Shared responsibility model
Security and compliance are jointly achieved by CapchaCloud and your team.
Your obligations depend on your jurisdiction, industry, and data choices. We do not determine whether your use case is “compliant”.
CapchaCloud (platform)
- Operate Workers, queues, and bound storage with provider baseline security.
- Provide mechanisms: tenant isolation patterns, audit logs, webhook signing, Turnstile hooks, billing integrity hooks.
- Maintain the subprocessor disclosure and incident notification practices described in our trust docs.
Customer (you)
- Identity & OAuth: Configure allowed providers, redirect URLs, and session policies appropriate to your users.
- Custom hostnames / SaaS: DNS, certificate authorization, and Cloudflare for SaaS setup on your zone.
- BYOB: Bucket policies, IAM/CASL on your storage side, encryption choices, and lifecycle rules.
- Application integration: Correct client IDs, API keys, CORS allowlists, and webhook secret rotation.
- Lawful basis & notices: Privacy policy, consent UX copy, records of processing — your responsibility.