Order data processing agreement
Here you will find our current order data processing contract in our standard version. You can download here and read a complete, up-to-date sample contract including attachments.
You can conclude our standard contract at any time and independently within your user account under Agreements. If you require a customised contract or additional agreements, please contact our support team.
1 - Subject matter and duration of the order processing
1.1 Object
The main object is the provision of a Software-as-a-Service (SaaS) online service known as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). The services covered by this contract extend to the provision, operation, maintenance, support, analysis and improvement of the CAPTCHA service.
This contract supplements the service contract (hereinafter referred to as the main contract) between the controller and the processor. The contract takes precedence over the main contract when it comes to the fulfilment of regulatory requirements in the area of data protection or data security in accordance with the GDPR and only in relation to the respective fields in which personal data is processed.
1.2 Duration
The duration (term) of this contract corresponds to the term of the main contract, but at least for as long as the processor processes personal data for the controller. In addition, the parties agree that all previous data processing contracts shall be cancelled by mutual agreement upon conclusion of this contract.
2 - Specification of the data processing
2.1 Purpose and type of processing
The processor processes personal data for the controller within the meaning of Art. 4 No. 2 GDPR on the basis of the contract. The purpose of the data processing is the protection of companies through the security mechanisms of the TrustCaptcha CAPTCHA service and the provision of additional functions. TrustCaptcha analyses data from CAPTCHA requests to provide threat detection. TrustCaptcha also processes data to offer related extended functions. In particular, the data may be: collected, stored, organised, modified, read out, queried, used, disclosed, compared, linked and deleted.
2.2 Object of the processing
The object of processing by the CAPTCHA service is usage/behavioural data, device data, connection data and location data. Depending on the user’s device and settings, this includes, for example, information on device properties and device data (e.g. device and device type, operating system, plugins, screen size, hardware), IP address, referrer website, automatically transmitted cookies, behavioural data such as mouse and keyboard behaviour or touches on touch devices, as well as settings (e.g. language). This data may be stored temporarily for threat detection, compared with other information such as time, general location information and IP allow/block lists, and analysed. Some data may be stored temporarily to further develop the protection mechanisms. Data collection by CAPTCHA is limited to technical, behavioural and statistical aspects; no content-related input is evaluated. The data processed by the CAPTCHA service is processed exclusively for the purposes of CAPTCHA verification and to be reliably prepared for future threats. The data is also processed to provide the controller with statistics and usage information. Other data may also be processed in the future to provide effective protection in the event of changing requirements and framework conditions, as well as through the addition of new functions.
2.3 Categories of data subjects
The processing concerns:
- Persons who trigger the evaluation (bot verification) of a CAPTCHA field
2.4 The contractually agreed data processing of personal data is carried out in a member state of the European Union or in another state party to the agreement on the European Economic Area. A transfer to a third country is only permitted with the prior consent of the controller and may only take place if the special requirements of Art. 44 et seq. of the GDPR are met.
3 - Technical and organisational measures
- 3.1 The processor must establish security in accordance with Art. 28 para. 3 lit. c, pursuant to Art. 32 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons must be considered (see Annex 2).
- 3.2 The technical and organisational measures are subject to technical progress and further development. Therefore, the processor is permitted to implement alternative adequate measures if the specified security level is not permanently undercut. Significant changes are documented.
4 - Access, rectification, erasure and return of personal data
- 4.1 The processor may rectify or erase the personal data covered by the contract on behalf of the controller during the term of the contract if the controller so instructs and this is covered by the scope of the instructions. If deletion in compliance with data protection regulations or a corresponding restriction of data processing is not possible, the processor shall undertake the destruction of data carriers or other materials in compliance with data protection regulations on the basis of an individual order from the controller. For the provision of these support services, the processor may charge a fee per hour of work or part thereof.
- 4.2 The processor shall be entitled to delete or anonymise the personal data processed by the CAPTCHA service for threat analysis purposes in particular at any time. This is essential to reduce the amount of data processed and to ensure the efficiency of the CAPTCHA service.
- 4.3 The processor shall support the controller to the best of its ability in fulfilling the rights of data subjects (Art. 28 para. 3 lit. e GDPR) and shall ensure that the necessary technical and organisational measures are in place to fulfil these requests.
- 4.4 If a data subject contacts the processor for access, rectification or erasure, the processor shall refer the data subject to the controller and forward the request to the controller. The processor shall support the controller in the fulfilment of requests from data subjects to a reasonable extent. Requests for support shall be made by the controller in textual form to the processor and the processor shall be reimbursed for any costs incurred.
- 4.5 After completion of the service, the processor shall delete all personal data or return it to the controller as instructed by the controller, provided that there are no statutory retention obligations to the contrary.
5 - Authorisation of the controller to issue instructions and obligations of the processor
- 5.1 The processor may only process personal data that is the subject of the order within the scope of the order and the instructions of the controller, unless there is an exceptional case pursuant to Art. 28 para. 3 lit. a GDPR. The processor shall inform the controller immediately if it is of the opinion that an instruction violates applicable laws. The processor may suspend the implementation of the instruction until it has been confirmed or amended by the controller.
- 5.2 Instructions from the controller must be documented by the processor.
- 5.3 The controller shall confirm verbal instructions immediately (at least in text form).
- 5.4 If the controller issues instructions to the processor that go beyond the contractually agreed services or require unforeseen additional measures, the controller shall reimburse the costs incurred as a result.
