Choosing a DPP platform: 12 questions to ask

There are perhaps a dozen vendors selling Digital Product Passport software to textile brands in mid-2026. By the time the textile delegated act publishes and the 2028 deadline lands, there will be fifty. Most of them will not survive past the first ESPR audit.

This is a procurement guide for the buyer side: the founder, the head of operations, or the compliance owner trying to figure out which DPP platform to commit to. Not a pitch for Filovera. A practical list of twelve questions every vendor should answer, with the right answer and the wrong answer for each.

If you are evaluating us, ask us these too. If we cannot answer any of them clearly, you should walk.

Why these twelve

The Digital Product Passport sits at the intersection of three problems most SaaS vendors have never solved together:

1. A regulatory artifact (your passport has to satisfy ESPR and the textile delegated act when it lands)
2. A consumer-facing surface (the QR code on the garment label has to scan and render anywhere)
3. A supplier data-collection pipeline (most of your passport content lives in your tier-1 and tier-2 suppliers' inboxes, not your CAD system)

A platform that gets two of those right but fumbles the third will land you in the worst version of the work: a passport that technically renders but cannot prove provenance, or a beautifully verified passport whose supplier data took six months to collect.

The twelve questions below cover all three. Ask them in order.

1. What standards does the platform implement, by name?

The right answer names at least these three:

• GS1 Digital Link (ISO/IEC 18975), the standard that turns a QR scan into a permanent URL the European Commission will accept
• W3C Verifiable Credentials, the standard for the tamper-evident signature layer that lets an auditor verify the passport's claims have not been altered
• CEN/CENELEC TC 442 specifications, the technical schemas the EU Central DPP Registry uses

A vendor who answers "we use QR codes and blockchain" is bluffing. QR is a format, not a standard; "blockchain" without a specific protocol name means nothing.

2. Show me a passport rendering live, right now, on my phone

The right answer is: yes, here is a URL, scan this QR code with your camera app. The passport opens, in English, in under two seconds, with the materials, origin, and care information rendered cleanly.

A vendor who needs to schedule a demo before they can show you a live passport is selling vapor.

Pay attention during the demo:

• Did the QR code work in your phone's native camera app, or did it need a special app? It must work natively. Consumers will not install an app.
• Was the page mobile-optimised? More than half of passport views will be on mobile.
• Did the page load over a Nigerian, Turkish, or Indonesian-quality mobile connection? Your audience is global; your audience's bandwidth is not what it is in central London.

3. How does supplier data get into the platform?

This is the question that catches out most vendors. The passport content is mostly supplier-generated: fibre composition, country of origin per processing stage, supplier certifications, dyestuff data, durability test results. Your CAD system does not have it. Your spreadsheet has half of it. Your supplier's invoice has the rest.

The right answer describes a structured supplier data-collection workflow:

• A supplier portal your suppliers actually log into
• Spreadsheet upload or CSV templates pre-formatted to the data fields ESPR needs
• An email-based collection workflow for suppliers who refuse to log in (which is most of them)
• A dashboard showing which fields are missing per SKU, per supplier

The wrong answer is "we import your existing data" without explaining how the supplier-side problem is solved. Existing data is not enough.

4. What happens if a supplier refuses to disclose tier-2 data?

ESPR expects traceability to raw-material origin. Cotton tracked back to the farm, polyester tracked back to the recycling facility. Many tier-1 suppliers will not voluntarily disclose their upstream chain. That information is commercially sensitive.

The right answer acknowledges this and offers two paths:

• A confidential disclosure mode where tier-2 data is shared with the platform under NDA but does not appear publicly in the passport
• A "supplier-blank" mode that lets you publish a passport with declared gaps while you renegotiate with the supplier

The wrong answer is "all suppliers must disclose everything." That platform will be unusable for 80% of SMB brands.

