Effective Date: May 15, 2026 (or the date the underlying agreement is executed, whichever is later)
Processor: Service Automations LLC (“CapchaCloud”)
Controller: The customer entity that has accepted the CapchaCloud Terms of Service or otherwise established a paid account (“Customer” or “you”)
No Compliance Guarantee. This DPA describes contractual protections for processing of Personal Data. It does not, and shall not be construed to, certify, warrant, or guarantee that Customer’s use of the Service complies with any specific law, regulation, or industry framework. Customer alone determines such fit.
For questions: support@serviceautomations.ai (use subject lines such as “DPA”, “Privacy”, “DSAR”).
This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, the agreement between CapchaCloud and Customer for use of the CapchaCloud service (the “Principal Agreement”). Where this DPA conflicts with the Principal Agreement regarding the processing of Personal Data, this DPA controls. Where a fully executed enterprise data-protection agreement exists between the parties, that agreement controls over this DPA for the subject matter it addresses.
Capitalized terms used but not defined here have the meaning given in the Principal Agreement or the applicable Data Protection Law. “Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including GDPR, UK GDPR, FADP, CCPA/CPRA, U.S. State Privacy Laws, and any other applicable law that protects personal data or personal information. “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) that Customer or its End Users provide to, or that CapchaCloud Processes on behalf of Customer through, the Service. “Processing” (and “Process”) means any operation performed on Personal Data, whether or not by automated means. “Controller” and “Processor” have the meanings under GDPR; for CCPA/CPRA, Customer is the Business and CapchaCloud is the Service Provider. “Subprocessor” means any third party engaged by CapchaCloud to Process Personal Data on Customer’s behalf. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed under this DPA. “Standard Contractual Clauses” or “SCCs” means the EU standard contractual clauses adopted in Decision (EU) 2021/914, the UK International Data Transfer Addendum (IDTA), and Swiss adaptations as described in §11.
This DPA applies to CapchaCloud’s Processing of Personal Data on behalf of Customer in connection with the Services. Customer is the Controller and warrants that it has a lawful basis for collecting, Processing, transferring, and otherwise handling all Personal Data it causes CapchaCloud to Process. CapchaCloud is the Processor acting on Customer’s documented instructions, which are set out in this DPA, the Principal Agreement, and any further written instructions Customer provides (subject to §3). For Personal Data CapchaCloud Processes in its own capacity as a Controller (e.g., Customer’s account, billing, support, and usage data — collectively, “Operator Data”), CapchaCloud’s processing is governed by its Privacy Policy and not by this DPA.
3.1 Standing Instructions. CapchaCloud will Process Personal Data only: (a) to provide, secure, monitor, improve, and bill for the Services as described in the Principal Agreement and this DPA; (b) on Customer’s further documented instructions, including through Customer’s use of the dashboard, APIs, and configuration tools; (c) as required by applicable law (in which case CapchaCloud will inform Customer of the legal requirement before Processing, unless prohibited by that law on important grounds of public interest).
3.2 Unlawful Instructions. CapchaCloud will inform Customer if, in its reasonable opinion, an instruction infringes Data Protection Law. CapchaCloud may decline to follow such instructions until they are amended or withdrawn.
3.3 Customer Responsibility. Customer is responsible for the lawfulness and accuracy of its instructions, for the accuracy and integrity of Personal Data it submits, and for the suitability of the Services for Customer’s intended purposes.
The subject matter, duration, nature, purposes, types of Personal Data, and categories of Data Subjects are set out in Annex 1.
CapchaCloud will implement and maintain appropriate technical and organizational measures (“TOMs”) designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk to Data Subjects. A summary of CapchaCloud’s current TOMs is set out in Annex 2. CapchaCloud may update its TOMs from time to time, provided that the overall level of protection is not materially decreased. CapchaCloud will ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations and have received appropriate training.
CapchaCloud will treat Personal Data as confidential and will limit access to personnel and Subprocessors who have a need to know in order to provide the Services. Personnel access is subject to written confidentiality obligations that survive termination of employment.
7.1 General Authorization. Customer provides general written authorization for CapchaCloud to engage Subprocessors to Process Personal Data, subject to this §7.
7.2 Current Subprocessors. A current list of Subprocessors is maintained at /subprocessors-policy.html and summarized in Annex 3.
7.3 New Subprocessors. CapchaCloud will provide notice of the addition or replacement of any Subprocessor at least fifteen (15) days before that Subprocessor begins Processing Personal Data. Notice may be by email to support@serviceautomations.ai or by posting on the Subprocessors page with a corresponding update notice in the dashboard.
7.4 Objection. Customer may object to a new Subprocessor on reasonable Data Protection grounds by written notice within fifteen (15) days of the announcement. The parties will discuss the objection in good faith. If the parties cannot reach a resolution, Customer’s sole remedy is to terminate the affected portion of the Services, without further liability except for any pre-paid unused fees, which CapchaCloud will refund on a pro-rata basis.
