Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service or Master Subscription Agreement between [Customer Company Name] (the "Data Controller" or "Data Exporter") and TraceApi LLC, located at 632 N 2nd St #72, Philadelphia, PA, 19123, United States (the "Data Processor" or "Data Importer").

1. Purpose and Scope

This DPA governs the processing of personal data by TraceAPI on behalf of the Data Controller in the context of providing the TraceAPI SaaS platform and Digital Product Passport (DPP) infrastructure (the "Services").

2. Roles of the Parties

Under the General Data Protection Regulation (GDPR):

  • The Customer acts as the Data Controller and maintains control and ownership over the supply chain and user data uploaded to the Services.
  • TraceAPI acts as the Data Processor and processes personal data strictly on the documented instructions of the Controller to provide the Services.

3. Sub-Processors

The Controller authorizes TraceAPI to engage third-party sub-processors to fulfill its contractual obligations. TraceAPI remains fully liable for the acts and omissions of its sub-processors.

A current list of sub-processors is maintained in Annex III. TraceAPI will notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.

4. International Data Transfers (Standard Contractual Clauses)

TraceAPI physically hosts all primary databases and user data within the European Union (Frankfurt, Germany).

However, because TraceApi LLC is a United States corporate entity, accessing the system for technical support or administration constitutes an international data transfer.

To ensure GDPR compliance, the parties agree that the European Commission's Standard Contractual Clauses (SCCs) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, specifically Module 2 (Controller to Processor), are incorporated by reference into this DPA and legally binding. The Annexes required by the SCCs are completed at the end of this document.

5. Security of Processing

Taking into account the state of the art and the risks involved, TraceAPI implements appropriate Technical and Organizational Measures (TOMs) to ensure a level of security appropriate to the risk, including encryption in transit and at rest, and Role-Based Access Control (RBAC) via TraceAPI's identity provider. Details are provided in Annex II.

6. Data Subject Rights & Incident Management

  • Data Subject Requests: TraceAPI shall promptly assist the Controller, using technical measures, to fulfill the Controller's obligation to respond to requests from individuals exercising their GDPR rights (e.g., data deletion or access).
  • Breach Notification: TraceAPI shall notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a personal data breach affecting the Controller's data.

7. Deletion or Return of Data

Upon termination of the Services, TraceAPI shall, at the choice of the Controller, delete or return all personal data processed on behalf of the Controller, unless applicable law requires continued storage.

ANNEX I: Details of Processing (SCC Module 2)

A. LIST OF PARTIES

  • Data Exporter: The Customer using the TraceAPI platform.
  • Data Importer: TraceApi LLC (Providing SaaS Digital Product Passport infrastructure).

B. DESCRIPTION OF TRANSFER

  • Categories of Data Subjects: The Controller's employees, authorized users, contractors, and supply chain partners whose information is entered into the TraceAPI platform.
  • Categories of Personal Data: Names, business email addresses, business contact details, authentication tokens, and any personal data inadvertently included in supply chain metadata (e.g., supplier contact info).
  • Sensitive Data: TraceAPI does not intentionally collect or process special categories of personal data (e.g., health, biometric, or political data).
  • Nature and Purpose of Processing: Processing is performed solely to provide the TraceAPI cloud infrastructure, authenticate users, generate QR codes, and host Digital Product Passports on behalf of the Controller.
  • Duration: Data is processed for the duration of the active subscription agreement, plus a 30-day grace period for final deletion.

C. COMPETENT SUPERVISORY AUTHORITY

The competent supervisory authority shall be the data protection authority of the EU Member State where the Data Exporter is established.

ANNEX II: Technical and Organizational Measures (TOMs)

The Data Importer (TraceAPI) has implemented the following measures to secure the data:

  • Data Residency: All core application databases and identity provider (Keycloak) data volumes are hosted in ISO 27001-certified data centers located in Frankfurt, Germany.
  • Encryption:
    • In Transit: All data transmitted between the client and TraceAPI servers, and internally between microservices, is encrypted using TLS 1.2 or higher.
    • At Rest: Persistent storage volumes containing database backups and passport metadata are encrypted using AES-256.
  • Access Control: System-level access to the Frankfurt infrastructure is restricted via SSH keys to authorized TraceApi LLC engineers only. Application-level access is strictly governed by Role-Based Access Control (RBAC) separating "Manufacturers" from authorized "Inspectors" and public consumers.
  • Data Isolation: Tenant data is logically separated within the database to ensure cross-tenant data leakage cannot occur.

ANNEX III: Authorized Sub-Processors

  • Hetzner Online GmbH / Oracle Cloud: Cloud infrastructure hosting (Location: EU/Germany).
  • Stripe, Inc.: B2B subscription payment processing (Location: US/Global).

(Note: Add or remove cloud providers here depending on exactly which providers the Docker containers are migrated to.)