5. What does the audit trail look like?

ESPR Article 7 expects a tamper-evident record of every change to a published passport. The right architecture is a cryptographic chain. Every edit signed with a key, every signature verifiable independently.

Ask for:

• A view of the full audit log for a sample SKU
• Confirmation that the signature is W3C Verifiable Credentials compliant (so an auditor can verify it without trusting the vendor)
• Confirmation that if a record is altered after publication, the chain breaks visibly and a "Verified history" badge in the consumer view changes

If the audit log is "we keep a database table," you do not have a tamper-evident audit trail. You have a database table.

6. Where is the passport data hosted, and under whose jurisdiction?

This matters more than most buyers realise. Your suppliers may be in countries with data-localisation laws. Your customers (and the EU Central DPP Registry) expect data hosted in a stable jurisdiction. Some vendors host on infrastructure subject to FISA Section 702 or its equivalents, meaning the data can be subpoenaed by a foreign government without you knowing.

The right answer names a specific region (EU, UK, or a jurisdiction with adequate data-protection laws) and a specific cloud provider. Ask for a sub-processor list.

7. What is the GS1 Digital Link resolver setup?

The QR code on a garment encodes a GS1 Digital Link URL. That URL resolves to your passport content. Two architectural choices matter:

• Who hosts the resolver? The vendor's domain, your brand's domain, or a GS1-registered resolver? The right answer for an SMB is usually "the vendor's domain, with a CNAME you can point at your own subdomain later." That gives you a clean migration path if you ever switch vendors.
• Does it serve different content per language? A French consumer scanning a passport on a UK-sold garment should get French content. The GS1 Digital Link standard supports this; some implementations do not.

8. What is the cost over three years, all-in?

DPP vendors price differently. Some charge per-SKU, some per-passport-view, some flat per-month. Get a three-year total cost projection that includes:

• Platform licence
• Per-SKU or per-passport fees (if applicable)
• Per-view fees (if applicable; this is the dangerous one)
• Supplier portal seats (some vendors charge per-supplier-user)
• Onboarding and migration
• Year-two and year-three escalation

Watch out for per-view pricing. If your products go viral, you do not want a surprise invoice.

The right answer is a single page with the three-year total broken down by line item. The wrong answer is "talk to sales."

9. What does the export look like if I leave?

The DPP is data about your products. That data belongs to you, not the vendor. Before you sign:

• Ask for a sample export from a real customer (sanitised if needed). Format should be machine-readable JSON or CSV plus the rendered HTML.
• Confirm there is no exit fee.
• Confirm the export contains the audit log, not just the current state.
• Confirm consumer-facing QR codes can be re-pointed at a new resolver if you migrate. You do not want to reprint physical labels.

10. What is the integration story with my existing systems?

You probably have a Shopify, a WooCommerce, a Lightspeed, a Cin7, or a custom ERP. Your passports cannot live in a separate silo from your SKU management.

The right answer includes:

• A list of supported integrations (Shopify, WooCommerce, Lightspeed Retail, Cin7, ERPNext)
• A REST API for custom integrations, with documentation
• A CSV upload path for "I just want to get started"

If integration is "we will quote a custom development project," budget for that to be six months and tens of thousands of pounds.

11. Who are three of your existing customers I can call?

Not testimonials on the marketing site. Three customers, by name, with their phone numbers. Call them. Ask:

• How long did onboarding take in reality?
• What broke and how was it handled?
• What does the renewal conversation look like?
• Would they buy again?

A vendor who cannot put you in front of three customers is either too new to trust (which is OK if they are upfront about it) or hiding something (which is not).

12. What happens between now and the textile delegated act publishing?

The textile delegated act publishes some time between late 2026 and Q2 2027. When it does, every DPP platform has to update its data schema to match the final specification: what fields are required, what optional, what format.

Ask:

• How will the platform absorb the delegated act changes?
• Will I be charged extra for the update?
• What is the timeline from delegated act publication to platform support?
• Is there a beta or sandbox environment where I can test changes before they go live?

