LEGAL
Data Processing Agreement
Last updated: June 2026
1. Scope and Roles
This Data Processing Agreement ("DPA") forms part of the CaptchaKit Terms of Service and applies where CaptchaKit processes personal data on behalf of a customer ("Customer") in connection with the CaptchaKit service. For data submitted through the verification widget on your site, you are the data controller and CaptchaKit (operated by didyu) acts as the data processor.
2. What We Process on Your Behalf
- Verification events: site key, game identifier, pass/fail outcome, timestamp.
- Abuse-prevention data: the IP address of the requester, used only for rate limiting and security, retained transiently in rate-limit windows.
- No end-user content: we do not receive form contents, names, emails, or any other data your users enter on your site. We use no cross-site tracking, fingerprinting, or advertising identifiers.
3. Processing Commitments
- We process personal data only to provide the service and follow documented instructions implied by your use of it.
- Personnel with access to customer data are bound by confidentiality obligations.
- We apply technical and organizational measures appropriate to the risk: TLS in transit, encryption of stored secrets at rest, password hashing (bcrypt), one-time-use verification tokens, rate limiting, and audit logging.
- We will notify affected customers without undue delay after becoming aware of a personal data breach affecting their data.
- We assist customers with data subject requests: data export and account deletion are self-service from the dashboard; widget verification data contains no end-user identifiers.
4. Data Retention
- Verification events are automatically deleted after 90 days.
- Account audit logs are automatically deleted after 365 days.
- Account data is deleted immediately upon self-service account deletion.
5. Subprocessors
We use the following subprocessors to provide the service:
- Vercel Inc. (USA) — application hosting and edge network.
- MongoDB Inc. (Atlas) (USA/EU regions) — database hosting.
- Stripe Inc. (USA) — payment processing. Card data never touches CaptchaKit servers.
- Resend Inc. (USA) — transactional email delivery.
We will update this list when subprocessors change. Material objections can be raised via the contact form.
6. International Transfers
Where personal data originating from the EEA, UK, or Switzerland is processed in the United States, we rely on our subprocessors' standard contractual clauses and equivalent safeguards as published in their respective data processing terms.
7. Questions
For DPA questions, signed copies for procurement, or security questionnaires, reach out via the contact form.