Data Processing Agreement

1. Subject-Matter and Duration

The Processor provides a Proof-of-Work CAPTCHA API service ("Service") to the Controller. In providing the Service, the Processor processes personal data on behalf of the Controller as described in this Agreement. This Agreement is effective for the duration of the Controller's use of the Service and terminates automatically upon termination of the Terms of Service.

2. Nature and Purpose of Processing

The Processor processes personal data solely for the purpose of delivering the CAPTCHA challenge and verification functionality — specifically:

• Generating and verifying Proof-of-Work challenge tokens
• Rate-limiting requests using one-way hashed IP addresses (SHA-256 + secret salt; never stored in the database)
• Maintaining aggregated, anonymised usage counters per project for billing and plan enforcement

No personal data is sold, shared with third parties for advertising, or used for any purpose other than operating the Service on the Controller's behalf.

3. Type of Personal Data and Categories of Data Subjects

Data subjects: End users (visitors) of the Controller's websites or applications that have the CAPTCHA widget integrated.

Personal data processed: IP addresses of end users, temporarily held as a one-way hash in cache memory solely for rate-limiting (maximum 60 seconds; never written to persistent storage). No other personal data of end users is processed by the Service.

4. Obligations of the Processor

Pursuant to Article 28(3) GDPR, the Processor commits to the following:

• Instructions. Process personal data only on documented instructions from the Controller — namely, delivering the CAPTCHA service as described above. If the Processor is required by Union or Member State law to process data for other purposes, it will inform the Controller unless prohibited by law.
• Confidentiality. Ensure that all personnel authorised to process personal data are bound by a duty of confidentiality.
• Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR), including encrypted communications (TLS), access controls, and short retention windows.
• Sub-processors. Not engage any sub-processor without the Controller's prior general authorisation. Current sub-processors are listed in the GDPR Policy (currently: Hetzner Online GmbH — infrastructure; Brevo / Sendinblue SAS — transactional email). The Controller will be notified of any changes at least 14 days in advance.
• Data subject rights. Assist the Controller in fulfilling obligations regarding data subjects' rights (Articles 15–22 GDPR) by appropriate technical and organisational measures.
• Security incidents. Notify the Controller without undue delay after becoming aware of a personal data breach affecting data processed under this Agreement.
• DPIAs. Assist the Controller in carrying out data protection impact assessments and prior consultations where required under Articles 35–36 GDPR.
• Deletion / return. At the choice of the Controller, delete or return all personal data upon termination of the Service, and delete existing copies unless Union or Member State law requires retention.
• Audit. Make available all information necessary to demonstrate compliance with this Article and allow for audits and inspections conducted by the Controller or an authorised auditor.

5. Obligations of the Controller

The Controller warrants and undertakes that:

• It has a valid legal basis for instructing the Processor to process personal data on its behalf.
• It will inform its own end users about the use of the CAPTCHA service in its privacy documentation.
• It will notify the Processor promptly of any changes to applicable data protection laws that materially affect this Agreement.

6. Sub-Processors

By accepting the Terms of Service, the Controller grants general authorisation for the Processor to engage the sub-processors listed in the GDPR Policy. The current list is:

• Hetzner Online GmbH — cloud infrastructure (Gunzenhausen, Germany, EU)
• Brevo (Sendinblue SAS) — transactional email for account notifications (Paris, France, EU)

All sub-processors are located within the EU/EEA. We do not intentionally transfer personal data outside the EU/EEA. The Processor will provide at least 14 days' notice before adding or replacing any sub-processor, giving the Controller the opportunity to object.

7. Governing Law

This Agreement is governed by and construed in accordance with the laws of the Czech Republic, consistent with the Terms of Service. Any disputes shall be subject to the exclusive jurisdiction of the competent courts of the Czech Republic.

This document is generated dynamically from captchaapi.eu live content. The version date above reflects when this copy was generated. The legally binding version is always the current document available at https://captchaapi.eu/dpa. Accepting the Terms of Service at https://captchaapi.eu/terms constitutes acceptance of this DPA without requiring a separate signature.