Data Processing Agreement

1. Subject-Matter and Duration

I provide a Proof-of-Work CAPTCHA API service ("Service") to the Controller. In providing the Service, I process personal data on behalf of the Controller as described in this Agreement. This Agreement is effective for the duration of the Controller's use of the Service and terminates automatically upon termination of the Terms of Service.

2. Nature and Purpose of Processing

I process personal data solely for the purpose of delivering the CAPTCHA challenge and verification functionality — specifically:

• Generating and verifying Proof-of-Work challenge tokens
• Rate-limiting requests using one-way hashed IP addresses (SHA-256 with server-side secret salt; held only in ephemeral cache memory, not persisted to database)
• Detecting distributed automated abuse across protected sites using a short-lived cross-sitekey reputation score keyed by the same one-way hashed IP address (held only in ephemeral cache memory, never persisted)
• Deriving coarse-grained geographic signals (two-letter ISO country code + Autonomous System Number) from the raw IP via locally-hosted offline MaxMind GeoLite2 databases for the same abuse-prevention purpose (held only in ephemeral cache memory, never persisted, never transmitted to MaxMind)
• Maintaining aggregated, pseudonymous usage counters per project for billing and plan enforcement (counters are linked to the Controller's account, so under GDPR Article 4(5) they are pseudonymous, not anonymous)

I do not sell personal data, share it with third parties for advertising, or use it for any purpose other than operating the Service on the Controller's behalf.

3. Type of Personal Data and Categories of Data Subjects

Data subjects: End users (visitors) of the Controller's websites or applications that have the CAPTCHA widget integrated.

Personal data processed: IP addresses of end users, temporarily held as a one-way hash (SHA-256 with a server-side secret salt) in ephemeral cache memory (Redis) for two distinct abuse-prevention purposes — short-term rate limiting and cross-sitekey abuse reputation. Maximum retention is 2 minutes per hash for rate limiting and up to 24 hours per hash for cross-sitekey abuse reputation. In addition, two coarse-grained signals are derived from each raw IP before it is hashed — the two-letter ISO country code and the Autonomous System Number — via locally-hosted offline MaxMind GeoLite2 databases (no outbound traffic, no IP ever transmitted to MaxMind). These derived signals are held in ephemeral cache memory for up to 24 hours and feed only into aggregate per-site botnet-detection counters; they are never linked back to an identifier that could re-identify a specific visitor. No data is persisted to the database or long-term storage. No other personal data of end users is processed by the Service.

4. Obligations of the Processor

Pursuant to Article 28(3) GDPR, I commit to the following:

• Instructions. I process personal data only on the Controller's documented instructions — namely, delivering the CAPTCHA service as described above. If I am required by Union or Member State law to process data for other purposes, I will inform the Controller unless prohibited by law.
• Confidentiality. I ensure that all personnel authorised to process personal data are bound by a duty of confidentiality.
• Security. I implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR), including encrypted communications (TLS), access controls, and short retention windows.
• Sub-processors. I will not engage any sub-processor without the Controller's prior general authorisation. The current and complete list of sub-processors and their roles is maintained on the dedicated Sub-processors page, which is the single authoritative source. I will notify the Controller of any change at least 30 days in advance.
• Data subject rights. I assist the Controller in fulfilling obligations regarding data subjects' rights (Articles 15–22 GDPR) by appropriate technical and organisational measures.
• Security incidents. I notify the Controller without undue delay, and in any event no later than 48 hours after becoming aware of a personal data breach affecting data processed under this Agreement.
• DPIAs. I assist the Controller in carrying out data protection impact assessments and prior consultations where required under Articles 35–36 GDPR.
• Deletion / return. At the choice of the Controller, I delete or return all personal data upon termination of the Service, and delete existing copies unless Union or Member State law requires retention.
• Audit. I make available all information necessary to demonstrate compliance with this Article, satisfying audit obligations in the first instance through existing documentation, including this Agreement, the Sub-processors page, and the independent audit reports of the infrastructure sub-processor (Hetzner). Where that documentation is not sufficient, the Controller or an authorised auditor may conduct an audit or inspection subject to the following: no more than once in any 12-month period (save where a personal data breach has occurred or a supervisory authority requires it); on at least 30 days' prior written notice; during normal business hours and without unreasonable disruption to the Service; subject to confidentiality obligations; and at the Controller's own cost.

5. Obligations of the Controller

The Controller warrants and undertakes that:

• It has a valid legal basis for instructing me to process personal data on its behalf.
• It will inform its own end users about the use of the CAPTCHA service in its privacy documentation.
• It will notify me promptly of any changes to applicable data protection laws that materially affect this Agreement.

6. Sub-Processors

By accepting the Terms of Service, the Controller grants general authorisation for me to engage the sub-processors listed on the Sub-processors page, which is the single authoritative source for the current list, their roles, locations, and any applicable international transfer mechanism. As of the date of this document the core sub-processors are Hetzner Online GmbH (cloud infrastructure, Nuremberg, Germany) and WEDOS, a.s. (transactional email, Hluboká nad Vltavou, Czech Republic) — both within the EU/EEA.

