Please visit here for the PassKit Data Processing Agreement.
It's very important you understand how PassKit processes and stores your data. By accepting PassKit terms and conditions you indicate you have read, understood, and accept the PassKit Data Processing Agreement.
This information is just a very short summary.
PassKit is fully GDPR-compliant as a data processor. PassKit only stores the information that you provide to us, and on that front, we strongly recommend that you only provide data to us that you want to display on the pass. There is no need to provide us with customer information/data that is not used on your pass.
In terms of data transit and storage; all data is protected at rest and in transit. TLS encryption is required and enabled by default for data being transmitted to and from the PassKit Service (data in transit). Data at rest is encrypted using AES256 encryption. All PII data is encrypted with an individual salt. Only your authorized personnel (i.e. your people with the PassKit username and password or API credentials) can access this data via the PassKit platform.
We have two production clusters, both hosted with Google Cloud Engine:
Europe: europe-west-4 (located in Eemshaven, Netherlands)
USA: us-central-1 (located in Council Bluffs, Iowa, North America)
You have the option to pick either a European or USA data cluster when you signup for a new account.
VERY IMPORTANT NOTE: It is not possible to transfer accounts and data between regions at a later stage as they are completely separate. Doing so will require you to create a new account and re-create your projects.
If you are using the API, each data cluster has its own API prefix.
If you are unsure which data cluster your account was created in, you can find your cluster location on the Developers Tools page.