Step 8
Procurement guide
A vendor-neutral framework for selecting a DPP service. Use as a starting point — adjust weights to your priorities.
Must-have capabilities
- CIRPASS-aligned data model with sector extensions for your categories.
- GS1 Digital Link and at least one DID method supported.
- Layered access (public / professional / authority) with authentication that is logged and auditable.
- Versioning, with prior versions reachable at stable URLs, so a link already printed on a product keeps resolving after the passport is updated.
- W3C Verifiable Credentials issuance and verification.
- Documented SLAs for resolver uptime (> 99.9%) and response time.
- Data-export and data-portability clauses — avoid lock-in.
- Hosting in the EEA with demonstrated GDPR compliance.
- Published security certifications (ISO 27001 minimum; SOC 2 Type II preferred).
Scoring rubric (suggested weights)
| Dimension | Weight |
|---|---|
| Regulatory fit (your sectors) | 25% |
| Interoperability (CIRPASS, GS1, Catena-X) | 20% |
| Data portability & exit plan | 15% |
| Security & compliance certifications | 15% |
| Total cost of ownership (5-year) | 15% |
| References & case studies | 10% |
Red flags
- Proprietary data format with no documented export path.
- "Standards-compliant" claims with no specific version or conformance test results.
- Resolver on a domain controlled by the vendor. A GS1 Digital Link printed or engraved on a product embeds that hostname, so if you churn, every link already in the field breaks. Insist on a domain you own, with the vendor operating the resolver behind it.
- No published pricing or a per-scan fee model that grows with your sales volume.
- Promises to own the DPP on your behalf — the legal responsibility cannot be outsourced.
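The first and third red flags above can be checked mechanically against the sample links a vendor hands over during a demo. The script below is an added example written for this guide, not code from any vendor or from the standards bodies named above. It assumes the buyer owns `example.com` and that the demo links are the constructed strings in `DEMO_LINKS` (hypothetical hosts and serial numbers, not real products). It parses the GS1 Digital Link path, validates the GTIN check digit, and flags any link whose resolver host is not under the buyer's domain, using a label-boundary suffix match so that a look-alike host such as `example.com.vendor-dpp.io` is still flagged.

```python
"""Flag DPP demo links whose resolver is not on a buyer-controlled domain.

Added example for the procurement guide. Hosts, GTINs and serials below are
constructed for illustration; the buyer domain example.com is an assumption.
"""
from urllib.parse import urlsplit, unquote

# GS1 Digital Link uncompressed path: [optional prefix]/01/{GTIN}[/10/{lot}][/21/{serial}]
# AI 01 (GTIN) is the primary key; GTIN-8/12/13/14 are all valid lengths.
GTIN_LENGTHS = {8, 12, 13, 14}

# Constructed demo links, as a vendor might supply them (not real products).
DEMO_LINKS = [
    "https://dpp.example.com/01/04006381333931/21/SN-001",        # clean
    "https://resolver.vendor-dpp.io/01/04006381333931/21/SN-002",  # vendor host
    "https://example.com.vendor-dpp.io/01/04006381333931",         # look-alike host
    "https://dpp.example.com/01/04006381333932/10/LOT-7",          # bad check digit
    "http://dpp.example.com/01/04006381333931",                    # plain http
    "https://dpp.example.com/passport/abc123",                     # no GTIN at all
]


def gtin_check_digit_ok(gtin: str) -> bool:
    """Validate a GTIN check digit: weights 3,1,3,... from the right, mod 10."""
    if not gtin.isdigit() or len(gtin) not in GTIN_LENGTHS:
        return False
    body, check = gtin[:-1], int(gtin[-1])
    total = 0
    for i, ch in enumerate(reversed(body)):
        total += int(ch) * (3 if i % 2 == 0 else 1)
    return (10 - total % 10) % 10 == check


def host_under(host: str, owned_domain: str) -> bool:
    """True if host equals owned_domain or is a subdomain of it.

    Suffix match on a label boundary: 'example.com.vendor-dpp.io' is NOT under
    'example.com', even though it contains the string.
    """
    host = host.lower().rstrip(".")
    owned = owned_domain.lower().rstrip(".")
    return host == owned or host.endswith("." + owned)


def parse_digital_link(url: str) -> dict:
    """Return scheme, host and the AI/value pairs from a Digital Link path."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    ais: dict = {}
    # Pairs start at the primary key (AI 01); anything before it is path prefix.
    if "01" in segs:
        pairs = segs[segs.index("01"):]
        for ai, val in zip(pairs[0::2], pairs[1::2]):
            ais[ai] = unquote(val)
    return {
        "scheme": parts.scheme.lower(),
        "host": (parts.hostname or "").lower(),
        "ais": ais,
    }


def assess_link(url: str, owned_domain: str) -> list:
    """Return the list of red-flag codes for one link; empty list means clean."""
    flags = []
    info = parse_digital_link(url)
    if info["scheme"] != "https":
        flags.append("not-https")
    if not host_under(info["host"], owned_domain):
        flags.append("vendor-controlled-host")
    gtin = info["ais"].get("01")
    if gtin is None:
        flags.append("missing-gtin")
    elif not gtin_check_digit_ok(gtin):
        flags.append("bad-gtin-check-digit")
    return flags


def assess_links(links: list, owned_domain: str) -> dict:
    """Map each link to its flags; use this on the full sample set from a demo."""
    return {url: assess_link(url, owned_domain) for url in links}


if __name__ == "__main__":
    for url, flags in assess_links(DEMO_LINKS, "example.com").items():
        print(f"{'OK ' if not flags else 'RED'} {url}  {flags}")
```

Run it over the links the vendor supplies; any `vendor-controlled-host` hit means the exit plan depends on the vendor's DNS, and any `bad-gtin-check-digit` hit on a "production" sample is worth raising before the interoperability score is awarded.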