7.5 Subprocessor Obligations. CapchaCloud will impose on each Subprocessor data-protection obligations no less protective than those in this DPA, by written agreement. CapchaCloud remains liable to Customer for the performance of its Subprocessors to the same extent as it would be liable if it performed the obligations directly.
8.1 To the extent CapchaCloud receives a request from a Data Subject exercising rights under Data Protection Law regarding Personal Data Processed on Customer’s behalf, CapchaCloud will, unless prohibited by law, promptly forward the request to Customer and will not respond to the Data Subject directly except to acknowledge receipt and direct them to Customer.
8.2 CapchaCloud will, taking into account the nature of the Processing, provide reasonable assistance — by appropriate technical and organizational measures — to enable Customer to fulfill its obligations to respond to Data Subject requests. CapchaCloud may charge reasonable fees for assistance that exceeds standard dashboard/API functionality.
CapchaCloud will notify Customer without undue delay, and where feasible within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed on Customer’s behalf. The notice will include, to the extent then known and consistent with applicable law: (a) the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records affected; (b) the likely consequences; (c) the measures taken or proposed to address the Breach and mitigate its possible adverse effects. CapchaCloud will reasonably cooperate with Customer in investigating, mitigating, and remediating the Breach. Customer is responsible for assessing whether the Breach requires notification to Data Subjects, regulators, or other parties, and for making any required notifications.
Where Customer reasonably determines that a Data Protection Impact Assessment (“DPIA”) or prior consultation with a supervisory authority is required, CapchaCloud will provide reasonable cooperation and the information within its possession that is reasonably necessary to enable Customer to complete the DPIA or consultation. CapchaCloud may charge reasonable fees for substantial assistance.
11.1 General. CapchaCloud operates on Cloudflare’s global edge network and stores most production Personal Data in the United States. Personal Data may be transferred to, stored in, or otherwise Processed in countries other than the country of origin, including the United States.
11.2 EEA Transfers. Where the GDPR applies to a transfer of Personal Data from the European Economic Area to a country not subject to an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Module Two: Controller to Processor) are hereby incorporated by reference into this DPA, with: (a) Customer as “data exporter”; (b) CapchaCloud as “data importer”; (c) Clause 7 (Docking Clause) included; (d) Clause 9(a): Option 2 (General Written Authorization); minimum advance notice 15 days (per §7.3); (e) Clause 11(a): the optional independent dispute resolution language is not included; (f) Clause 17: governed by the law of Ireland; (g) Clause 18(b): venue Ireland; (h) Annex I.A populated by reference to Annex 1 of this DPA; (i) Annex I.B populated by reference to Annex 1 of this DPA; (j) Annex I.C: competent supervisory authority is the Irish Data Protection Commission; (k) Annex II populated by reference to Annex 2 of this DPA; (l) Annex III populated by reference to Annex 3 of this DPA.
11.3 UK Transfers. Where the UK GDPR applies to a transfer of Personal Data from the United Kingdom to a country not subject to UK adequacy regulations, the UK International Data Transfer Addendum (IDTA) issued by the UK Information Commissioner’s Office is hereby incorporated by reference, modifying the SCCs as set out in the IDTA, with Table 4 selecting the importer.
11.4 Swiss Transfers. For transfers from Switzerland, the SCCs apply with adaptations required by the Swiss FADP (competent authority: Swiss Federal Data Protection and Information Commissioner).
11.5 Transfer Risk Assessment. Customer acknowledges that CapchaCloud relies on the SCCs together with supplementary measures described in Annex 2. CapchaCloud will assist Customer with Customer’s own assessment on request.
With respect to Personal Data subject to CCPA/CPRA, CapchaCloud is a “Service Provider” and is engaged to Process Personal Data only for the limited and specified purposes described in the Principal Agreement and this DPA. CapchaCloud will not: (a) Sell or Share Personal Data; (b) retain, use, or disclose Personal Data outside the direct business relationship between Customer and CapchaCloud, or for any purpose other than the Business Purposes; (c) combine Personal Data received from Customer with Personal Data received from or on behalf of any other person, except as permitted by CCPA/CPRA for security, fraud prevention, legal compliance, or internal use as reasonably necessary and proportionate to improve or maintain the quality and safety of the Services; (d) use Personal Data for cross-context behavioral advertising. Analogous provisions apply where Personal Data is subject to other U.S. State Privacy Laws.
13.1 Information. Upon Customer’s written request not more than once per twelve (12) month period, CapchaCloud will provide Customer with reasonable information necessary to demonstrate compliance with this DPA, including the most recent summary of its TOMs and any then-current third-party security certifications or attestations it maintains.
