PassPer / How it works
How it works · Under the hood

From supplier chaos to a signed, resolvable passport.

A Digital Product Passport is not a form you fill in once — it's a living, signed record built from data that mostly lives with your suppliers. Here is exactly how PassPer gets you from that reality to an audit-ready passport, and what runs underneath.

The workflow

Five steps. The regulation becomes a guided pipeline.

1

Ingest anything

Upload BOMs, spec sheets, certificates, test reports — PDF, spreadsheet or scan. The AI extraction pipeline reads them, maps every value to the right passport field with a confidence score and a source reference, and detects language (10 languages covered, EU-normalised output). Nothing is auto-published: a human reviews and applies.

multi-provider LLM extraction · confidence + provenance per field · human review gate
2

Collect what you don't have

The fields you can't extract live up your supply chain. Send suppliers a single tokenised link — no account, no login, mobile-friendly, in their language. Responses flow back into the passport for one-click review-and-apply, auto-chase sequences handle the silence, and verified declarations are reusable across products and buyers.

no-account supplier portal · auto-chase · reusable verified declarations
3

Check against the regulation

Every sector runs through the same Regulation Profile engine — the battery profile alone carries 110 fields aligned to DIN DKE SPEC 99100. Rules validate values, the readiness score updates live, and the reviewer/approver workflow signs off before anything goes public. When a delegated act changes, the profile updates as data — you don't redeploy.

sectors-as-data · live readiness score · reviewer workflow
4

Seal & publish

Publishing creates a SHA-256 version snapshot and writes a signed, hash-chained event to the passport's audit log — every lifecycle transition is tamper-evident. The passport goes live behind a GS1 Digital Link QR, and the public resolver shows each audience its access-tier-appropriate slice: consumer, professional, authority.

SHA-256 snapshots · HMAC-signed hash-chained events · GS1 Digital Link · 3 access tiers
5

Register & persist

Identifiers are prepared for the EU DPP Registry — the submission pipeline is built and validates today, and connects the day the official API opens. Persistence is designed in: EU-hosted storage plus an independent backup-custody path, because the regulation requires your passport to outlive both the product and, if necessary, you.

EU Registry pipeline (live transport when the API opens) · backup custody · 15-year availability
Under the hood

Standards-native architecture, not a form builder.

Regulation Profiles

Sectors as data

Fields, rules, access tiers and legal bases are data, not code. Battery, textiles, electronics, furniture — one engine, zero sector-specific application code, versioned profiles with diff-aware change impact.

GS1 Digital Link

Real resolver, real identifiers

Passports resolve at /01/{gtin} and /01/{gtin}/21/{serial} — GTIN-keyed, serial-aware, carrier-agnostic (QR, Data Matrix ISO/IEC 16022, NFC/RFID payloads). Print-safety checks block labels that would point at an unreachable host.

Access tiers

ESPR-mandated audiences

Every field carries its access tier. The same passport serves the public view, the professional view (repairers, recyclers) and the authority view — enforced at the resolver, not painted on in the UI.

Cryptographic trail

Signed, hash-chained events

Every lifecycle transition writes an HMAC-signed event chained to the previous one; every publish creates a SHA-256 content snapshot. Tampering breaks the chain visibly. eIDAS advanced seals are on the 2026 roadmap.

Interoperability

JSON-LD + AAS export

Passports serialise as W3C JSON-LD with layered context, and project into Asset Administration Shell submodels (application/aas+json) for Industry-4.0 ecosystems. CSV and API access included.

EU sovereignty

EU-hosted, exportable, no lock-in

All data on EU infrastructure under EU jurisdiction. Export everything at any time — JSON-LD, CSV, AAS. Your compliance record is yours; we just run it. See standards & sovereignty.

Why not just a signing tool?

Signing a document is easy. Getting a compliant one to sign is the job.

Several platforms will hash, seal and publish whatever data you hand them — and quietly assume you already have it. But the passport fields live with your suppliers, in PDFs, in ten languages, behind email threads. That's the actual work of DPP compliance, and it's the part PassPer is built around: AI extraction, supplier collection, evidence with provenance — and then the sealing and publishing too.

Start free See sample passports