---
title: Trust & security — what we run, where we run it
description: "Procurement reference: EU data residency, sub-processor register with DPA links, security, liability, GS1 Digital Link / Schema.org / CIRPASS conformance."
canonical: "https://www.tracepass.eu/trust"
locale: en
source: "https://www.tracepass.eu/trust"
---

# Trust & security — what we run, where we run it

> Procurement reference: EU data residency, sub-processor register with DPA links, security, liability, GS1 Digital Link / Schema.org / CIRPASS conformance.

Procurement-grade reference for data residency, sub-processor disclosures, security posture, liability, and interoperability conformance. Items not yet in place are flagged so readers see what's done versus what's in flight — the buyer's guide cites this page as the single source of truth for both.

## Overview

TracePass is a Bulgarian-registered company building a Digital Product Passport platform for EU compliance. We process customer product data on EU infrastructure with documented sub-processors. The customer is the data controller; TracePass is the processor.

This page is the single procurement reference for our data path, security controls, liability terms, and interoperability conformance. Updated on every meaningful change; see the date stamp at the foot.

## Data residency

Production data resides on EU infrastructure. The application back-end runs on Hetzner Falkenstein; the marketing front-end on Vercel EU edge regions; the primary database is self-hosted MongoDB on the same Hetzner Falkenstein server; file storage on Cloudflare R2 EU regions.

AI processing for category extraction and translations is invoked on customer demand only and runs at Anthropic under the DPA listed in the sub-processor register below. Because Anthropic processes in the United States, those on-demand calls move the submitted fields outside EU infrastructure; the register records this, together with the US fallback region for transactional email. No customer data is shared with third parties outside the documented sub-processor list.

- Application back-end: Hetzner CX22, Falkenstein, Germany
- Marketing front-end: Vercel EU edge regions
- Primary database: Self-hosted MongoDB 7, Hetzner Falkenstein, Germany
- File storage: Cloudflare R2, EU regions

## Security posture

Default-secure infrastructure choices plus application-level controls. Encryption at rest covers file storage today; volume-level encryption for the self-hosted database is still being rolled out (detail below). TLS 1.3 is enforced for all customer traffic. Identity is custom JWT + bcrypt + single-use refresh-token rotation; access controls are role-based (owner, admin, editor, viewer) with rate limiting on every authentication path.

- Encryption at rest: File storage (Cloudflare R2) — AES-256. Application database — volume-level disk encryption on the self-hosted MongoDB server is being rolled out; until it lands, database data at rest is not encrypted at the volume level (its daily backups already go to an encrypted bucket, see below).
- Encryption in transit: TLS 1.3
- Authentication: JWT access token (HS256, 15 min) + refresh-token rotation (30 d, single-use, max 5 per user). HS256 is a symmetric MAC, so any component that verifies access tokens must hold the same signing secret.
- Role-based access control: owner > admin > editor > viewer; per-route enforcement
- Rate limiting: Login (5/15min/IP), registration (5/min/IP), file upload (60/min/company), v1 API (per plan)
- Database backups: Daily automated logical backup to an encrypted EU bucket (Cloudflare R2), 7-day retention, stored off the database server
- Audit logs: Every passport edit recorded with timestamp, actor, and field-level diff; surfaced in the dashboard timeline
- Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- ISO 27001 certification: Not yet held. The controls above (encryption, access control, backups, audit logging) are the substance an ISO 27001 ISMS formalises, but no certificate has been issued and no audit is in progress. We will pursue certification when enterprise customer demand justifies the audit cost; we won't claim it before a certificate exists. Ask us for the current control documentation in the meantime.
- SOC 2 report: Not yet held, no audit window scheduled. SOC 2 (Type II in particular) requires an observation period a company of our age and stage has not yet run. Same honesty rule as ISO 27001: we will not represent a SOC 2 report until an auditor has issued one. EU customers are typically served first by our EU data residency + GDPR processor terms, which are documented above and in the DPA.

## Liability & insurance

Standard liability cap is 12× monthly fees. Enterprise customers can negotiate a 24× rider for higher exposure profiles. Indemnification carve-outs cover third-party intellectual-property claims and regulatory penalties traceable to vendor error.

Errors & Omissions (E&O) insurance is in progress — quote in flight, expected to close shortly. Cap will be published here once the policy binds.

- Standard liability cap: 12× monthly fees
- Enterprise rider: 24× monthly fees, available on Enterprise contracts
- E&O insurance: Quote in flight; cap will be published here once policy binds
- [Master Services Agreement](/terms): Substantive clauses live in our public Terms of Service (§10 cancellation + 30-day resolver grace, §11 split SLA, §12 customer-as-controller, §13 source-code escrow on Enterprise). Enterprise customers can negotiate addenda (custom SLA, liability rider, escrow triggers) on top of the standard ToS.

## Interoperability conformance

Conformance against published interoperability standards — what's tested, what's documented, what's still pending. "We follow the spec" is not a conformance claim; published test results and documented field-level alignment are.

- GS1 Digital Link conformance: Functional resolver behaviour self-tested against the GS1 Digital Link v2.0 spec — service-description endpoint, GTIN/serial path resolution, JSON-LD content negotiation, linkset+json output, Vary headers, 404 on unknown URLs. Reproducible script ships at scripts/gs1-conformance-check.ts (committed to the platform repo); customers and auditors can run it against any TracePass-hosted resolver. External test against GS1's hosted reference suite is scheduled separately.
- Schema.org JSON-LD: Emitted on every public page (home, category, resources, regulatory matrices, buyer's guide). Validated against Google Rich Results Test.
- JSON-LD content negotiation on passport URLs: Public passport URLs return application/ld+json when the request Accept header explicitly prefers it; HTML otherwise. Same URL contract — no separate endpoint to discover. Implemented via Next.js middleware rewriting to a JSON-LD route handler that serves the same payload as the embedded <script> tag.
- CIRPASS vocabulary alignment: Per-template field-level alignment documented; gaps named explicitly with target version.
- GS1 GLN structural support — multi-role economic operators: Every passport carries a structural parties block keyed by economic-operator role (manufacturer / importer / authorised representative / distributor / recycler / producer-responsibility organisation). GLNs are validated 13-digit GS1 identifiers (mod-10 check digit) and emitted in both gs1:partyGLN (GS1 Web Vocabulary) and schema:identifier propertyID GS1:GLN (schema.org mirror). Per-category required-role enforcement matches each regulation (Battery 2023/1542 Articles 47–50: manufacturer + recycler + PRO; PPWR 2025/40 Article 11: manufacturer + PRO; Toy Safety Article 4: manufacturer + importer for non-EU). Suppliers without a GLN can record a legacyOperatorId (VAT / EORI / national tax ID) instead — every party stays traceable. Available via dashboard editor, v1 API (PATCH /api/v1/passports/:id/parties/:role), and CSV bulk import (dotted-key columns).
- [Public OpenAPI 3.1 specification](/docs): Hand-written OpenAPI 3.1 spec covering every v1 REST endpoint (23 paths, 27 operations across passports, products, exports, EPCIS). Published at /openapi.yaml with a JSON mirror at /openapi.json — no NDA, no signup wall. Drops directly into Postman / Insomnia / Bruno or any openapi-generator client target. Worked examples in curl / TypeScript / Python live alongside each endpoint at /docs. Read-and-write coverage is symmetrical with the dashboard — anything you can do in the UI you can drive through the API.
- [GS1 EPCIS 2.0 — supply-chain event export, capture and query](/docs/epcis): Full GS1 EPCIS 2.0 — export, capture and query — included on every paid plan. Any passport's supply-chain, service, and ownership events serialise as a standards-valid EPCIS 2.0 JSON-LD document, advertised on the GS1 Digital Link resolver as the gs1:traceability linkType, so an EPCIS-aware system that scans the QR discovers the event history without prior knowledge of the URL. Production steps that GS1's Core Business Vocabulary doesn't define (smelting, rolling, finishing) use TracePass-owned vocabulary URIs under tracepass.eu/voc/cbv/bizstep/ — the GS1-sanctioned industry-extension pattern — each resolving to its own published definition. Capture accepts events POSTed by suppliers and ERP systems, and the AI agent drafts events from datasheets for human review; query proxies to a self-hosted OpenEPCIS node that implements the EPCIS 2.0 Query interface in full. Volume meter scales by tier (1,000 events/mo on Basic up to 10,000,000 on Pro, unlimited on Enterprise; Free gets 10 as an evaluation guardrail). A reproducible self-test ships at scripts/epcis-conformance-check.ts. EPCIS is the recommended traceability vehicle for ESPR Article 5(5)(o).
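The JSON-LD negotiation item above turns on what "explicitly prefers" means once q-values and wildcards enter the Accept header: a browser's `*/*;q=0.8` must not trigger JSON-LD, and a tie must not either. The block below is an added example, not TracePass code, showing one reading of that rule together with the `Vary: Accept` header the resolver item lists; the sample payload, the HTML shell and the two-variant choice (linkset output is not covered) are this example's constructions.

```typescript
// Added example, not TracePass code: Accept-header negotiation for a passport
// URL that serves HTML by default and JSON-LD only on an explicit preference.
export type Variant = "text/html" | "application/ld+json";

type AcceptEntry = { type: string; q: number };

/** Parse an Accept header into media-range / q-value pairs (RFC 9110 section 12.5.1). */
export function parseAccept(accept: string | undefined): AcceptEntry[] {
  if (!accept) return [];
  const out: AcceptEntry[] = [];
  for (const part of accept.split(",")) {
    const [range, ...params] = part.split(";").map((s) => s.trim().toLowerCase());
    if (!range) continue;
    let q = 1;
    for (const p of params) {
      const [k, v] = p.split("=");
      if (k === "q") {
        const n = Number(v);
        q = Number.isFinite(n) ? Math.min(1, Math.max(0, n)) : 0;
      }
    }
    out.push({ type: range, q });
  }
  return out;
}

/** q-value the client assigns to `type`, honouring type/* and star/star wildcards. */
function qFor(entries: AcceptEntry[], type: string): number {
  const major = type.split("/")[0];
  for (const candidate of [type, `${major}/*`, "*/*"]) {
    const hit = entries.find((e) => e.type === candidate);
    if (hit) return hit.q;
  }
  return 0;
}

/**
 * HTML wins unless the client names application/ld+json explicitly (a wildcard
 * match does not count) with a q-value strictly above what it gives HTML.
 * A tie therefore falls back to HTML, which is what "explicitly prefers" demands.
 */
export function chooseVariant(accept: string | undefined): Variant {
  const entries = parseAccept(accept);
  const jsonLd = entries.find((e) => e.type === "application/ld+json");
  const htmlQ = qFor(entries, "text/html");
  return jsonLd && jsonLd.q > 0 && jsonLd.q > htmlQ ? "application/ld+json" : "text/html";
}

// Constructed sample payload; a real page embeds the passport's own data.
const PASSPORT_JSON_LD = {
  "@context": "https://schema.org",
  "@type": "Product",
  gtin: "04006381333931",
  name: "Example product",
};

/** Build the response for a passport URL; both variants carry the same payload. */
export function respond(accept: string | undefined) {
  const variant = chooseVariant(accept);
  const json = JSON.stringify(PASSPORT_JSON_LD);
  // Inside a <script> tag the JSON must not be able to close the tag: escape "<"
  // so a product name containing "</script>" cannot break out into markup.
  const embedded = json.replace(/</g, "\\u003c");
  const body =
    variant === "application/ld+json"
      ? json
      : `<!doctype html><html><head><script type="application/ld+json">${embedded}</script></head><body>Example product</body></html>`;
  return {
    status: 200,
    // Vary: Accept tells caches and the CDN edge that this URL has two
    // representations, so a cached JSON-LD body is never handed to a browser.
    headers: { "Content-Type": variant, Vary: "Accept" },
    body,
  };
}
```

Two checks worth running against any resolver that claims this behaviour: a stock browser Accept header must yield HTML, and `Accept: application/ld+json;q=0` must not yield JSON-LD, since q=0 means "not acceptable".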

## EU DPP ecosystem participation

Memberships and ecosystem affiliations that anchor TracePass in the EU Digital Product Passport infrastructure. There is no official EU "approved DPP vendor" registry today — the EU Central DPP Registry is scheduled to go live 19 July 2026 alongside ESPR full application, and the technical specification for vendor integration is still being published in tranches. Until then, the legitimate signals are: GS1 (the identifier-allocation authority), CIRPASS / CIRPASS-2 (the EU-funded coordination action preparing the registry), and the Battery Pass project (industry consortium for the 2027 battery-passport deadline).

We list each affiliation honestly: in-place means the membership / participation is active and verifiable; in-progress means we've applied and are waiting on confirmation; pending means we plan to apply but haven't started. Procurement buyers should treat "pending" the same way they treat any roadmap claim — a stated intent, not a delivered result.

- [GS1 Bulgaria — national GS1 member organisation](https://gs1bg.org/): GS1 is the global standards organisation that allocates GTINs and maintains the GS1 Digital Link URI shape that every TracePass passport QR code uses (/p/01/<GTIN>/21/<serial>). Becoming a GS1 Bulgaria member is the legitimate path to allocating real GTIN ranges for our customers' products at scale, and grants reciprocal access to GS1 Germany / GS1 Italy / etc. when operating across the EU. Application pending.
- [CIRPASS-2 — EU-funded Coordination and Support Action](https://cirpass2.eu/): CIRPASS-2 is the EU Horizon-funded coordination action preparing the technical infrastructure, governance framework, and pilot deployments for the EU Digital Product Passport ecosystem. TracePass applied 2026-05-16 for both the Stakeholder Community (newsletter, events, public consultations) and the Community of Practice (CoP) — the active engagement tier reserved for DPP service providers and PLM/ERP/PIM software vendors. CoP membership requires ~5-10 person-days/year, a signed MoU with the project coordinator (CEA), and contribution to the upcoming DPP Stakeholder Exchange Forum. Subject to CIRPASS-2 evaluation procedure.
- [CIRPASS-2 DPP Stakeholder Exchange Forum — circular-data.org](https://circular-data.org/o/892486cd-c05d-4c74-97ca-c18e70bfb934): circular-data.org is the CIRPASS-2 DPP Stakeholder Exchange Forum — the matchmaking and knowledge-exchange platform (hosted by Ekodenge on Clusterly) that connects DPP solution providers, manufacturers, and standards bodies across the EU. TracePass registered its organisation profile in May 2026 as an SME DPP-as-a-Service provider; the profile was reviewed, approved, and is publicly listed. This is a distinct registration from CIRPASS-2 Stakeholder Community and Community of Practice membership, which are evaluated separately.
- [Battery Pass project — industry consortium](https://thebatterypass.eu/): BMWK-funded German industry consortium publishing content guidance and reference architecture for the EU Battery Passport (mandatory February 2027 under Regulation (EU) 2023/1542). Member network includes VDMA, Audi, BASF, Circulor and others. Relevant primarily when our customer mix includes EV / industrial / LMT battery manufacturers. Engagement pending — will outreach when our battery-category customer pipeline justifies the membership fees.
- EU Central DPP Registry integration: The EU Central DPP Registry is scheduled to go live 19 July 2026 alongside the full application of ESPR (Regulation (EU) 2024/1781). It will at minimum hold a list of unique product identifiers and data carrier URLs to enable cross-border passport resolution. TracePass will integrate as a service provider on behalf of customers — writing UPIs and resolver URLs to the registry. The technical API specification has not yet been published; integration work is gated on that publication. Watch the European Commission's DPP page for the spec release.
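The GLN validation described under interoperability conformance and the /p/01/<GTIN>/21/<serial> URI shape named under GS1 Bulgaria share one building block, the GS1 mod-10 check digit. The block below is an added example, not TracePass code: it implements that check for GLN-13 and GTIN-8/12/13/14 and a strict parser for the path shape that refuses anything a resolver should 404. Treating the /p prefix as optional is this example's assumption; the serial rule (up to 20 characters from GS1 character set 82 for AI 21) is the GS1 one.

```typescript
// Added example, not TracePass code: GS1 mod-10 check-digit validation for
// GLNs and GTINs, plus a parser for the /p/01/<GTIN>/21/<serial> path shape.

/** GS1 check digit: weights 3,1,3,1,... applied from the rightmost body digit leftwards. */
export function gs1CheckDigit(body: string): number {
  let sum = 0;
  let weight = 3;
  for (let i = body.length - 1; i >= 0; i--) {
    sum += Number(body[i]) * weight;
    weight = 4 - weight; // alternate 3 -> 1 -> 3
  }
  return (10 - (sum % 10)) % 10;
}

function isValidGs1Key(key: string, lengths: number[]): boolean {
  if (!/^[0-9]+$/.test(key) || lengths.indexOf(key.length) === -1) return false;
  return gs1CheckDigit(key.slice(0, -1)) === Number(key[key.length - 1]);
}

/** GLN: exactly 13 digits with a valid check digit. */
export const isValidGln = (gln: string): boolean => isValidGs1Key(gln, [13]);
/** GTIN-8, GTIN-12, GTIN-13 or GTIN-14 (same check-digit rule, different lengths). */
export const isValidGtin = (gtin: string): boolean => isValidGs1Key(gtin, [8, 12, 13, 14]);

// AI (21) serial: 1 to 20 characters from GS1 character set 82.
const SERIAL_RE = /^[A-Za-z0-9!"%&'()*+,\-.\/:;<=>?_]{1,20}$/;

export type DigitalLink = { gtin: string; serial: string | null };

/**
 * Parse "/p/01/<GTIN>[/21/<serial>]". The "/p" prefix is the page's URL shape;
 * accepting the path without it is this example's assumption. Returns null on
 * any structural, check-digit, encoding or serial-charset failure so the
 * resolver can answer 404 rather than guess.
 */
export function parseDigitalLink(path: string): DigitalLink | null {
  const segs = path.split("?")[0].split("/").filter((s) => s.length > 0);
  if (segs[0] === "p") segs.shift();
  if (segs.length !== 2 && segs.length !== 4) return null;
  if (segs[0] !== "01" || !isValidGtin(segs[1])) return null;
  if (segs.length === 2) return { gtin: segs[1], serial: null };
  if (segs[2] !== "21") return null;
  let serial: string;
  try {
    serial = decodeURIComponent(segs[3]); // serials may be percent-encoded in the URI
  } catch (_err) {
    return null; // malformed percent-encoding
  }
  if (!SERIAL_RE.test(serial)) return null;
  return { gtin: segs[1], serial };
}
```

The check digit catches transcription errors, not forged identifiers: a syntactically valid GLN says nothing about whether the party actually holds it, which is why the page's GLN allocation path through a GS1 member organisation matters.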

## Sub-processors

Every entity that processes customer data on our behalf is listed below. Additions to this list trigger advance notification per Article 28(2) GDPR with a reasonable window for objection. Removals (a sub-processor sunsets) are documented retrospectively here and through customer email.

| Provider | Role | Jurisdiction | DPA |
| --- | --- | --- | --- |
| Hetzner Online GmbH | Application back-end hosting (compute, primary file system) | Falkenstein, Germany (DE) | https://www.hetzner.com/legal/data-processing-agreement/ |
| Vercel Inc. | Marketing site hosting + edge runtime | EU regions (data residency configured) | https://vercel.com/legal/dpa |
| Cloudflare, Inc. (R2) | Object storage for uploads, documents, generated PDFs | EU regions (R2 jurisdictional restrictions enabled) | https://www.cloudflare.com/cloudflare-customer-dpa/ |
| Resend, Inc. | Transactional email (account verification, supplier requests, alerts) | EU region when configured; US fallback otherwise | https://resend.com/legal/dpa |
| Anthropic, PBC | AI processing for category extraction + translation (on-demand only) | United States (DPA in place) | https://www.anthropic.com/legal/data-processing-addendum |
| Stripe Payments Europe, Ltd | Payment processing for plan subscriptions | Ireland (IE) for EU customers | https://stripe.com/legal/dpa |

Standard processor DPA available on request before customer data flows. Breach notification SLA: 72 hours from confirmed incident. Customers should note that Article 33(1) GDPR gives them, as controller, 72 hours from becoming aware of a breach to notify their supervisory authority, so their own incident plan needs to absorb this processor notification window.
