hCaptcha's approach to GDPR compliance
Last updated: May 12, 2023
This page is intended to answer common questions about our data processing under the GDPR.
Background on the hCaptcha service, what it does, and our values
hCaptcha offers a security-focused machine learning product suite operated by Intuition Machines, a company headquartered in the United States with global operations that licenses software and delivers services to businesses of all sizes around the world.
hCaptcha is uniquely privacy focused, and has been since its creation. This is a cultural practice for us: hCaptcha engineers have played important roles across the privacy and security ecosystem, contributing to projects like Tor, Signal, and Brave, IETF privacy protocol standards, open-source encryption libraries, and more.
Unlike other security services, hCaptcha is designed to operate without any long-term retention of personal data at all.
Our goal has been to find technical solutions to operate security services with truly minimized information at every step, and we are proud of the innovations in privacy-preserving machine learning and privacy-first distributed systems processing that we have made along the way. These include user-local data processing, our "Zero PII" and "First-Party Hosting" Enterprise features, and more.
We endeavor to maintain strict data retention and minimization policies for personal data related to our customers’ end users (each an "End User") and do not sell or rent End User personal data, consistent with our role as a data processor.
1. What personal data does hCaptcha process for its customers and where?
hCaptcha endeavors not to control or maintain any long-term retention of End User personal data its customers choose to transmit to hCaptcha. We have designed our systems to avoid personal data collection or processing where possible.
Where this is not possible, we promptly discard and/or anonymize any such data. Regardless of which hCaptcha services our customers use, they, as the controllers of personal data, remain fully responsible for their own compliance with applicable privacy laws and for establishing independent contractual arrangements in connection with the data they choose to transmit to hCaptcha.
The types of personal data hCaptcha processes on behalf of a customer depend on which hCaptcha services are implemented. For example, they depend on the features a customer has enabled. In some cases, hCaptcha collects and processes no personal data at all. hCaptcha processes the vast majority of data within one of our many regional servers around the world. Our services are designed to process personal data using computing or network equipment within close proximity to End Users. We process metadata on behalf of our customers in our main data centers in Europe and, if applicable, the U.S.
hCaptcha maintains limited, sampled log data about events on our network in order to operate our services. For example, if a system error occurs, we may generate a sampled error log. Some of this log data may include information about End Users of our customers' domains, networks, websites, application programming interfaces ("APIs"), or applications. This metadata contains either no personal data or extremely limited personal data, most often in the form of IP addresses. We process this type of information on behalf of our customers in our main data centers in Europe and, if applicable, the U.S. for a limited period of time.
2. What specific technical and organizational security measures does hCaptcha provide for personal data?
Security is important to our operations, and we undergo regular external audits to maintain third-party validation of our security practices, including ISO 27001 certification (a globally recognized information security standard) and SOC 2 Type II attestation.
To view the security measures hCaptcha uses for the protection of personal data, including personal data transferred from the European Economic Area ("EEA") to the U.S., please see Exhibit A of our standard Data Processing Agreement.
3. How does hCaptcha address the requirements of the GDPR to have appropriate safeguards in place when transferring personal data outside the EEA?
The GDPR provides several mechanisms to ensure that appropriate safeguards, enforceable rights, and effective legal remedies are available to the EEA data subjects, whose personal data is transferred from the EEA to a third country.
Those mechanisms include:
- Where the European Commission (“Commission”) has decided that a third country ensures an adequate level of protection after assessing that country’s rule of law, respect for human rights and fundamental freedoms, and a number of other factors;
- Where a controller or processor has put in place binding corporate rules;
- Where a controller or processor has in place standard data protection clauses adopted by the Commission; or
- Where a controller or processor has put in place an approved code of conduct or an approved certification mechanism.
hCaptcha relies on the Commission's Standard Contractual Clauses ("SCCs") as a legal mechanism to transfer personal data from the EEA to the U.S. However, we endeavor to minimize or entirely eliminate any such transfers depending on the products and features enabled by our customers.
Previously, hCaptcha also relied on the adequacy decision granted to the EU-U.S. Privacy Shield. However, in July 2020 the Court of Justice of the European Union ("CJEU") invalidated the EU-U.S. Privacy Shield framework in the "Schrems II" case. The invalidation of the Privacy Shield was not material to our operating principles, as we already exceeded its data protection requirements prior to entry into the program.
