Compliance & trust program

CapchaCloud's 20 control themes: strong security practices and transparency. We do not guarantee legal or regulatory outcomes.

No compliance warranty. These pages describe intentions, practices, and roadmaps. They are not legal advice, not a certification, and not a substitute for your own counsel, DPIA, or agreements (including a signed DPA where required).

Program index

Each item links to a dedicated page. Deeper evidence packets and runbooks are shared through procurement when appropriate.

Also: Why CapchaCloud · Roadmap (public product direction) · Status & probes

Legal agreements (published)

Operator: Service Automations LLC · Effective May 15, 2026 · Single contact: support@serviceautomations.ai

Lead program & visitor consent

Technical orientation for counsel and operators on the embed lead-capture path. Not legal advice.

If the Lead program setup is incomplete or the embed program cannot load, the live widget.js shows a short operator footnote under the sign-in card (no silent failure), so merchants know to finish dashboard setup or fix their allowlists.

Printable counsel review summary · Embed test harness (same-origin; requires allowlisted ?client_id=) · Operator repo: docs/COUNSEL-LEAD-PROGRAM-REVIEW-PACKET.md, docs/CONSENT-TCPA-PRODUCT-PLAN.md.

1. Security overview & control alignment

How we describe controls alongside common frameworks—without claiming certification.

2. Shared responsibility model

What we operate vs. what you configure (domains, keys, BYOB, webhooks).

3. Data Processing Addendum (full)

Binding processor terms + SCC references. Start with DPA summary for orientation.

4. Subprocessors & change notices

Who we rely on and how we notify material changes.

5. Retention & deletion

Data classes and lifecycle—in principle and by configuration.

6. Legal hold

How preservation requests work alongside deletion.

7. Audit logging & integrity

Append-only operational logs and hash-chain tamper evidence.

8. Encryption & keys

TLS, platform crypto, BYOB; CMK roadmap.

9. Incident response & notifications

Severity model and customer communication principles.

10. Tabletop exercises

How we drill breaches and outages—cadence and scope.

11. IAM & least privilege

Access reviews and production change discipline.

12. Admin authentication

Phishing-resistant MFA and break-glass expectations.

13. Configuration baselines

Known-good settings, drift reduction, infrastructure-as-code.

14. Vulnerability management

Disclosure intake and remediation targets.

15. Supply chain & SBOM

Dependencies, provenance, CycloneDX artifacts in CI.

16. Secure SDLC

Gates: review, scans, secrets hygiene, release discipline.

17. Penetration testing

Third-party testing cadence and remediation tracking.

18. Data residency

Cloudflare regions and roadmap for tenant pinning.

19. Privacy-by-design (contributors)

PR checklist: minimization, purpose, sensitive fields.

20. Evidence program

How we assemble audit artifacts—controls, logs, policies, exports.
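Item 7 describes append-only logs with hash-chain tamper evidence. The following is an added illustration of that technique, not CapchaCloud's log format or code: the record layout, the GENESIS anchor, the function names and the sample events are all assumptions made for this example. It also shows the limit a practitioner should know about, which is that a hash chain alone cannot prove the newest records were not dropped; that needs a head hash recorded out of band.

```python
import copy
import hashlib
import json
from typing import List, Optional, Tuple

# Added illustration of hash-chained, append-only audit logging. The record
# layout, GENESIS anchor and function names are assumptions made for this
# example; they are not CapchaCloud's log format or code.

GENESIS = "0" * 64  # assumed anchor hash for the first record


def canonical(body: dict) -> bytes:
    """Deterministic JSON so the same logical record always hashes identically."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append(log: List[dict], event: dict) -> dict:
    """Append an event, binding it to the previous record's hash and its position."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "event": event}
    entry = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
    log.append(entry)
    return entry


def verify(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Walk the chain from GENESIS. Returns (ok, index_of_first_bad_record).

    Catches in-place edits, deletions or insertions in the middle, and
    reordering. It cannot catch removal of the newest records, because a
    truncated chain is still a valid chain: compare against a trusted head.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def verify_with_head(log: List[dict], trusted_head: str) -> bool:
    """Chain check plus comparison with a head hash stored out of band
    (for example published to a separate system or signed at checkpoint time)."""
    ok, _ = verify(log)
    return ok and bool(log) and log[-1]["hash"] == trusted_head


# Constructed sample events, not real CapchaCloud log data.
SAMPLE_EVENTS = [
    {"ts": "2026-05-15T10:00:00Z", "actor": "alice", "action": "login", "result": "ok"},
    {"ts": "2026-05-15T10:01:00Z", "actor": "alice", "action": "update_allowlist", "result": "ok"},
    {"ts": "2026-05-15T10:02:00Z", "actor": "bob", "action": "export_leads", "result": "denied"},
]


def tamper_scenarios() -> dict:
    """Build a log, then show which manipulations the chain does and does not catch."""
    log: List[dict] = []
    for ev in SAMPLE_EVENTS:
        append(log, ev)
    head = log[-1]["hash"]  # what a checkpoint would record out of band

    edited = copy.deepcopy(log)
    edited[1]["event"]["actor"] = "mallory"          # rewrite history in place

    deleted = copy.deepcopy(log)
    del deleted[1]                                   # drop a middle record

    swapped = copy.deepcopy(log)
    swapped[0], swapped[1] = swapped[1], swapped[0]  # reorder records

    truncated = copy.deepcopy(log)[:-1]              # silently drop the newest record

    return {
        "intact": verify(log),
        "edited": verify(edited),
        "deleted": verify(deleted),
        "swapped": verify(swapped),
        "truncated_chain_only": verify(truncated),                 # passes: the weakness
        "truncated_with_head": verify_with_head(truncated, head),  # caught by the checkpoint
    }
```

The `seq` field is part of the hashed body so that a record cannot be moved or a gap closed without breaking the chain, and `prev` binds each record to its predecessor. The last two scenarios are the point to take to an evidence review: a chain that verifies from genesis proves the prefix is intact, not that it is complete, so an integrity claim should say where the head hash is anchored (a separate store, a signature, or a periodic checkpoint) and how often.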

Operate with counsel for jurisdictional requirements. Contact: serviceautomations.ai.