Security and Compliance

At DPPA, earning and maintaining our users’ trust is paramount. We take data security seriously and are committed to being transparent and clear about how we safeguard and manage your information.

If you have any questions or concerns, please contact our team.

Security Framework

Our security practices are aligned with the ISO/IEC 27001 framework. We maintain a documented Information Security Management System (ISMS) covering risk assessment, incident response, access control, and regular security reviews.

Vulnerability Reporting

If you would like to report a security concern or a potential vulnerability, please contact security@dppa.no.

Incident Response

DPPA maintains a documented incident response plan with defined severity levels, escalation procedures, and communication protocols. In the event of a breach involving personal data, the relevant supervisory authority will be notified in accordance with GDPR Article 33, and affected customers and data subjects in accordance with GDPR Article 34.

GDPR and CCPA Compliance

DPPA AS is committed to data privacy and is fully compliant with the General Data Protection Regulation (GDPR). We follow industry best practices for security and privacy, and we handle our customers’ personal data with great care. Our third-party processors are carefully selected and also fully compliant.

Infrastructure Compliance and Security

Microsoft Azure

DPPA is hosted on Microsoft Azure. Azure complies with numerous IT standards and is a global leader in cloud computing services.

For a comprehensive list of certifications and compliance programs, please see the Microsoft Azure Compliance Documentation.

DPPA does not have physical access to Azure data centers, nor access to the underlying Azure infrastructure.

Details on physical, boundary, network, database, and data protection controls can be found on the Infrastructure Security page.

PostgreSQL

We rely on PostgreSQL, a robust and trusted open-source relational database, to power our Tenant API and platform services with role-based access control. PostgreSQL is known for its reliability, extensibility, and ACID-compliant architecture, making it well suited to managing structured data and supporting complex queries across multiple tenants. It is hosted on Azure Database for PostgreSQL, a managed service covered by Azure's ISO 27001 and SOC 1, 2, and 3 attestations and operated in a manner that supports our GDPR obligations, helping us protect the confidentiality and integrity of customer data. This allows us to deliver consistent performance, per-tenant data isolation, and controlled access for each tenant, providing a stable and compliant foundation for all interactions with the DPPA platform.

See https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-security for more information.

CosmosDB

We use Azure Cosmos DB to power the public querying of Digital Product Passports from our platform. Cosmos DB is a globally distributed, multi-model database service designed for low latency and high availability, making it well suited to serving millions of end users simultaneously. It is covered by key international compliance programs, including ISO 27001, SOC 1, 2, and 3, HIPAA, and FedRAMP, and supports GDPR compliance, giving us a strong basis for data security, privacy, and regulatory adherence. By building on Cosmos DB, we deliver a fast, reliable, and secure experience for users accessing product passport data in real time across the globe.

For more details, visit https://learn.microsoft.com/en-us/azure/cosmos-db/compliance.

Standards and Industry Engagement

DPPA is an active member of Standard Norway’s national DPP standardization committee (SN/K 624) and contributes to the European standardization committee CEN/CLC/JTC 24. This ensures our platform stays aligned with evolving DPP requirements as they are defined.

Application Security

We prioritize keeping your data confidential and secure.

Authentication

DPPA login is managed through Microsoft Entra ID, Microsoft’s cloud identity platform. User passwords are never transferred to DPPA, nor do we gain access to any external resources linked to user accounts.

Access Control Management

Access to our infrastructure follows the principle of least privilege. Only authorized team members have access to production infrastructure. Access rights are reviewed quarterly and revoked promptly in accordance with our access control policy and team member lifecycle management.

Encryption

All communication with the DPPA user interface and APIs is encrypted using HTTPS with TLS. This protects your data and credentials from interception or tampering while in transit between your browser or client and our services.

Backups

All data, including databases and file storage, is backed up automatically with multiple retention tiers through Azure’s built-in backup services. Backup integrity is verified through regular restore testing.

Development and Releases

We enforce strict testing procedures, both automated and manual, for every release. Our developers follow industry best practices for secure software development, including OWASP guidelines.

Corporate Security

Non-Disclosure

All DPPA team members and partners sign confidentiality agreements.

Access

Data access is highly restricted. Team members receive system access only as required for their roles, with rigorous onboarding and offboarding controls.

No plaintext passwords are stored in any tools we use. We use 1Password as our password manager, securing credentials within encrypted vaults. Additionally, we use Azure Key Vault for the secure handling and storage of secrets and keys within our Azure environment.

Multi-factor authentication (MFA) is mandatory across all critical services used by DPPA staff.

Code Quality Assurance

Our development workflow follows a strict Git flow with Azure Repos pull requests. Azure Pipelines provides continuous integration and continuous deployment (CI/CD) to help prevent regressions, and all code changes go through pull request review before merging to minimize bugs and vulnerabilities.

New features are first deployed to a test environment (which contains no production data) for thorough QA and testing.