In March 2022, the EU Commission and US Department of Commerce committed to a new Trans-Atlantic Data Privacy Framework that would govern transfers of data from the EEA to the US, and in December 2022, the European Commission issued a draft adequacy decision concluding the Framework provides adequate protection for personal data transferred from the EU to US companies.
Several more steps are required before implementation, and it is unclear when this will happen, but we look forward to more closely aligned data protection frameworks between all countries.
4. What additional data protection safeguards does hCaptcha provide?
The best data protection safeguard of all is simply to not have the personal data in the first place. We have innovated in this area with our "Zero PII" features for enterprise customers, allowing them to partially or completely remove any personal data from our purview depending on their needs. We also minimize retention for all data, whether or not it contains personal data.
We require legal process before providing any government entity with any customer data outside of an emergency or limited instances of fraud by a customer as determined by us. We will provide our customers with notice of any legal process requesting their customer or billing information before disclosure of that information unless legally prohibited or related to fraud by a customer. An example of fraud by a customer would be creating an account with us solely to embed hCaptcha on a phishing page, in order to more convincingly mimic the login page of another one of our customers and attempt to fool their users into giving up their credentials for abuse.
To date, we have never turned over encryption keys to any government, received a legal order to provide private data, provided any government any private data, or deployed law enforcement equipment within our services.
We believe that government requests for personal data that conflict with the privacy laws of a person's country of residence should be legally challenged. The European Data Protection Board ("EDPB") has recognized in its assessment that the GDPR might pose such a conflict. Our commitment to GDPR compliance means that hCaptcha would evaluate legal remedies before producing data identified as being subject to the GDPR in response to a U.S. government request for data. Consistent with existing U.S. case law and statutory frameworks, hCaptcha may ask U.S. courts to quash a request from U.S. authorities for personal data based on such a conflict of law.
5. Does the U.S. Clarifying Lawful Overseas Use of Data ("CLOUD") Act affect how hCaptcha views its obligation to turn over data in response to U.S. government legal process?
We believe that U.S. government requests for the personal data of a non-U.S. person that conflict with the privacy laws of that person's country of residence (such as the GDPR in the EU) should be legally challenged.
The CLOUD Act does not expand the U.S. investigative authority, and applies to access to content, which we generally do not store or have access to at all, as described above. Furthermore, the CLOUD Act does not change existing practices when U.S. law enforcement seeks access to corporate data. It is important to note that law enforcement would typically seek to obtain data from the entity that has effective control of the data (i.e., our customers) rather than cloud providers.
6. How do recent Court of Justice of the European Union (CJEU) decisions inform our approach to GDPR compliance?
hCaptcha will continue to make the latest adopted SCCs available to our customers whose data is subject to the GDPR, and we are following developments in SCCs as well as the new alternative transfer mechanisms.
We will briefly cover the U.S. national security authorities as discussed in the Schrems II case below.
Section 702. Section 702 of the Foreign Intelligence Surveillance Act ("FISA") is an authority that allows the U.S. government to request the communications of non-U.S. persons located outside of the United States for foreign intelligence purposes. The U.S. government may use section 702 to collect the content of communications through specific "selectors", such as email addresses, that are associated with specific foreign intelligence targets. Because the authority is often used to collect the content of communications, the "electronic communications service providers" asked to comply with section 702 are typically email providers or other providers with access to the content of communications.
hCaptcha does not have access to this type of traditional customer content for our core services. In addition, to date, hCaptcha has never provided any government any kind of data feed related to our customers, and we would evaluate all legal remedies if we were asked to do so in order to protect our customers from what we believe are illegal or unconstitutional requests.
Executive Order 12333. Executive Order 12333 governs U.S. intelligence agencies' foreign intelligence collection targeting non-U.S. persons outside the United States. Executive Order 12333 does not have provisions to compel the assistance of U.S. companies.
hCaptcha requires legal process before providing any government entity with access to any customer data outside of an emergency or fraud committed by a customer. We have no intention of complying with voluntary government requests for data under Executive Order 12333. We have also never weakened, compromised, or subverted any of our encryption at the request of a government or other third party.
7. How can Customers who do not have an Enterprise agreement make sure the SCCs are in place with hCaptcha?
Our Master Terms of Service incorporate our standard DPA by reference. Where the personal data we process on behalf of our self-serve customers is governed by the GDPR, then our DPA incorporates the EU and UK SCCs. Therefore, no action is required to ensure that the SCCs are in place.
