How EcoWise platform is built upon five layers of data security for maximum trust in data safety and data access

The EcoWise platform manages a significant amount of product data coming from the manufacturing phase, as well as supply chains and the product life cycle. The platform also allows for setting up differentiated access, so that selected organisations and their operators can see specific additional hidden data about a product, which is not visible to public users. This applies, for example, in cases where market surveillance authorities require specific information about the product to evaluate compliance with product regulations.
Ensuring the security of managed data and controlling access are fundamental to giving our clients full authority over who can view or use their information, while also eliminating the risk of data breaches to establish complete trust in the EcoWise platform solution. To provide this level of trust we can offer five layers of data security:
Default available layers
- Secure cloud hosting using Amazon Web Services.
- Cryptographic end-to-end encryption based security using verifiable credentials signed with a digital signature for general authentication of organisations, users and roles, including access to upload data to DPPs after they are issued.
Use case dependent & client requested layers:
- Selective disclosure using JSON web tokens where data is encrypted into hidden claims, where even the encrypted claim itself is only viewable if the recipient has been issued with a disclosure right.
- Local Data vaults to enable fully decentralised data sharing between two parties.
- Blockchain based transaction management.
Secure cloud hosting using Amazon Web Services
The EcoWise Platform is built upon AWS and our servers are hosted in Germany in the European Union. AWS offers some of the most secure cloud computing environments globally by design. The infrastructure is based on three principles:
- Isolation & segmentation: AWS uses strong tenant isolation with virtual private clouds (VPCs), dedicated hardware options, and granular access controls.
- Encryption everywhere: Data is encrypted in transit and at rest using AWS Key Management Service (KMS) and hardware security modules (HSM).
- Zero Trust principles: AWS encourages and supports Zero Trust architectures using Identity and Access Management (IAM), federated identities, and policy-based access.
The cloud environments provided by AWS are certified to meet the requirements of ISO 27001, the internationally recognised standard for information security management, as well as 7 other cloud security standards. AWS servers are also fault tolerant and have high availability to ensure the DPPs hosted by the EcoWise platform can be up and running close to 24/7.
Note that the security offered by AWS is a secure infrastructure. AWS clients such as EcoWise still need to implement proper security measures and configurations in their IT architecture and software code, to ensure there are no breaches, especially when data is received or sent from the cloud service.
Cryptographic security using verifiable credentials with digital signatures for authentication of organisations, users and roles
A standard feature of all our DPPs is that any transactions utilise the latest web standards for sending and receiving data, using standard X.509 certificates to authenticate a web domain, and JSON Web Tokens (JWTs) with a JSON Web Signature (JWS) to ensure authentication of the transacting parties, integrity of the data sent, and proof that the data was sent and received.
X.509 certificates are used to ensure that data is transferred securely using https:// instead of http://, which lacks encryption and server authentication. An X.509 certificate holds information about how secure the transaction is, and includes information such as the subject, issuer, public key, validity period, and signature algorithm used, to cross-check that the transaction is secure and the identity of the receiver or sender is valid.
The use of JSON Web Tokens is an industry standard for authenticating a party in a transaction on the web, and the JSON Web Signature provides the industry standard for including digital signatures in the exchange. The data in our JWTs, which includes user identities and roles for access to information for authentication, is encrypted with a digital signature, where data access is managed using a private-public key pair. Before sending authentication data, the sender encrypts and generates a digital signature with a chosen algorithm and its private key, which is known only to the sender. The receiver then receives the information and uses a public key made available to the sender, retrieved from a public key server made known to the client, to verify the signature and decrypt the user identity and roles access information contained in the JWT.
To encrypt the data the EcoWise platform uses asymmetric cryptographic algorithms including EdDSA and ECDH within this structure, to ensure authenticity, integrity, and non-repudiation. The receiver can trust that the JWT was generated by a legitimate source, and that the data has not been altered, because only the sender has the private key needed to sign the JWT. If the signature is valid the receiver knows the JWT was signed by the authentic server where the data originated, and that it has not been tampered with. If the data is altered the digital signature no longer matches and the token is no longer valid to ensure the risk of anyone
Verifiable credentials to manage DPP upload access
The EcoWise platform verifiable credential architecture as described above is versatile and can also be used to provide trusted access to DPPs for uploading data during the product life cycle. In our Trace-Wise service, in order to create product status events and logs during the lifecycle, access is granted based on verifiable credentials. The benefits are significant as authentication is not based on a username and password infrastructure which is prone to phishing attacks and vulnerabilities. In the EcoWise platform a 3rd party economic operator is issued with a digitally signed credential by the manufacturer that issued the DPP, which needs to be presented before access is granted. The issued verifiable credential is unique to the economic operator and can also be tailored to provide only access to specific features on the EcoWise platform, such as only providing repair or only providing logistics updates.
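An added example (not EcoWise code) of the flow described in the two sections above: a manufacturer signs a JWS credential with EdDSA, and the receiver verifies the signature, the expiry and the granted feature before allowing an upload. The claim names `features` and `dpp`, the `did:example:` identifiers and the reason strings are assumptions made for illustration.

```javascript
// Added example, not EcoWise code. Claim names (features, dpp) and the DIDs are assumptions.
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const fromB64u = (text) => Buffer.from(text, 'base64url');

// Issuer (manufacturer): sign "header.payload" with the private Ed25519 key.
function issueCredential(privateKey, claims) {
  const header = { alg: 'EdDSA', typ: 'JWT' };
  const signingInput = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const signature = crypto.sign(null, Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64u(signature)}`;
}

// Verifier (platform): check the signature first, then expiry, then the requested feature.
function verifyCredential(token, publicKey, requiredFeature, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(fromB64u(parts[0]).toString('utf8'));
    claims = JSON.parse(fromB64u(parts[1]).toString('utf8'));
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims || typeof claims !== 'object') return { ok: false, reason: 'malformed' };
  // Accept only the expected algorithm; the token must not choose how it is verified.
  if (header.alg !== 'EdDSA') return { ok: false, reason: 'bad-alg' };
  const signature = fromB64u(parts[2]);
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (signature.length !== 64 || !crypto.verify(null, signed, publicKey, signature)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Claims are trusted only from this point on, after the signature has been verified.
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  if (!Array.isArray(claims.features) || !claims.features.includes(requiredFeature)) {
    return { ok: false, reason: 'feature-not-granted' };
  }
  return { ok: true, reason: null, claims };
}

// Constructed sample data: keys are generated on the fly, identifiers are placeholders.
function demo() {
  const issuer = crypto.generateKeyPairSync('ed25519');
  const stranger = crypto.generateKeyPairSync('ed25519');
  const now = 1700000000;
  const claims = { iss: 'did:example:manufacturer', sub: 'did:example:repair-shop',
    dpp: 'DPP-EXAMPLE-001', features: ['repair'], exp: now + 3600 };
  const token = issueCredential(issuer.privateKey, claims);
  // Same header and signature, but a payload that was changed after signing.
  const [h, , s] = token.split('.');
  const altered = `${h}.${b64u(JSON.stringify({ ...claims, features: ['repair', 'logistics'] }))}.${s}`;
  return {
    repair: verifyCredential(token, issuer.publicKey, 'repair', now),
    logistics: verifyCredential(token, issuer.publicKey, 'logistics', now),
    altered: verifyCredential(altered, issuer.publicKey, 'logistics', now),
    wrongIssuer: verifyCredential(issueCredential(stranger.privateKey, claims), issuer.publicKey, 'repair', now),
    expired: verifyCredential(token, issuer.publicKey, 'repair', now + 7200),
  };
}

console.log(demo());
```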
Selective disclosure of hidden claims providing a double access layer setup
Selective disclosure when using JSON Web Tokens (JWTs) to exchange data involves a method where specific pieces of data - referred to as claims - are encrypted and embedded into the token in such a way that even the existence of these claims remains hidden. The approach ensures that sensitive information, including the data and the metadata, remains concealed unless explicitly shared, providing users with greater security. This goes beyond traditional JWT encryption by introducing an access control layer that determines not just whether a user can decrypt a claim, but whether they can even see that a claim exists within the token.
The issuer of the JWT can assign disclosure rights to recipients based on their roles or permissions. Only when a recipient possesses the appropriate cryptographic key or token extension indicating these rights, can they decrypt and access specific hidden claims. The system ensures that unauthorized users cannot infer or detect the presence of concealed data, thereby reducing exposure to both data leaks as well as metadata leaks.
Data vaults to enable end-to-end encrypted decentralised data sharing between two parties
In cases where data that needs to be shared is sensitive, we can offer a data vault. The EcoWise data vault is operated in the server of a manufacturer and fully based on decentralised information management. Our data vault technology is under development and available for piloting for early adopters.
The first principle of the EcoWise platform data-vault is that it offers a layer of data management that is isolated from the ERP/PLM system, such that all sensitive exchanges between the EcoWise Platform DPP system can take place with the data-vault, instead of the manufacturer ERP or PLM system, reducing the risk of exposure of the manufacturer’s data systems.
The second principle is that all data in our data-vaults and the transfers of data from it are end-to-end encrypted using digital signatures, with only the non-sensitive metadata identifying a piece of data made available. To exchange data, our data-vaults require verifiable credentials to be presented that contain identity claims of the two transacting parties, in order to authenticate them (for more details, see the section "How EcoWise platform is built upon six layers of data security for maximum trust in data safety and data access").
The third principle is that EcoWise data-vaults are also self-operable, meaning that a party can self-sign their digital signature and does not need EcoWise for the signing process, making the data vault fully decentralised. This eliminates the need for interacting with an issuer of verifiable credentials and digital signatures, further reducing exposure risks.
The fourth principle is that EcoWise Platform also offers a secure way to provide end-to-end encryption to enter data into the data vault from a local offline IT device. This is done by a special encryption programme that can be installed on a local device and that opens a secure encrypted pipeline to our data vaults using standard messaging pipelines. The innovation means that at all stages, as soon as data enters the cloud and is managed in the cloud, it is fully encrypted and secure.
Blockchain based transaction management
In cases where a client requires it, we can offer ledger-based data transaction management in a blockchain on a decentralised basis.
Blockchain transactions are pseudonymous, meaning that the identities of the sender and receiver are not directly recorded on the ledger. Instead, transactions are linked to cryptographic addresses (public keys). However, this means that identifying the actual individuals behind those addresses requires access to an external registry or database that maps public keys to real-world identities. This database is typically centralised and held by one company that is the blockchain issuer.
Blockchain transactions are immutable, meaning they cannot be altered or deleted. The complete set of transactions can be easily audited, creating a transparent and traceable chain of events. This makes blockchain particularly useful for managing chain of custody in supply chains.
Whilst we can provide for blockchain ledgers, we do not offer this as a default feature due to the relatively high cost of blockchain transactions, especially for larger sets of data. Our recommendation is to utilise blockchain ledgers for referencing of data transactions, e.g. storing metadata or identity references, not for storing entire data payloads, in cases where the transaction records between two parties need to have additional layers of being tamper proof beyond digital signatures. For other use cases, the decentralised identity system with verifiable credentials provides similar or better performance than blockchain for decentralised identity and data exchange management.