A vendor who has not thought about this is going to spend Q2 2027 firefighting instead of supporting you.

What we tell prospects

The conversation we have with brands considering Filovera covers all twelve of these. We answer them in order, on the first call, without slides. If we cannot, we tell you so plainly and we recommend you talk to someone else.

The DPP space is going to be loud over the next eighteen months. Vendors will appear faster than they can be vetted. Most of them will not be around for the second audit cycle. The twelve questions above are the cheapest insurance you can buy: thirty minutes per vendor, and you will know which ones to take seriously.

If you want to see how Filovera answers these, book a call or browse the features. Either way, please bring this list to whichever vendor you end up evaluating. Every brand who asks better procurement questions makes the whole DPP ecosystem better.

Related reading

• Build or buy a DPP: which is right for textile SMBs for the foundational decision before vendor selection
• GS1 Digital Link explained for textile DPP for a deep dive on question 1 and question 7 above
• ESPR for textile SMBs: what 2028 actually requires for the regulatory backdrop driving all twelve questions

Frequently asked questions

What is a Digital Product Passport?

A Digital Product Passport (DPP) is a structured, machine-readable record attached to a physical product. For textiles, it carries fibre composition, country of origin per processing stage, durability data, care instructions, recycling pathway, and a tamper-evident audit trail. It is accessed via a QR code on the garment label and resolves to a permanent URL hosted by the brand or its DPP platform. The DPP is required under the EU Ecodesign for Sustainable Products Regulation (ESPR).

Which standards must a DPP platform implement?

At minimum: GS1 Digital Link (ISO/IEC 18975) for QR resolution, W3C Verifiable Credentials for the tamper-evident signature layer, and CEN/CENELEC TC 442 specifications for the data schema. Platforms that cannot name these standards by their formal identifiers are not building to the ESPR compliance target.

How much does a Digital Product Passport platform cost in 2026?

For an SMB textile brand with 200 to 2,000 SKUs, expect somewhere between £8,000 and £40,000 per year all-in, including platform licence, supplier portal seats, onboarding, and reasonable view volumes. Per-passport-view pricing should be avoided if possible. Platforms charging less than £4,000 per year are usually missing the supplier data-collection workflow that makes the system actually work. Platforms charging more than £60,000 per year are pricing for enterprises that have full-time compliance teams.

Can I switch DPP platforms later?

Yes, if you choose a vendor that takes data portability seriously. Confirm before signing that your data export will include the audit log (not just current state), that the QR codes on physical garments can be re-pointed at a new resolver, and that there is no exit fee. Vendors who object to these clauses are vendors you should not pick.

Do I need a DPP platform if I am only a small brand?

The size threshold under ESPR has not been finalised, but the European Commission has been explicit that micro and SMB brands are not carved out. Any brand placing textile products on the EU market, including UK and third-country exporters, is in scope. The volume of work scales with company size; the requirement does not.

When does the textile delegated act publish?

Somewhere between late 2026 and Q2 2027 based on the latest signals from DG GROW. From the day it publishes, brands have approximately eighteen months to comply, putting practical deadlines in mid to late 2028. Filovera and other DPP platforms track this closely and will update their data schemas to match the final specification.

What is the difference between a DPP and a sustainability claim?

A sustainability claim is a marketing statement (for example, "made with recycled fibres"). A DPP is structured, machine-readable, tamper-evident data that supports (or contradicts) such claims. The EU Empowering Consumers Directive, alongside ESPR, restricts brands from making sustainability claims they cannot substantiate via DPP-grade evidence. A DPP is not a marketing tool; it is the substrate that makes future marketing claims defensible.

---

Disclaimer. Filovera is software, not legal or compliance advice. The exact text of the textile delegated act has not been published as of June 2026. Brands with high-value or high-risk product lines should engage qualified compliance counsel before relying on any procurement framework, including this one.