DATA SUPPLY CHAINS

Archive-grade provenance for sub-processor data-handling — above GDPR Art. 28 and DORA Art. 30.

A cryptographically verifiable chain of custody for data that crosses processor boundaries. Operator-independent. Regulator-grade. Survives the boundary between trust domains.

The problem

What today's M2M auth can't deliver in data supply chains.

A regulated EU data controller signs a Data Processing Agreement with a prime vendor. The DPA, per GDPR Article 28(3), lists eight obligations the processor must meet. The DPA also lists the authorised sub-processors (Article 28(2)/28(4)). The controller signs, the vendor signs, and the relationship is presumed to be evidence-bearing. In production it is not. The prime vendor runs on a cloud platform that uses managed sub-services that rely on internal sub-processors that ship data across regions and refresh their own sub-processor lists quarterly through a PDF the controller has never seen. The chain extends two or three hops beyond what the DPA enumerates.

What the current stack can deliver is contractual, not evidentiary. Data Processing Agreements define obligations; they do not produce evidence those obligations were met. SOC 2 and ISO 27001 reports audit the prime processor, not the chain. Sub-processor lists are quarterly snapshots of who is authorised, not what they did. Transfer Impact Assessments are paper exercises. Indemnity clauses trigger after a failure. What gets stored downstream from a sub-processor data-handling event is, almost universally, a normal log line in a normal database, in the operator's format, on the operator's terms. The controller cannot verify it without the operator's cooperation. The regulator cannot verify it without trusting both the operator and any auditor in the middle.

The post-2024 regulatory stack has stopped treating that as enough. NIS2 (in force October 2024) requires Essential Entities to demonstrate supply-chain security including ICT providers. DORA (in force January 2025) requires the register of information (Art. 28(3)) to enumerate sub-contracting chains and operational evidence of contractual oversight, with audit rights at scale (Art. 30(3)) for CIF-supporting arrangements. None of those obligations can be discharged by paper alone any more.

How EdSSA addresses it

What EdSSA does differently here.

EdSSA Supply Chain runs an attestor at each processor and sub-processor boundary. When data crosses the boundary — ingress, processing transition, egress to the next link, cross-region transfer, third-party API call — the attestor emits a cryptographically signed record describing what happened. The record commits to the data-handling event without exposing the data itself. Each attestor's records anchor into a Tier-4 Merkle-anchored audit chain with a seven-year retention floor. The chain is operator-independent: it can be replicated to mirror stores held by the controller, by a third-party transparency-log operator, or by the regulator directly. Verification does not require the cooperation of the party whose record is being verified.

The chain composes across processor boundaries by design. A prime vendor's chain references its sub-processors' chains by cryptographic anchor; verifying the prime vendor's record at the boundary verifies the link to the sub-processor's record. A controller asking what touched this dataset can walk the chain through every link, in any order, without coordinating with the parties involved. The attestor is light enough to ship on commodity hardware — there is no operational excuse for a sub-processor to refuse adoption on cost grounds.
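The boundary-record and chain-composition mechanism described above, as an added Go example that is not EdSSA's own code, record format or Tier-4 chain: each attestor signs a record that carries only a digest of the data, records are hash-linked per attestor, a Merkle root over a chain serves as its anchor, and a prime vendor's egress record commits to its sub-processor's anchor so a verifier holding only the two public keys can walk both links. The record fields, the Ed25519 signatures, the SHA-256 Merkle root with odd-leaf duplication, and the attestor names `sub-proc-eu` and `prime-vendor` are assumptions made for this example; retention, mirror stores and the `edssa-admin` tooling are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// BoundaryRecord is a hypothetical attestor record: it commits to the payload by digest only.
type BoundaryRecord struct {
	Attestor   string `json:"attestor"`
	Event      string `json:"event"`                 // ingress, egress, cross-region, api-call
	DataDigest string `json:"data_digest"`           // Digest of the payload that crossed
	PrevHash   string `json:"prev_hash"`             // hash of the previous record, "" at genesis
	LinkAnchor string `json:"link_anchor,omitempty"` // Anchor of the downstream chain, if any
}
type SignedRecord struct { // record, its canonical hash, and the attestor's signature over it
	Record BoundaryRecord
	Hash   string
	Sig    []byte
}

// Digest is hex SHA-256; it is the only thing an attestor keeps about a payload.
func Digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
// recordHash hashes the canonical JSON form; fixed struct field order keeps it deterministic.
func recordHash(r BoundaryRecord) string { b, _ := json.Marshal(r); return Digest(b) }

// Append links a record to the chain head and signs its hash with the attestor's key.
func Append(chain []SignedRecord, key ed25519.PrivateKey, r BoundaryRecord) []SignedRecord {
	if n := len(chain); n > 0 {
		r.PrevHash = chain[n-1].Hash
	}
	h := recordHash(r)
	return append(chain, SignedRecord{Record: r, Hash: h, Sig: ed25519.Sign(key, []byte(h))})
}

// Anchor is a Merkle root over the record hashes; an odd leaf is duplicated.
func Anchor(chain []SignedRecord) string {
	level := make([]string, len(chain))
	for i, s := range chain {
		level[i] = s.Hash
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		var next []string
		for i := 0; i < len(level); i += 2 {
			next = append(next, Digest([]byte(level[i]+level[i+1])))
		}
		level = next
	}
	return strings.Join(level, "") // the root, or "" for an empty chain
}

// Verify re-derives every hash and checks links and signatures with the public key alone.
func Verify(chain []SignedRecord, pub ed25519.PublicKey) error {
	prev := ""
	for i, s := range chain {
		if s.Record.PrevHash != prev || recordHash(s.Record) != s.Hash || !ed25519.Verify(pub, []byte(s.Hash), s.Sig) {
			return fmt.Errorf("record %d: link, hash or signature check failed", i)
		}
		prev = s.Hash
	}
	return nil
}

// VerifyLinked verifies both chains and that each prime link anchor matches the sub chain.
func VerifyLinked(prime []SignedRecord, primePub ed25519.PublicKey, sub []SignedRecord, subPub ed25519.PublicKey) error {
	if err := Verify(prime, primePub); err != nil {
		return fmt.Errorf("prime: %w", err)
	}
	if err := Verify(sub, subPub); err != nil {
		return fmt.Errorf("sub: %w", err)
	}
	for i, s := range prime {
		if a := s.Record.LinkAnchor; a != "" && a != Anchor(sub) {
			return fmt.Errorf("prime record %d: link anchor does not match the sub chain", i)
		}
	}
	return nil
}

// BuildScenario constructs a two-link chain with hypothetical attestor names and payload.
func BuildScenario() (prime []SignedRecord, primePub ed25519.PublicKey, sub []SignedRecord, subPub ed25519.PublicKey) {
	primePub, primeKey, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subKey, _ := ed25519.GenerateKey(rand.Reader)
	d := Digest([]byte("constructed sample dataset; never written to the chain"))
	sub = Append(sub, subKey, BoundaryRecord{Attestor: "sub-proc-eu", Event: "ingress", DataDigest: d})
	sub = Append(sub, subKey, BoundaryRecord{Attestor: "sub-proc-eu", Event: "egress", DataDigest: d})
	prime = Append(prime, primeKey, BoundaryRecord{Attestor: "prime-vendor", Event: "egress", DataDigest: d, LinkAnchor: Anchor(sub)})
	return prime, primePub, sub, subPub
}

func main() { fmt.Println("linked chain verifies (nil = ok):", VerifyLinked(BuildScenario())) }
```

Two properties of the mechanism are visible in the code rather than just asserted: a verifier needs nothing from the operator except the public keys and a copy of the records, and any change to a sub-processor record, or a truncated copy of its chain, changes the anchor that the prime vendor's egress record committed to, so the link fails closed. What the chain proves is still only what each attestor reported, which is the distinction the page draws.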

The point is not that EdSSA enforces sub-processor behaviour, replaces the DPA contract, or certifies any party as trustworthy. EdSSA produces what the current stack does not: a durable, operator-independent, archive-grade record of every boundary event in the sub-processor chain, independently verifiable by the controller, the regulator, the next link in the chain, and any third party with the public verification key. A controller cannot truthfully claim EdSSA guarantees their sub-processors behave well. A controller can truthfully claim EdSSA produces the cryptographic evidence of what their sub-processors reported — and that this evidence is independently verifiable, in regulator-grade form, on demand.

Use cases

Concrete operational scenarios.

  • Sub-processor chain attestation that the controller verifies without trusting the prime vendor
  • DORA Art. 28(3) ICT register-of-information entries linked to verifiable chain segments
  • GDPR Art. 30 records of processing activities backed by operational evidence, not paper
  • Subject access and erasure responses that walk the chain in days, not weeks
  • Insurer-grade evidence for cyber-liability and indemnity-clause scoping
  • Per-boundary residency enforcement with cross-region anchor evidence

Compliance & standards

Standards and regulatory regimes.

GDPR Art. 28 + Art. 30 processor obligations and records of processing activities. NIS2 Art. 21(2)(d) supply-chain security for Essential and Important Entities. DORA Art. 28(3) ICT register of information and Art. 30(3) audit rights at scale for CIF-supporting arrangements. ISO 27001 §A.5.19–23 supplier relationships. Standards-track posture is royalty-free for conforming implementations — structurally adoptable by hyperscalers and managed-service providers without vendor lock-in.

Audit emission

Per-boundary attestation records into the Tier-4 chain. edssa-admin compliance-export produces a regulator-grade evidence bundle scoped to controller, time window, and fleet. Recipients verify independently with edssa-admin verify-anchor against the exported snapshot or the public transparency log. No operator cooperation required after the archive handover.

Customers

Operators in this vertical.

We can now answer the controller's question of what our sub-processors actually did with their data with an artefact they verify in their own browser, without our cooperation.
[CUSTOMER ROLE], [CUSTOMER COMPANY][PLACEHOLDER]

Operating in data supply chains?

Set up an NDA call. We’ll walk through how EdSSA fits your specific operational envelope.