I will provide at least 30 days' notice before adding or replacing any sub-processor, giving the Controller the opportunity to (a) request additional information about the change, (b) propose alternative arrangements which I will consider in good faith, or (c) terminate the service relationship without penalty before the change takes effect, with a pro-rata refund of any prepaid unused period. Objections must be sent to info@captchaapi.eu within the notice period.

7. Sub-Processor Guarantees

I have concluded a written Data Processing Agreement with Hetzner Online GmbH pursuant to Article 28 GDPR (signed 17 April 2026). The Service runs exclusively in Hetzner's Nuremberg datacenter (Germany); no replication or backup leaves Hetzner's EU/EEA datacenters. Hetzner's compliance with the agreed Technical and Organizational Measures is audited annually by TÜV Rheinland, an independent German certification body. The most recent audit report is dated 19 February 2026 and is available to Controllers on request under this Agreement.

Hetzner maintains the following certifications relevant to this sub-processing relationship: ISO 27001, BSI C5 Type 2, and ISO 14001.

7b. Data Suppliers (not Sub-Processors)

The Service uses the MaxMind GeoLite2 offline databases (Country and ASN) as a local data source for deriving geolocation signals as described in Sections 2 and 3. The databases are downloaded under license to my infrastructure and queried in-memory; no end-user data is ever transmitted to MaxMind. Consistent with MaxMind's own Data Processing Addendum (Section 2(a)), MaxMind does not act as a sub-processor of end-user personal data in connection with the GeoLite Databases. MaxMind is therefore listed as a data supplier rather than on the Sub-processors page.

Attribution: This product includes GeoLite2 Data created by MaxMind, available from https://www.maxmind.com.

The same MaxMind GeoLite2 Country database is also used by my own first-party server-side analytics for visitors to the captchaapi.eu marketing site, to resolve the visitor's ISO country code without storing the IP itself. That processing is described in the Privacy Policy § 7 and is outside the scope of this Agreement, which governs only end-user personal data processed via the CAPTCHA service on the Controller's behalf. No end-user data of the Controller's visitors is involved.

8. Retention Periods

• IP hashes — rate limiting: maximum 2 minutes in Redis cache; never persisted to database.
• IP hashes — cross-sitekey abuse reputation: maximum 24 hours in Redis cache; TTL refreshed on each new failure across protected sites; never persisted to database.
• Derived geolocation signals (country code + ASN): maximum 24 hours in Redis cache; transient cache only; never persisted to database; never transmitted to MaxMind.
• Challenge tokens: maximum 2 minutes in Redis cache; deleted immediately after verification.
• Aggregated usage counters: retained for the duration of the billing relationship; deleted within 30 days after service termination.
• Controller account data: retained for the duration of the Service; deleted within 30 days of account closure, except where retention is required by applicable law (e.g., accounting records under Czech law).
• Application logs: retained for 14 days (rolling daily rotation), then automatically purged.
• Authentication credentials (two-factor authentication, when enabled by the Controller): encrypted TOTP secret and one-time recovery codes are retained until 2FA is disabled by the Controller or the account is deleted.
• Authenticated session metadata (Controller dashboard): session row containing IP address, user-agent, last-activity timestamp and serialized session payload — retained while the session is active; invalidated on logout and pruned by Laravel session-garbage-collection thereafter.
• VIES verification audit trail (EU B2B Controllers only): append-only log of every VIES query result, kept as the operator's own due-diligence and accounting documentation for cross-border B2B invoicing. Valid rows (with VIES consultation number) and Invalid rows are retained for 10 years, aligned with the retention applied to the related invoices; Down rows older than 90 days that are not bound to an unsettled invoice are pruned daily.
• Subscription lifecycle data (Controllers on a paid plan): billing-period start/end dates, payment-overdue / VAT-grace timers, scheduled tier changes, provider subscription IDs — retained for the duration of the Service and for the legal accounting-records retention period (10 years from the end of the tax period of the last invoice) thereafter.
• Free-tier hard-cap state (Controllers on the Free plan): timestamp of first hard-cap event and a one-time-warning-seen flag — retained until account deletion; used solely to drive the post-cap re-activation UX.

9. Governing Law

This Agreement is governed by and construed in accordance with the laws of the Czech Republic, consistent with the Terms of Service. Any disputes shall be subject to the exclusive jurisdiction of the competent courts of the Czech Republic.

This document is generated dynamically from captchaapi.eu live content. The version date above reflects when this copy was generated. The legally binding version is always the current document available at https://captchaapi.eu/legal/dpa. Accepting the Terms of Service at https://captchaapi.eu/legal/terms constitutes acceptance of this DPA without requiring a separate signature. The current sub-processors list is maintained at https://captchaapi.eu/legal/subprocessors.