Compliance Audit Completion — EV, LMT & Industrial Batteries

Internal compliance audit for EV, LMT, and Industrial battery DPP requirements completed, along with a combined GDPR and security audit covering data handling, access controls, and infrastructure. All critical and high-priority findings resolved prior to platform launch.

Compliance

  • EV battery DPP audit completed — Full field-level review of EV battery DPP requirements against EU Regulation 2023/1542. All mandatory fields for EV batteries (carbon footprint, recycled content, state of health, supply chain due diligence, electrochemical performance, safety certifications) verified as implemented and aligned with Annex XIII requirements.

  • LMT battery DPP audit completed — Field-level review of Light Means of Transport battery DPP requirements. DPP form coverage confirmed for LMT-specific fields under the 2026 enforcement timeline.

  • Industrial battery (Annex XIII) audit completed — Comprehensive audit of Industrial battery DPP data requirements against Annex XIII of EU Regulation 2023/1542. All ten data categories (identification, electrochemical performance, carbon footprint, recycled content, safety, supply chain due diligence, materials, end of life, composition, and conformity) verified as supported in the platform.

  • Regulatory field mapping verified — All Traceable DPP fields mapped to their source articles in EU Regulation 2023/1542. Mapping documented in the compliance reference section of this documentation site.

Security & GDPR

  • GDPR audit completed — Data flow mapping, lawful basis documentation, and data subject rights tooling (Articles 15, 17, 20) reviewed and confirmed as implemented. Data Processing Agreement template finalised.

  • Security audit completed — Infrastructure review covering data encryption at rest (AES-256) and in transit (TLS 1.3), authentication mechanisms, RBAC access controls, audit logging completeness, and rate limiting. All critical findings resolved.

  • Sub-processor register finalised — Supabase (database, EU Ireland), Vercel (edge/hosting, EU Frankfurt), Resend (transactional email, EU), Sentry (error monitoring, EU), and Upstash (rate limiting, EU) confirmed as EU-resident. No data leaves EU infrastructure.

  • Data retention policy implemented — Automated cron-based data cleanup aligned with documented retention windows. Account deletion triggers a 30-day erasure workflow for all personal data associated with the account.

Infrastructure

  • Rate limiting hardened — Per-IP limits on public endpoints and per-API-key limits on authenticated endpoints active at the edge via Upstash Redis.

  • Audit trail completeness verified — All create, update, delete, publish, and PoLI access events confirmed as captured with timestamp, actor identity, and resource reference.