (WAF) provided by Cloudflare to protect against common web application vulnerabilities.
- DDoS protection at the network and application layers.
- Network segmentation between production, staging, and development environments.
- Intrusion detection and prevention systems monitoring network traffic.
9.6 Incident Response
- Documented incident response plan with defined roles, responsibilities, and escalation procedures.
- Incident response team trained and available to respond to security incidents.
- Post-incident review conducted after every security incident with lessons learned documented and implemented.
9.7 Personnel Security
- All personnel with access to personal data are subject to confidentiality obligations.
- Security awareness training is provided to all personnel upon onboarding and annually thereafter.
- Access credentials are revoked immediately upon termination of engagement.
9.8 Vulnerability Management
- Regular vulnerability scanning of all production systems.
- Critical security patches applied within 48 hours of release.
- Dependencies monitored for known vulnerabilities with automated alerting.
- Secure software development lifecycle (SDLC) practices followed for all Platform code.
10. Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Controller. The Processor shall use best efforts to provide such notification within 72 hours of becoming aware of the breach, to enable the Controller to comply with its notification obligations under Article 33 GDPR.
The notification shall include, to the extent available at the time of notification:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
- The name and contact details of the Processor's data protection point of contact from whom further information can be obtained.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all information at the same time, the Processor shall provide the information in phases without further undue delay. The Processor shall document all personal data breaches, comprising the facts relating to the breach, its effects, and the remedial action taken, and shall make such documentation available to the Controller upon request.
The Processor shall cooperate with and assist the Controller in the investigation and remediation of any personal data breach, and in the Controller's compliance with its obligations under Articles 33 and 34 GDPR.
Data breach notifications shall be sent to the Controller's designated contact email address. The Controller may also contact the Processor's privacy team at privacy@traceable.digital.
11. Term and Termination
This DPA shall come into effect on the date the Controller first uses the Platform and shall continue in effect for the duration of the Terms of Service. This DPA shall automatically terminate upon termination of the Terms of Service, subject to the provisions below regarding data deletion or return.
11.1 Data Export Period
Upon termination of the Terms of Service, the Controller shall have a period of 30 calendar days ("Data Export Period") during which the Controller may export its data from the Platform. During the Data Export Period, the Controller shall have read-only access to its data and may download it in structured, commonly used, and machine-readable formats (JSON, CSV).
11.2 Deletion of Data
Upon expiry of the Data Export Period, the Processor shall delete all personal data processed on behalf of the Controller within 30 calendar days, unless:
- European Union or Member State law requires the Processor to retain certain personal data, in which case the Processor shall isolate and protect such data from any further processing except to the extent required by applicable law.
- Published Digital Product Passports must remain accessible to satisfy the Controller's regulatory obligations under EU Battery Regulation 2023/1542 or ESPR 2024/1781. The Controller is responsible for instructing the Processor regarding the continued publication or withdrawal of published passports.
Deletion includes all copies of personal data in production systems, backups, and logs, except where retention is required by applicable law. Backup copies shall be deleted in accordance with the Processor's standard backup rotation schedule, which shall not exceed 90 calendar days from the date of deletion from production systems.
11.3 Surviving Provisions
The provisions of this DPA relating to confidentiality (Section 6.2), audit rights (Section 6.8), data breach notification (Section 10), and liability shall survive the termination of this DPA.
12. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of Ireland, without regard to its conflict of laws provisions. The parties submit to the exclusive jurisdiction of the courts of Ireland for the resolution of any disputes arising out of or in connection with this DPA.
This choice of governing law is without prejudice to the mandatory provisions of the GDPR or any other applicable data protection legislation, which shall apply regardless of the governing law chosen by the parties.
13. Amendments
The Processor may update this DPA from time to time to reflect changes in its processing activities, sub-processors, or applicable law. The Processor shall notify the Controller of any material changes to this DPA at least 30 days before the changes take effect. Continued use of the Platform after the effective date of such changes constitutes acceptance of the updated DPA.
14. Contact
For questions, requests, or complaints regarding this DPA or the processing of personal data:
- Privacy enquiries: privacy@traceable.digital
- Legal enquiries: legal@traceable.digital
Traceable Digital
EU Hosted — Ireland (AWS eu-west-1)