This Data Processing Agreement (“Agreement”, “DPA”) forms part of and takes precedence over any conflicting terms regarding data processing in your agreement with the Provider (Intmaker OÜ, registration code 16430441, registered at Pärnu mnt 139b, Tallinn, Harjumaa, Estonia, 11317) under the Provider’s Terms and Conditions (the “Principal Agreement”) between the Provider and you (referred to as the “Customer”) using Provider’s Services.
This Agreement governs the processing of personal data which the Provider processes for and on behalf of the Customer (data controller) in the context of the performance of the Principal Agreement.
The terms used in this DPA shall have the meanings set forth in this DPA and capitalized terms not defined herein shall have the meaning set forth in the Principal Agreement. Except as specified below, the terms of the DPA shall remain in full force and effect.
1. Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
- “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council;
- “Agreement” means this Data Processing Agreement and all Exhibits hereto;
- “End User” means the user that interacts with the Service, integrated on the Protected Website(s) of the Customer;
- “End User Personal Data” means any Personal Data processed by the Provider or its Subprocessor on behalf of the Customer pursuant to or in connection with the Principal Agreement;
- “Subprocessor” means any person appointed by or on behalf of a Processor to process End User Personal Data on behalf of the Customer in connection with the Agreement;
- “Data Protection Laws” means the GDPR and laws implementing or supplementing the GDPR, including the Estonian Personal Data Protection Act;
- “EEA” means the European Economic Area;
- “Data Transfer” means: a transfer of End User Personal Data from the Customer to the Processor or a Subprocessor; an onward transfer of End User Personal Data from the Processor to a Subprocessor, or between two establishments of a Subprocessor. This is not to be confused with international data transfers outside the EEA;
- “Services” refers to the Private Captcha solution offered by the Provider, which provides bot protection and is accessible through the website at privatecaptcha.com;
- “Personal Data Breach” means any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data;
- The following terms – “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Roles of the Parties
The parties acknowledge and agree that with regard to the Processing of Personal Data, the Customer is a Data Controller and the Provider is a Data Processor. The Provider has the right to engage Subprocessors pursuant to the requirements set forth in the “Subprocessing” clause below.
3. Processing of End User Personal Data
The Provider shall only Process End User Personal Data for the purpose of the provision of the Services under the Principal Agreement and in accordance with the Customer’s documented instructions which are consistent with the terms of the Principal Agreement unless Processing is required by Applicable Data Protection Laws to which the Provider (or the applicable Subprocessor) is subject. In this case, the Provider shall, to the extent permitted by the Applicable Data Protection Laws, inform the Customer of that legal requirement before the relevant Processing of that End User Personal Data.
The Customer instructs the Processor to process End User Personal Data. This DPA, the Principal Agreement, and any Order Forms thereunder, are the Customer’s complete and final instructions to Provider for the Processing of End User Personal Data. Any additional or alternate instructions must be agreed upon separately in writing.
The subject matter of processing of the End User Personal Data by the Provider, the duration of the processing, the nature and purpose of the processing, the types of End User Personal Data, and categories of Data Subjects processed under this DPA are further specified in Exhibit A to this DPA, as may be amended by the parties from time to time.
The Provider may aggregate and anonymise End User Personal Data (such that it ceases to be End User Personal Data) in accordance with applicable Data Protection Laws, in order to create reports, provide and improve the Provider’s Services and the services of its Subsidiaries, and to provide better functionality to the Provider’s and its Subsidiaries’ customers. Such anonymised data shall become the Provider’s property.
4. Processor Personnel
The Processor shall take all reasonable steps to ensure the reliability, integrity, and competence of any employee, agent, or contractor of the Processor or any Subprocessor who may have access to End User Personal Data.
The Processor shall take steps to ensure that:
- Access to End User Personal Data is strictly limited to those individuals who require such access for the purposes of fulfilling the Processor’s obligations under the Principal Agreement or to comply with Applicable Laws (“Need-to-Know Basis”);
- Such individuals are informed of the confidential nature of the End User Personal Data, have received appropriate training on their responsibilities, and are bound by written confidentiality undertakings or are under appropriate statutory or professional obligations of confidentiality;
- The access rights of such individuals to End User Personal Data are promptly removed or modified upon change of role or termination of their engagement;
- Appropriate background checks are conducted on personnel, where permissible under Applicable Law and appropriate to the role;
- Individuals are subject to regular supervision and periodic reviews to ensure ongoing compliance with Data Protection Laws and internal security procedures.
5. Security
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the End User Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, the Processor shall take into account in particular the risks that are presented by Processing, in particular from a Personal Data Breach.
6. Subprocessing
The Customer acknowledges and agrees with the list of current Subprocessors, specified in Exhibit B to this DPA.
The Provider shall give the Customer a written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 14 days of receipt of that notice, the Customer notifies the Provider in writing of any objections (on reasonable grounds) to the proposed appointment, the Provider has the right to extraordinary termination of this DPA and the Principal Agreement with effect from when the change is scheduled to come into effect. Refund terms for contract termination from the Principal Agreement apply.
