Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", controller) and AESHA Technology Services Limited ("TrustedCaptcha", processor). It governs the processing of personal data by TrustedCaptcha on your behalf in connection with the Service.

1. Subject matter and duration.

The subject matter is TrustedCaptcha's processing of personal data on your behalf for the purpose of providing the Service. Duration: for the term of your subscription plus 90 days for cleanup.

2. Nature and purpose.

Verification of human users on your websites and applications via CAPTCHA challenges; storage of challenge metadata, verification tokens, and aggregated usage statistics for fraud prevention and service operation.

3. Categories of data.

End-users of your services: truncated IP addresses, hashed user agents, viewport / device hint signals, challenge solutions (encrypted), verification timestamps. We do not collect names, contact details, or unique identifiers of end-users.

4. Categories of data subjects.

End-users of your websites and applications who interact with the TrustedCaptcha widget.

5. Obligations of the processor.

1. Process personal data only on your documented instructions, including with regard to transfers, unless EU or Member State law requires otherwise.
2. Ensure that personnel authorised to process the data have committed to confidentiality.
3. Implement appropriate technical and organisational measures (Annex 1).
4. Engage subprocessors only with prior general written authorisation; the current list is at /legal/subprocessors with 30 days advance notice of changes.
5. Assist you in fulfilling data subject requests (Art. 12-22 GDPR).
6. Assist you in security, breach notification, and DPIA obligations (Art. 32-36 GDPR).
7. On termination, delete or return all personal data, at your choice, within 90 days.
8. Make available all information necessary to demonstrate compliance and allow audits.

6. Subprocessors (general authorisation).

You authorise us to engage the subprocessors listed at /legal/subprocessors. We notify you 30 days before any addition or replacement; you have the right to object on reasonable data protection grounds.

7. International transfers.

Personal data is processed in the European Union. Where a subprocessor processes data outside the EU/EEA, the transfer is governed by Standard Contractual Clauses (Module 3 — processor-to-processor) or an applicable adequacy decision.

8. Liability.

Liability under this DPA is subject to the limits in the main service agreement.

9. Annex 1 — Technical and Organisational Measures.

• Pseudonymisation: IPs truncated to /24 or /64; user agents SHA-256 hashed with per-deployment pepper before storage.
• Encryption at rest: database backups encrypted (AES-256-GCM); challenge expected answers encrypted with libsodium secretbox.
• Encryption in transit: TLS 1.2+ (TLS 1.3 preferred) for all internet-facing communication; mTLS for internal service traffic.
• Access control: SSH key-only access to production hosts, 2FA-required dashboard access, principle of least privilege for staff.
• Backup and recovery: nightly encrypted backups, retained 30 days; quarterly restore tests.
• Logging: audit logs of administrative actions retained 13 months.
• Personnel: confidentiality obligations, security training annually.
• Vulnerability management: dependency scanning in CI; security patches applied within 7 days of vendor release for high/critical issues.

10. Signing.

For Pro customers, this DPA is automatically incorporated upon Pro subscription. A countersigned PDF copy is available from the dashboard. Free tier customers can request a signed copy from dpo@trustedcaptcha.com.