Security and Compliance

At DPPA, earning and maintaining our users’ trust is paramount. We take data security seriously and are committed to being transparent and clear about how we safeguard and manage your information.

If you have any questions or concerns, please contact our team.

Vulnerability Reporting

If you would like to report a security concern or a potential vulnerability, please contact security@dppa.no.

GDPR and CCPA Compliance

DPPA AS is fully compliant with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We follow industry best practices for security and privacy, and we handle our customers’ personal data with great care, as detailed in our Data Processing Agreement. Our third-party processors are carefully selected and also fully compliant.

Infrastructure Compliance and Security

Microsoft Azure

DPPA is hosted on Microsoft Azure. Azure complies with numerous IT standards and is a global leader in cloud computing services.

For a comprehensive list of certifications and compliance programs, please see the Microsoft Azure Compliance Documentation.

DPPA does not have physical access to Azure data centers, nor does it have access to the underlying Azure infrastructure.

Details on physical, boundary, network, database, and data protection controls can be found on the Infrastructure Security page.

PostgreSQL

We rely on PostgreSQL, a robust and trusted open-source relational database, to power our Tenant API and platform services with secure access control. PostgreSQL is known for its reliability, extensibility, and ACID-compliant architecture, making it ideal for managing structured data and supporting complex queries across multiple tenants. Hosted within a secure, compliant environment on Azure Database for PostgreSQL, it meets key regulatory standards such as ISO 27001, SOC 1, 2, and 3, and GDPR, ensuring the confidentiality and integrity of customer data. This enables us to deliver consistent performance, data isolation, and secure access for each tenant—ensuring a stable and compliant foundation for all interactions with the DPPA platform.

Please visit https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-security for more information.

CosmosDB

We use Azure Cosmos DB to power the public querying of Digital Product Passports from our platform. Cosmos DB is a globally distributed, multi-model database service designed for ultra-low latency and high availability, making it ideal for serving millions of end users simultaneously. It is compliant with key international standards, including ISO 27001, GDPR, HIPAA, FedRAMP, and SOC 1, 2, and 3, ensuring robust data security, privacy, and regulatory adherence. By leveraging Cosmos DB, we deliver a fast, reliable, and secure experience for users accessing product passport data in real time across the globe.

For more details, visit https://learn.microsoft.com/en-us/azure/cosmos-db/compliance.

Application Security

We prioritize keeping your data confidential and secure.

Authentication

DPPA login is managed through external authentication providers. Currently, we use Azure Active Directory B2C for authentication management. User passwords are never transferred to DPPA, nor do we gain access to any external resources linked to user accounts.

Access Control Management

Access to our infrastructure follows the principle of least privilege. Only a select group of experienced employees has access to production servers. Access rights are regularly reviewed and revoked in accordance with employee lifecycle management policies.

Encryption

All communication with the DPPA user interface and APIs is encrypted using HTTPS with TLS. This ensures that your data and credentials are protected from unauthorized third-party access.

Backups

We back up all data, including Azure Blob Storage and databases:

  • Hourly backups retained for 24 hours
  • Daily backups retained for 7 days
  • Weekly backups retained for 30 days
  • Monthly backups retained for 1 year

Development and Releases

We enforce strict testing procedures, both automated and manual, for every release. Our developers follow industry best practices for secure software development, including OWASP guidelines.

Corporate Security

Non-Disclosure

All DPPA employees and partners sign confidentiality agreements.

Access

Data access is highly restricted. Employees receive system access only as required for their roles, with rigorous onboarding and offboarding controls.

No plaintext passwords are stored in any tools we use. We use 1Password as our password manager, securing credentials within encrypted vaults.

Multi-factor authentication (MFA) is mandatory across all critical services used by DPPA staff.

Code Quality Assurance

Our development workflow follows a strict Git flow with Azure Repos pull requests. Azure Pipelines provide Continuous Integration/Continuous Deployment (CI/CD), which helps prevent regressions, and engineers perform pair-programming reviews to minimize bugs and vulnerabilities.

New features are first deployed to a test environment (which contains no production data) for thorough QA and testing.