The Provider confirms having entered into or shall enter into a written agreement with each Subprocessor (the “Subprocessing Agreement”) containing data protection obligations not less protective than those set forth in the Agreement and/or this DPA with respect to the protection of End User Personal Data to the extent applicable to the nature of the Services provided by such Subprocessor. The Provider shall be liable for the acts and omissions of its Subprocessors to the same extent the Provider would be liable if performing the services of each Subprocessor directly under the terms of this DPA. The liability cap from the Principal Agreement applies.
7. Data Subject Rights
The Customer shall autonomously and on their own responsibility comply with any commercially reasonable request by an End User to correct, amend, block, or delete End User Personal Data, as required by applicable Data Protection Laws, to the extent the End User is legally permitted to do so.
In case such compliance is not possible, taking into account the nature of the processing, the Provider shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by the Customer, to respond to requests to exercise the Data Subject rights under the Data Protection Laws. Any reasonable expenses incurred in connection with the above-mentioned obligations shall be borne by the Customer and reimbursed to the Provider within 30 days of invoice submission, with detailed documentation of such expenses.
8. Personal Data Breach
The Provider shall notify the Customer without undue delay, and no later than 72 hours after becoming aware of a Personal Data Breach affecting End User Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
The Provider shall co-operate with the Customer and take reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
9. Data Protection
Impact assessment and prior consultation: the Provider shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of End User Personal Data by, and taking into account the nature of the Processing and information available to, the Subprocessors.
10. Deletion or return of End User Personal Data
The Processor shall promptly, and in any event within 30 days of the date of cessation of any Services involving the Processing of End User Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of the Customer’s data, unless otherwise required by EU law or the law of the Member State in which its registered office is located.
11. Audit rights
The Provider shall make available to the Customer on request all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the End User Personal Data by the Subprocessors, subject to reasonable notice of at least 30 days, and not more than once per calendar year unless required by Data Protection Laws or competent authorities.
Similarly, the Customer shall make available all information necessary to demonstrate its compliance with this Agreement and shall allow for and contribute to audits, including inspections, by the Provider or an auditor mandated by the Provider in relation to the Customer’s obligations under this Agreement.
Information and audit rights of the Customer only arise to the extent that the Agreement does not otherwise give it information and audit rights meeting the relevant requirements of Data Protection Laws.
12. International Data Transfer
If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the international transfer of personal data.
If the Customer chooses the EU as the endpoint of Service, the Provider may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Customer.
13. Release obligations
If third parties (including Data Subjects and data protection supervisory authorities) make claims against the Provider, including in relation to infringements of laws, that are based on the Customer breaching their obligations arising from this DPA or GDPR, the Customer shall immediately release the Provider from these claims, provide the Provider with adequate support for the legal defense, and release the Provider from the costs of legal defense.
The requirement for this obligation to release is that the Provider shall immediately inform the Customer in writing of asserted claims, shall not make any acknowledgments or equivalent declarations, and shall enable the Customer as soon as possible to conduct all court hearings and out-of-court negotiations concerning the claims at the Customer’s expense.
14. General Terms
14.1 Notices
All notices and communications given under this Agreement must be in writing and will be delivered personally or sent by email to the email address of the Customer specified when the Principal Agreement was concluded.
14.2 Amendments
The Provider reserves the right to unilaterally amend this Agreement at any time. The Customer will be notified about such amendments over email at least four (4) weeks before the effective date. Continued use of the Service after the changes become effective constitutes Customer acceptance of the amended Agreement.
15. Governing Law and Jurisdiction
This Agreement is governed by the laws of the Republic of Estonia without regard to the choice of law rules.
The Parties shall use all reasonable efforts to amicably settle any disputes arising out of or in connection with this Agreement. If the Parties fail to resolve disputes relating to this Agreement through negotiations, the dispute shall be conclusively resolved in the Harju County Court.
Exhibit A: Details of the Processing
Processor:
Name: Intmaker OÜ
Address: Pärnu mnt 139b, Tallinn, Harjumaa, Estonia, 11317
Contact: inquiries@privatecaptcha.com
Activities relevant to the data transferred under these Clauses: Customer receives the Services described in the Terms.
Role (controller/processor): Processor
Description of Transfer
Duration of the Processing: The duration of data processing shall be for the term agreed between the data exporter and Provider in the Agreement or an applicable Order Form.
Nature and Purpose of the Processing: Provision of Provider’s Service.
Types of End User Personal Data: Connection data (HTTP request data, IP address, connection exchange data, network statistics), Environment data (software and device types and versions), Functional data (versions, metrics, and usage data of used client-side software components of the Service).
Categories of Data Subjects: Visitors to Customer’s Protected Website(s), where Provider’s Service is integrated by the Customer.
Frequency of Transfer: Continuous
Competent Supervisory Authority: Where the EU GDPR applies, the competent supervisory authority shall be the Estonian Data Protection Inspectorate (DPI). Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner’s Office.
Exhibit B: Subprocessors
- BunnyWay d.o.o., a Slovenian subcontractor for hosting, delivery and CDN (Content Delivery Network) solution. Does not collect, store or distribute personally identifiable information; has standard contractual clauses for the EU.
- Hetzner Online GmbH, a German subcontractor for hosting and delivery of the Service. The Provider has signed a DPA with the subprocessor.
- Scaleway S.A.S., a French subcontractor for hosting and delivery of the Service. The Provider has signed a DPA with the subprocessor.