captxa Beta
Log in Get started free
Legal — Effective April 14, 2026

Data Processing Agreement

The formal Art. 28 GDPR DPA governing how Captxa processes CAPTCHA verification data on behalf of customers.

✔  What this is: This Data Processing Agreement (DPA) governs the processing of personal data by Captxa on behalf of customers integrating the Captxa API. It fulfils the Art. 28 GDPR requirement for a written processor agreement.

⚠  Practical note: For most Captxa integrations, the CAPTCHA widget does not transmit personally identifiable information about your end-users to our servers in a stored or linkable form. This DPA is provided for completeness and for customers whose compliance teams require one. If you need a countersigned PDF, email hello@captxa.com.

1. Parties

  • Data Controller ("Customer"): the individual or organisation that has accepted the Captxa Terms of Service and uses the Captxa API.
  • Data Processor ("Captxa"): the operator of the Captxa service — hello@captxa.com.

This DPA is incorporated into and forms part of the Captxa Terms of Service. By using the Captxa API, the Customer agrees to this DPA.

2. Subject Matter and Duration

This DPA governs processing by Captxa on behalf of the Customer when the Customer integrates the Captxa CAPTCHA widget. It remains in force for the duration of the Customer's use of the service.

3. Nature and Purpose of Processing

  • Purpose: Verifying whether an HTTP request originates from a human user or an automated bot, using Proof-of-Work challenges and behavioural signals.
  • Nature: Automated, ephemeral processing of request-level signals (encrypted challenge tokens, transient IP binding, browser environment signals) to produce a binary verification result (pass/fail) returned to the Customer's server.

4. Categories of Data Subjects

End-users of the Customer's applications who interact with a web form or interface protected by the Captxa CAPTCHA widget.

5. Types of Personal Data Processed

  • Transient IP address: used solely to bind a CAPTCHA challenge to a session and apply rate-limiting. Not persisted in personally identifiable form after the request lifecycle.
  • TLS JA4 fingerprint: a technical fingerprint of the TLS handshake. Used for session binding only. Not stored persistently.
  • Browser environment signals: WebGL renderer, screen dimensions, hardware concurrency, timezone, and device memory — submitted as part of the challenge. Not stored after verification.
  • Mouse trajectory (complex path only): collected only when the sliding puzzle is triggered. Processed in-memory for bot scoring. Not stored after the request.

No persistent personal data about end-users is stored by Captxa. All data above is processed ephemerally within a single verification request's lifetime.

6. Obligations of Captxa (Processor)

Captxa shall:

  • Process personal data only on documented Customer instructions or as required by EU law.
  • Ensure authorised persons are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures per Art. 32 GDPR.
  • Not engage sub-processors without prior notification to the Customer.
  • Assist the Customer in responding to data subject rights requests where reasonably possible.
  • Notify the Customer without undue delay upon becoming aware of a personal data breach.
  • Delete or return all personal data at the end of the service relationship, unless EU law requires retention.
  • Provide information necessary to demonstrate compliance with Art. 28 GDPR.

7. Obligations of the Customer (Controller)

  • Ensure a valid GDPR legal basis exists for deploying the Captxa widget.
  • Include appropriate disclosure in their own privacy policy about the use of Captxa as a third-party CAPTCHA processor.
  • Not instruct Captxa to process personal data in a manner that would violate applicable data protection law.

8. Sub-Processors

Captxa currently uses one sub-processor:

  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany — cloud infrastructure (EU-only).

Captxa will give at least 14 days' notice of any new sub-processor. Objections must be sent to hello@captxa.com.

9. International Transfers

All processing occurs within the EU (Nuremberg, Germany). No personal data is transferred outside the EEA. No Standard Contractual Clauses are required.

10. Security Measures (Art. 32 GDPR)

  • TLS 1.3 encryption for all data in transit.
  • ChaCha20-Poly1305 encryption for CAPTCHA challenge tokens.
  • Ed25519 digital signatures for verification tokens.
  • No persistent storage of end-user verification data beyond the request lifecycle.
  • Access controls limiting personnel access to production systems.
  • Regular security review of the codebase.

11. Audit Rights

The Customer may request compliance information by emailing hello@captxa.com. We will respond within 30 days. Physical audits may be arranged on a case-by-case basis.

12. Liability

Liability under this DPA is governed by the limitations in the Captxa Terms of Service. Each party is liable for GDPR-violating processing attributable to that party.

13. Term and Termination

This DPA is effective for the duration of the Customer's use of Captxa. Upon termination, Captxa will delete personal data as described in Section 6, unless EU law requires continued retention.

14. Governing Law

This DPA is governed by the laws of Germany and the European Union, consistent with the Captxa Terms of Service.

15. Execution

This DPA is agreed to electronically by accepting the Captxa Terms of Service. For customers requiring a countersigned PDF, contact hello@captxa.com.

Questions about this document?

hello@captxa.com