captchaapi.eu uses a minimal set of carefully selected sub-processors to deliver the CAPTCHA service. This page lists every third-party processor that handles any personal data on our behalf, in compliance with Article 28(2) GDPR. All current sub-processors are located within the European Union.
1 Core Infrastructure
These processors are essential for delivering the CAPTCHA service. All end-user CAPTCHA verification data is processed exclusively by the core infrastructure provider.
| Sub-processor | Purpose | Location | Certifications | DPA |
|---|---|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure, servers, storage, networking | Nuremberg, Germany (EU) |
ISO 27001
BSI C5 Type 2
§ 8a BSI-KritisV
ISO 14001
|
Signed 17 Apr 2026
|
Annual independent audit
Hetzner's compliance with the agreed Technical and Organizational Measures is audited annually by TÜV Rheinland, an independent German certification body. The most recent audit report is dated 19 February 2026 and is available to Controllers on request under our DPA.
2 Ancillary Services
These processors handle auxiliary data such as account notifications. They do not process end-user CAPTCHA verification data.
| Sub-processor | Purpose | Location | Data processed | Terms |
|---|---|---|---|---|
| WEDOS, a.s. | Transactional email (mailhosting) — account verification, password reset, billing notifications | Hluboká nad Vltavou, Czech Republic (EU) | Email address, message content | WEDOS Terms ↗ |
3 Change Notification Policy
Before adding or replacing any sub-processor, we provide at least 14 days' advance notice to all customers by:
- Updating this page with the "Last updated" date
- Sending email notification to the billing contact of all active accounts
If you object to a proposed sub-processor change, you may terminate your service agreement without penalty before the change takes effect. See our DPA for the full procedure.
4 Payment Processing
Merchant of Record — to be added
Paid plans are not yet available. Once a Merchant of Record is onboarded, this page and our DPA will be updated with the full details at least 14 days before paid plans go live.
Compliance questions?
Happy to answer vendor due diligence questionnaires.