13.2 On-Site Audits. If the information provided under §13.1 is not sufficient to demonstrate compliance, Customer may request a more detailed audit conducted at Customer’s expense, limited in scope, scheduled on at least thirty (30) days’ prior written notice, in a manner that does not unreasonably interfere with CapchaCloud’s business operations, by an independent third-party auditor mutually agreed upon by the parties and bound by appropriate confidentiality obligations, limited to once every twelve (12) months unless a Personal Data Breach affecting Customer has occurred or a supervisory authority requires more frequent audits.
13.3 Reports. Audit findings will be CapchaCloud Confidential Information.
13.4 Supervisory Authority Audits. CapchaCloud will cooperate with audits by competent supervisory authorities as required by Data Protection Law.
Upon termination or expiration of the Principal Agreement, Customer may, within the export window specified in the Principal Agreement (currently thirty (30) days), export its Personal Data via the dashboard or documented API. After the export window, CapchaCloud will delete Personal Data from active production systems within ninety (90) days, except: (a) Personal Data subject to legal hold; (b) data retained in routine backups, which will be deleted on normal backup rotation; (c) data CapchaCloud must retain to comply with applicable law; (d) aggregated and de-identified data. CapchaCloud will, upon Customer’s reasonable written request, provide written confirmation of deletion. See also /data-retention-deletion.html.
Each party’s liability under or in connection with this DPA is subject to the limitation and exclusion of liability provisions in the Principal Agreement, which apply in aggregate across the Principal Agreement and this DPA, except where applicable law prohibits such limitation. Nothing in this DPA limits or excludes liability that cannot lawfully be limited or excluded under applicable Data Protection Law, including any liability of the parties to Data Subjects under GDPR Article 82 or analogous provisions. Where the parties are jointly liable to a Data Subject, the parties will allocate liability between themselves in proportion to each party’s responsibility for the harm caused.
This DPA takes effect on the Effective Date and remains in force as long as CapchaCloud Processes Personal Data on Customer’s behalf under the Principal Agreement. Provisions that by their nature should survive termination (including §§14, 15, 17) survive.
17.1 Order of Precedence. In the event of conflict between this DPA and the Principal Agreement, this DPA controls with respect to data-protection matters. The SCCs (where incorporated) control over conflicting terms in this DPA for transfers governed by the SCCs.
17.2 Severability. If any provision is held unenforceable, the remaining provisions remain in force, modified to the minimum extent necessary to be enforceable.
17.3 Amendments. CapchaCloud may update this DPA from time to time to reflect changes in Data Protection Law or in industry practice. Material amendments will be communicated with at least fifteen (15) days’ notice. Continued use after the effective date of the amendment constitutes acceptance.
17.4 Governing Law. Except as expressly set out for the SCCs (which are governed by Irish law under Module Two Clause 17), this DPA is governed by the laws of the State of Texas, consistent with the Principal Agreement.
17.5 Counterparts. This DPA may be executed in counterparts, including by electronic acceptance (clickthrough, OAuth sign-in, or electronic signature), each of which is deemed an original.
TLS 1.2+ in transit; provider-managed encryption at rest for D1/R2; HMAC-SHA256 for webhook signatures; API key hashing; role-based access; MFA for administrative access; least privilege; WAF and DDoS protection; tenant origin allowlists and CORS controls; input validation and parameterized queries; integrity controls including cryptographic hashing for Consent Records; centralized logging, rate limiting, and anomaly detection; vendor management and subprocessor contracts; incident response with timely customer notification per §9. CapchaCloud may modify these measures from time to time, provided the overall level of protection is not materially decreased. Details appear in the Trust Center.
| Subprocessor | Role | Location / notes |
|---|---|---|
| Cloudflare, Inc. | Cloud infrastructure, edge compute, storage, Turnstile, Workers AI, AI Gateway, DNS, CDN | United States; global edge |
| Stripe, Inc. | Payments, billing, customer portal, Connect (where used) | United States |
| Google, Apple, Microsoft, GitHub, Meta, LinkedIn | OAuth identity providers (when enabled) | United States |
| Email delivery provider | Transactional and operational email (as configured) | As listed on Subprocessors page |
Full authoritative list: /subprocessors-policy.html.
For Customers that require a fully executed counterpart of this DPA:
Service Automations LLC
By: ___________________________
Name: Adam F. Woodward
Title: Member / Authorized Signatory
Date: ___________________________
Customer
By: ___________________________
Name: ___________________________
Title: ___________________________
Company: ___________________________
Date: ___________________________
For most Customers, acceptance via clickthrough, OAuth sign-in, or other electronic means in the Service is sufficient and has the same legal effect as a manuscript signature.
End of Data Processing Addendum. Last updated: May 15, 2026.