- 5.5 Maintaining confidentiality in accordance with Art. 28 para. 3 lit. b, Art. 29, Art. 32 para. 4 GDPR. When carrying out the work, the processor shall only use employees who have been obliged to maintain confidentiality. The processor and any person subordinate to the processor who has access to personal data may only process this data in accordance with the controller’s instructions, including the authorisations granted in this agreement, unless they are legally obliged to do so.
- 5.6 The processor shall ensure the implementation of and compliance with all technical and organisational measures required for this contract (see Annex 2).
- 5.7 The controller and the processor shall co-operate with the supervisory authority in the performance of their duties upon request.
- 5.8 The processor shall inform the controller without undue delay of any inspection activities and measures of the supervisory authority insofar as they relate to this order. This shall also apply if a competent authority investigates the processor in the context of administrative offence or criminal proceedings relating to the processing of personal data during commissioned processing.
- 5.9 If the controller is subject to an inspection by the supervisory authority, administrative offence or criminal proceedings, a liability claim by a data subject or a third party or any other claim in connection with the commissioned processing at the processor, the processor shall support the controller as far as possible.
- 5.10 The processor shall regularly monitor the internal processes and the technical and organisational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.
6 - Obligations of the controller
- 6.1 The controller must inform the processor immediately and in full if it discovers any breaches of data protection provisions by the processor.
- 6.2 The controller shall be solely responsible for assessing the permissibility of the commissioned processing and for safeguarding the rights of data subjects.
7 - Notification of breaches by the processor
- 7.1 The processor shall notify the controller without undue delay, but at the latest within 48 hours of becoming aware of any breaches of the controller’s personal data protection. A notification of data breaches shall contain at least:
- a description of the incident, including, where possible, the nature of the personal data breach, the categories and approximate number of data subjects concerned, the categories concerned and the approximate number of personal data records concerned
- contact details of a contact point for further information
- a description of the likely consequences of the reported incident, a description of the measures taken to remedy it and, where appropriate, measures to mitigate its possible adverse effects
- 7.2 The processor shall assist the controller in complying with the obligations set out in Articles 32 to 36 of the GDPR, including the security of personal data, the notification of data breaches, the performance of data protection impact assessments and prior consultation with supervisory authorities. This includes in particular:
- Implementing and maintaining appropriate technical and organisational measures to ensure a level of protection appropriate to the risk (See Annex 2).
- Immediate notification of data breaches to the competent supervisory authority.
- Informing data subjects about data breaches if these are likely to pose a high risk to their rights and freedoms.
- Carrying out data protection impact assessments if processing is likely to result in a high risk to the rights and freedoms of natural persons.
- Consultation of the supervisory authority prior to processing if the data protection impact assessment indicates that the processing poses a high risk.
8 - Control rights
The processor shall, at the request of the controller, provide evidence of compliance with the obligations set out in this contract, but no more than once per calendar year. This applies in particular to proof of the implementation of technical and organisational measures. This proof is provided by means of certifications or reports by internal or external auditors, as well as by inspections in special cases. Audits must be carried out without disrupting operations and with due regard for the security and confidentiality interests of the processor. Audits must only be carried out during normal business hours and must be announced at least 14 days in advance.
9 - Subcontracts
- 9.1 A subcontract within the scope of this agreement is one in which the processor commissions other sub-processors to process personal data agreed in the agreement that is directly related to the provision of the main service.
- 9.2 A subcontracting relationship requires that the sub-processor be subject to the same data protection obligations as those laid down in the contract between the controller and the processor by means of a contract or other legal instrument under Union law or the law of the member state concerned, in particular providing sufficient guarantees that the appropriate technical and organisational measures are implemented in such a way that the processing is carried out in accordance with the requirements of the GDPR.
- 9.3 The controller consents to the sub-processors already engaged as listed in Annex 1.
- 9.4 The controller agrees that the processor may involve or replace sub-processors. Before involving or replacing sub-processors, the processor shall notify the controller of any changes in writing or in text form with a reasonable period of notice. In the event of an objection by the controller, the processor shall have the right to extraordinary termination of this agreement and the underlying service agreement.
- 9.5 If the sub-processor provides the agreed service outside the EU or the EEA, the processor shall be responsible for ensuring that the data protection requirements are met by taking appropriate measures.
10 - Miscellaneous
- 10.1 The controller is obliged to treat as confidential all knowledge of the processor’s business secrets and data security measures obtained within the scope of this contractual relationship. This obligation shall also apply after termination of this contract. If there is any doubt as to whether information is subject to the confidentiality obligation, this information shall be treated as confidential until it has been released in writing by the processor.
- 10.2 Should the controller’s data be jeopardised by seizure or confiscation, by insolvency or composition proceedings or by other events or measures by third parties, the processor shall inform the controller of this immediately.
- 10.3 Amendments and supplements to this agreement and all its components, including any assurances given by the processor, shall require a written agreement, which may also be in an electronic format (text form) and an express reference to the fact that it is an amendment or supplement to this contract. This also applies to the waiver of this formal requirement.
- 10.4 Should individual parts of this contract be invalid, this shall not affect the validity of the remainder of the contract.
- 10.5 The law of the Federal Republic of Germany shall apply.
- 10.6 The place of jurisdiction shall be the court at the registered office of the processor and therefore Munich.
Version: v24.11.1