The Digital Product Passport touches sensitive data: proprietary chemistries, supply chains, supplier prices, manufacturing parameters. It is no surprise, then, that the deployment model of a DPP platform is one of the most common questions. Here are the criteria that matter.
The two main models
🖥️ On-premise (local server / behind the corporate firewall)
The entire platform runs on your own infrastructure. Sensitive product and material data never leaves the internal network.
When is it ideal?
- For factories and gigafactories, where industrial espionage is a real risk.
- Where an air-gapped environment is required.
- Where direct, secure integration with the internal ERP is the goal.
Benefit: 100% data sovereignty. The eIDAS-authenticated DPP can be published and selectively shared without handing over the underlying data.
☁️ Dedicated enterprise cloud
Hosted in an EU data centre, with strict tenant isolation, on dedicated instances (not a shared database), GDPR-compliant.
When is it ideal?
- For importers and mid-sized manufacturers who prefer managed operation, automatic regulatory updates and a fast start.
Decision criteria
| Criterion | On-premise | Dedicated cloud |
|---|---|---|
| Data sovereignty | absolute (internal network) | high (isolated tenant) |
| Operational burden | yours | managed |
| ERP integration | direct, internal | API |
| Time to launch | slower (deployment) | fast |
| Updates | you deploy them | automatic |
| Typical profile | factory, gigafactory | importer, mid-sized manufacturer |
The "third way": DPPaaS
DPP as a service (DPPaaS) sits in between: bespoke workflows, API connectors, continuous compliance monitoring — tailored to your manufacturing reality. It is a good fit when the process is unique and you would rather not operate everything yourself.
GDPR and data protection
The consumer view of the DPP is accessible without login — so it is important that no personal data appears there. Behind the scenes (manufacturing, supplier data), however, there may be trade secrets, which the deployment model protects. On-premise is the strictest guarantee here.
What to ask your vendor
1. Does the sensitive data leave my infrastructure?
2. Can it run without internet (offline demo, air-gap)?
3. Where are the data centres (EU?), and what is the tenant isolation?
4. How is the signing key handled (local HSM, cloud)?
5. How can it later be migrated to the other model?
Frequently asked questions
Is on-premise more expensive?
The licence/operating structure is different, but the risk reduction (IP protection) is worth it for many factories.
Is the cloud less secure?
Not necessarily — a dedicated, isolated EU cloud offers strong guarantees; the question is the sensitivity of the data and the internal policy.
Can the two be combined?
Yes: for example, on-premise for the back-end data and publishing from the cloud — the key is that the back-end data does not leave.
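The hybrid split described above, together with the rule that the login-free consumer view must carry no personal data, can be enforced by a publish gate on the on-premise side. The sketch below is an added example, not ReadyPass code; the field names, the allowlist and the sample record are assumptions made for illustration.

```python
import re

# Assumed allowlist of fields cleared for the login-free consumer view.
# Everything not named here stays on the internal network.
PUBLIC_FIELDS = {"product_id", "model", "manufacturer_name",
                 "carbon_footprint_kg_co2e", "recycled_content_pct"}

# Patterns for personal data that must never reach the public view.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d[\d\s-]{6,}\d"),  # international format only
}

class PublishBlocked(Exception):
    """Raised when a record must not be exported to the public tier."""

def _strings(value):
    """Yield every string nested inside dicts and lists."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _strings(v)

def build_public_view(record):
    """Return (public_view, withheld_field_names) for one internal record."""
    public = {k: v for k, v in record.items() if k in PUBLIC_FIELDS}
    withheld = sorted(set(record) - PUBLIC_FIELDS)
    for text in _strings(public):
        for kind, pattern in PII_PATTERNS.items():
            if pattern.search(text):
                raise PublishBlocked(f"{kind} found in a public field value")
    return public, withheld

# Constructed sample record; none of these values come from a real product.
SAMPLE = {
    "product_id": "BAT-000123",
    "model": "LFP-48V",
    "carbon_footprint_kg_co2e": 61.5,
    "recycled_content_pct": 12,
    "cell_chemistry_recipe": "constructed placeholder",
    "supplier_price_eur": 84.2,
    "operator_contact": "j.doe@example.com",
}

if __name__ == "__main__":
    print(build_public_view(SAMPLE))
```

Only the first element of the returned tuple is handed to the cloud publisher; the list of withheld field names is for the internal audit log.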
Your data, your rules. ReadyPass offers on-premise, dedicated-cloud and DPPaaS models alike — so data sovereignty never has to be a compromise.
Sources: GDPR; ESPR (EU) 2024/1781. Informational decision support.


