How it works
Registry, discovery and governed access
RVRC Hub sits between DPP providers and industry users. It stores registry metadata, not DPP content. The actual passport remains with the provider at all times.
Three layers, one platform
RVRC Hub separates the roles that are sometimes confused
DPP Provider
Creates, hosts, resolves and secures Digital Product Passports. In Stage 1, the reference provider is Made2Verify. The provider pushes approved registry metadata to RVRC Hub for in-scope DPPs.
RVRC Hub Registry
Records DPP identifiers, provider references, search metadata, variable manifests and lifecycle status. Indexes DPPs for discovery. Does not store DPP content or restricted values.
Discovery and Access
Authenticated stakeholders search registered DPPs, inspect public metadata and request access to restricted data through a governed approval workflow.
End-to-end data flow
From DPP creation to audited data fetch
DPP is created at the provider
A DPP provider such as Made2Verify creates and hosts a Digital Product Passport. The provider checks the company connection and publication policy to determine whether the DPP is in scope for RVRC Hub.
Registry metadata is pushed to RVRC Hub
The provider pushes approved search metadata, variable manifests and identifiers to RVRC Hub. Only metadata approved for RVRC discovery is sent. Restricted values are never included in the registry payload.
Users search and discover DPPs
Authenticated users search the registry, view public metadata and inspect variable manifests to find DPPs relevant to their value-retention activities.
Access is requested
When a user needs restricted data, they submit an access request specifying the DPP scope, variables, purpose and validity period.
Data owner reviews and decides
The data-owning company receives the request through RVRC Hub and, via webhook, in their provider dashboard. They can approve, approve with modifications, or reject.
Grant is issued and data is fetched
On approval, RVRC Hub creates an access grant and issues a short-lived signed assertion. When the user views the restricted data, RVRC Hub calls the provider with the assertion. Only authorised values are returned. The hub does not store restricted data.
How restricted data stays safe
RVRC Hub never stores restricted DPP values
Restricted values stay with the provider
RVRC Hub only stores metadata approved for discovery: product identifiers, search metadata and variable manifests that describe fields and security levels. The actual values above public level never enter the registry.
Signed grant assertions
When access is approved, RVRC Hub issues a short-lived signed grant assertion. This assertion is sent to the provider when fetching authorised data. The provider verifies the assertion and returns only the approved variables.
Every action is audited
Access requests, approvals, grants, data fetches and administrative actions are recorded in an append-only audit log with hash-chain integrity verification.
Frequently asked questions
Does RVRC Hub store my Digital Product Passports?
No. RVRC Hub stores registry metadata — identifiers, search metadata and variable manifests. The actual DPP content remains with the provider, such as Made2Verify. Restricted values are fetched on demand using signed grant assertions and are not stored in the hub.
What if my organisation already uses a DPP provider?
RVRC Hub works alongside your existing provider. If you use Made2Verify, your DPPs can be registered with RVRC Hub through the company connection and publication policy mechanism. Other providers will be supported in Stage 2 and beyond.
How does RVRC Hub handle sensitive data?
RVRC Hub does not receive or store restricted DPP values. Search metadata is validated before indexing to ensure it contains only data approved for RVRC discovery. When restricted values are needed, they are fetched directly from the provider using a signed, short-lived assertion tied to a specific grant.
Is RVRC Hub a regulatory authority?
No. RVRC Hub is a UK platform operated by NMIS at the University of Strathclyde. It demonstrates registry, discovery and governed-access patterns aligned with the EU DPP direction under ESPR. It does not perform regulatory certification or compliance assessment.
Ready to participate?
Whether you create DPPs or need to discover and access them, find out how your organisation can join the RVRC Hub platform.
