Data Processing Agreement

Effective date: 2026-04-22

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer" and data controller) and SaaSoftware LLC, the operator of the CaptchaLa brand (the "Processor"). It governs the processing of personal data that the Processor carries out on the Customer's behalf.

The English version of this DPA is the legally binding version and prevails in case of conflict. The translation of the page title and introduction is provided for convenience only.

This DPA is a template provided for convenience and should be reviewed by qualified legal counsel before signing.

1. Parties, Subject-Matter & Duration

This Data Processing Agreement ("DPA") is entered into between the customer (the "Controller") and SaaSoftware LLC, 131 Continental Dr, Suite 305, Newark, DE 19713, USA, operating the CaptchaLa brand (the "Processor"). It forms part of, and is subject to, the Terms of Service between the parties (the "Agreement"). The subject-matter of the processing is the provision of CaptchaLa's CAPTCHA and content moderation services. This DPA applies for the duration of the Agreement and for as long as the Processor processes personal data on the Controller's behalf. Where the GDPR applies, this DPA implements Article 28 GDPR. If there is a conflict between this DPA and the Agreement on data protection matters, this DPA prevails.

2. Nature & Purpose of Processing

The Processor processes personal data only to provide, secure, maintain, and support the services, including verifying that requests originate from humans, detecting and preventing automated abuse and fraud, and moderating content where the Controller enables those features. Processing operations include collection, storage, analysis, transmission, and deletion of the relevant data, performed by automated means.

3. Categories of Personal Data & Data Subjects

Data subjects: the Controller's end users and visitors who interact with CaptchaLa challenges or content moderation on the Controller's websites or applications.

Categories of personal data:

  • Online identifiers: IP address, user-agent string, device and browser signals.
  • Interaction and behavioural data generated during a challenge or moderation event.
  • Timestamps and request metadata used for security and rate-limiting.
  • Any content submitted for moderation that the Controller chooses to send to the API.

The Processor does not intentionally seek special categories of personal data. The Controller must not submit special-category data for moderation unless it has a lawful basis to do so.

4. Processor Obligations & Confidentiality

The Processor shall: (a) process personal data only on documented instructions from the Controller, including this DPA and the Agreement, unless required by applicable law (in which case it will inform the Controller unless legally prohibited); (b) ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations; (c) not sell personal data or process it for its own purposes; and (d) promptly inform the Controller if, in its opinion, an instruction infringes applicable data protection law.

5. Security Measures (GDPR Art. 32)

Taking into account the state of the art and the risks of processing, the Processor implements appropriate technical and organisational measures, including:

  • Encryption of data in transit (TLS) and encryption of data at rest where supported.
  • Hashing of credentials and strict secret management for API keys.
  • Role-based access control and least-privilege internal access on a need-to-know basis.
  • Network controls, rate limiting, and abuse detection.
  • Logging, monitoring, and regular security reviews and patching.
  • Backup and restoration procedures supporting availability and resilience.

6. Sub-Processing & Sub-Processor List

The Controller provides general authorisation for the Processor to engage sub-processors. The Processor imposes data protection obligations on each sub-processor that are no less protective than those in this DPA and remains liable for their performance. Current sub-processors include:

  • Stripe, Inc. (USA) — payment and subscription processing.
  • Google LLC (USA) — optional OAuth sign-in and, if enabled, aggregate analytics.
  • Email delivery provider — transactional email (verification, receipts, alerts).
  • Cloud infrastructure and CDN providers — hosting, storage, and content delivery.

The Processor will give the Controller reasonable prior notice of any intended addition or replacement of a sub-processor, allowing the Controller to object on reasonable data protection grounds. An up-to-date list is available on request at [email protected].

7. Assistance with Data-Subject Requests & DPIAs

Taking into account the nature of the processing, the Processor shall assist the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling its obligations to respond to data-subject requests (access, rectification, erasure, restriction, portability, and objection). The Processor shall also provide reasonable assistance with data protection impact assessments (Art. 35) and prior consultations with supervisory authorities (Art. 36), taking into account the information available to it.

8. Personal-Data-Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's personal data, and shall provide information reasonably available to it to assist the Controller in meeting its own notification obligations under Articles 33 and 34 GDPR.

9. Deletion or Return on Termination

On termination of the services, and at the Controller's choice, the Processor shall delete or return all personal data processed on the Controller's behalf and delete existing copies, unless applicable law requires continued storage. Routine operational data is deleted within 30 days of account closure, subject to legal, tax, and fraud-prevention retention requirements.

10. Audit Rights

The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates. Audits will be conducted on reasonable prior notice, no more than once per year (except where required by a supervisory authority or following a breach), during business hours, and subject to confidentiality. The Processor may satisfy audit requests by providing relevant third-party certifications or reports where available.

11. International Transfers

Personal data may be transferred to and processed in the United States and other countries. For transfers of personal data from the EEA, the UK, or Switzerland to the United States or other third countries, the parties rely on the EU Standard Contractual Clauses (SCCs), which are incorporated into this DPA by reference, and/or the EU-US Data Privacy Framework (including its UK Extension and the Swiss-US framework) where applicable, together with any supplementary measures required to ensure an adequate level of protection.

12. Contact

For questions about this DPA, to request a countersigned copy, or to obtain the current sub-processor list, contact SaaSoftware LLC at [email protected].