8. How can Enterprise Customers make sure the SCCs are in place with hCaptcha?
Our standard Enterprise Subscription Agreement ("ESA") and Master Subscription Agreement ("MSA") incorporate our standard DPA by reference. Therefore, no action is required for these customers. To the extent the personal data we process on behalf of the customer is governed by the GDPR, our DPA incorporates the EU and UK SCCs. Enterprise customers may contact their customer success manager with any questions about their DPA.
9. How is hCaptcha responding to the new SCCs?
We incorporated the Commission's SCCs released on June 4, 2021, into new customer contracts and our updated Master Terms of Service for customers subject to the GDPR.
10. What tools does hCaptcha have for its customers to geographically restrict access to data?
By default, analytics data is already stored in the EU, and sessions are processed on equipment close to the End User in many regions around the world (i.e., in most cases on equipment in the country where the End User is located, or nearby). We recognize that some of our customers would prefer that any personal data subject to the GDPR remain in the EU and not be transferred to the U.S. for processing. This already happens automatically in most cases, but we provide additional features for Enterprise customers to create hard technical guarantees on what data is stored and where data will be processed, and, when practicable, to entirely eliminate or pre-blind this data via our Zero PII features before it reaches us for processing.
11. Are there any enforceable rights and effective remedies available to the EU data subjects in the U.S. where data is processed by hCaptcha or hCaptcha's sub-processors?
hCaptcha requires valid legal process before providing the personal information of our customers to government entities or civil litigants, unless there is an emergency or fraud is committed by the customer. We do not provide our customers' personal data to government officials in response to requests that do not include legal process.
To ensure that our customers have the opportunity to enforce their rights, it is hCaptcha's policy to notify our customers of a subpoena or other legal process requesting their personal data before disclosing it, regardless of whether the legal process comes from the government or private parties involved in civil litigation, unless legally prohibited.
In addition, U.S. law provides mechanisms for companies to challenge orders that pose potential conflicts of law, such as a legal request for personal data subject to GDPR. The CLOUD Act, for example, provides mechanisms for a provider to petition a court to quash or modify a legal request that poses such a conflict of law. That process also allows a provider to disclose the existence of the request to a foreign government whose citizen is affected if that government has signed a CLOUD Act agreement with the United States. hCaptcha endeavors to legally challenge any orders that pose such a conflict of law. To date, we have received no orders that we have identified as posing such a conflict.
12. How is hCaptcha dealing with cross-border transfers to and from the UK?
hCaptcha will continue to utilize the EU SCCs mechanism coupled with the UK data transfer addendum, which are included in our standard DPA, to transfer personal data outside the UK and EEA. We are continuing to monitor ongoing developments in this space and will ensure our ongoing compliance with the UK data protection laws and regulations.
13. How should hCaptcha customers keep End Users informed of personal data processing that is subject to the GDPR?
Some implementations of hCaptcha do not transmit any personal data at all to hCaptcha, so the specific steps customers should take depend upon their implementation.
We cannot provide hCaptcha customers with legal advice, so each hCaptcha customer should consult with their legal counsel regarding their obligations around the use of hCaptcha based on their specific set of facts.
Note that the information and links provided by hCaptcha on this page are not legal advice. hCaptcha customers should consult with qualified counsel in the jurisdictions in which they operate if they have further questions about hCaptcha or their specific use cases.
14. How should End Users who interact with hCaptcha in our role as a processor, i.e., embedded within another website or mobile app, exercise their data subject rights?
End Users should contact the operator of the website or mobile app directly. hCaptcha is not the controller of the End User personal data it processes and may not be a processor either depending on the details of the customer’s implementation.
In some cases, a hCaptcha customer acting as a processor or controller may license the hCaptcha software to run within their network, so simply seeing hCaptcha’s logo does not mean that we are processing personal data for a particular online service.
Note that deletion requests forwarded to hCaptcha by hCaptcha customers on behalf of End Users will generally not result in any additional actions aside from confirmation of receipt. No personal data is retained long-term by hCaptcha, and hCaptcha is unable to tie data in the system to specific End Users of hCaptcha customers, as we do not receive or process personal data that, by itself, can identify End Users in the real world like names, email addresses, or usernames.
The information provided only applies to the processing of personal data that is subject to the GDPR. This page is for informational purposes only and does not provide legal guidance or assistance, form a contract or other agreement, or otherwise create additional obligations for hCaptcha. However, we believe it is an accurate summary of the topics covered as of the date of publication listed on this page.