Compliance, in plain language.

Yes. Every field in every sector schema carries a per-audience access tier. The consumer view shows only fields tagged "public"; an auditor, recycler, repairer, or notified-body credential unlocks the fields tagged for that audience (the Battery Annex XIII §1/§2/§3/§4 split is the model). Both views resolve from the same /p/{code} URL via Accept-header negotiation.

Yes. Same URL, content negotiated by the Accept header (HTML for humans, JSON-LD for machines) and gated by the credential the visitor presents. We never fork URLs per audience — ESPR Article 10 requires the URL to be permanent.

A short-lived signed credential issued through a vetted application flow. Five roles are recognised: manufacturer, auditor, recycler, repairer, notified body. Credentials are revocable from a single admin surface; revocation takes effect on the very next request. Until a Member State's eIDAS-for-DPP integration spec lands, vetting is manual — single-digit issuances per month at pilot scale.

Today the passport carries one End-of-Life block. Per-jurisdiction blocks (resolved via query param, language cookie, or geo-IP, falling back to the manufacturer's default) are queued for the next release; the data shape and the resolver are designed and the per-market content packs are scoped. Until that ships, manufacturers exporting to several countries publish a default block written to be acceptable EU-wide.

Already shipped. EN, DE, DA, FR, IT, ES, and PL render natively on every page including the consumer-facing /p/{code} viewer; reciprocal hreflang tags emit on every variant; Accept-Language autodetects for visitors arriving at the bare /p/{code} URL.

Yes. Every save writes a passport_revisions row with hash_before, hash_after, and a structured diff. The chain is served at /p/{code}/audit as JSON, with restricted-tier diff paths stripped for anonymous callers and unlocked for credentialed auditors. Chain validity is verifiable client-side without trusting our infrastructure.

Each passport has a passport_hash (SHA-256 over the canonical JSON-LD). The hash appears on the HTML view, in the JSON-LD response, and in the offline PDF — three independent surfaces a regulator can cross-check without trusting any of them in isolation.

No. ESPR Article 10(4) requires lifetime persistence; DELETE on a passport returns 403. Battery passports flip to is_active=False (Article 77(8)) when the unit reaches the waste stream — the viewer returns 410 Gone for human readers, the row stays in the database for audit.

Built to the ESPR architecture. Several delegated acts (textile, electronics) aren't yet final, so no platform on Earth can claim full sectoral compliance today. Our schemas track the working drafts; when each delegated act publishes, we re-tag the schema fields — we don't rebuild.

ESPR Article 13 mandates the registry from 19 July 2026. Our integration is abstracted behind a single module with a stub today; when the Commission publishes the LinkSet API and provider credentials, we flip three environment variables — no code changes elsewhere. Contenza K/S is a CIRPASS-2 consortium member, so we track the same working documents the Commission is drafting against.

Battery (2023/1542), textile (ESPR delegated act + 2024/3015), construction (CPR 305/2011), electronics (ESPR + Right-to-Repair 2024/1799 + WEEE), tyre (2020/740), and a general fallback for products without a sectoral act. Machinery (2023/1230) is intentionally out of scope — it mandates CE technical documentation, not a DPP.

EU. PostgreSQL + MinIO on EU hardware, in Denmark. The Annex III(l) backup-copy provider field is captured on every passport so a regulator can identify the data custodian without asking us.

Yes. The JSON-LD machine endpoint is the export — same canonical shape the integrity hash is computed over. CORS-enabled (Access-Control-Allow-Origin: *) so any tool can fetch it cross-origin. A full-account ZIP bundle plus a portable resolver template are queued for the next release; the per-passport JSON-LD is already a complete, machine-verifiable export today.

Yes. Caddy on-demand TLS provisions a certificate per verified domain on first request. Domain ownership is verified via a TXT record before a certificate is issued; rogue-domain hijack is not possible.

Yes — that's part of the design. Bulk CSV upload (Professional+ tier) brings existing SKUs into compliance; the QR can be printed on labels, hangtags, or the next packaging batch. Retroactive passporting is exactly the case the regulation envisions for the transition period.