1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Data Controller" means the Customer who determines the purposes of processing
- "Data Processor" means CloudFlush
- "End User" means any individual interacting with the CAPTCHA widget
2. Scope of Processing
2.1 Types of Personal Data
- IP addresses
- Browser User-Agent strings
- GPU renderer information (WebGL)
- Click interaction and timing data
- Page URLs
- Proof-of-Work results
2.2 Purpose
Human vs. bot determination, token generation, aggregated analytics, and rate limiting.
3. Processor Obligations
- Process data only per Controller's instructions
- Ensure staff confidentiality
- Implement appropriate security measures
- No Sub-processor without prior authorization
- Assist with data protection obligations
- Delete or return all data on service end
4. Security Measures
- TLS 1.2+ encryption in transit
- Restricted database access
- Cryptographically random single-use tokens
- Industry-standard cryptographic password hashing with salting
- Automatic data purging
- Time-limited JWT authentication
5. Data Retention
| Data Type | Retention | Deletion |
|---|---|---|
| Challenge Data | 5 min (configurable) | Automatic expiry |
| Verification Tokens | Single-use / 5 min | Consumed on verify |
| Verification Logs | 30 days (configurable) | Automatic purge |
| Account Data | Until deletion | 30 days post-termination |
6. Sub-processors
| Sub-processor | Purpose | Data Shared |
|---|---|---|
| SMTP Provider | Verification emails | Email, code |
| GitHub (OAuth) | Optional social login | GitHub user ID |
14 days' advance notice for Sub-processor changes.
7. Data Subject Rights
- Right to access, rectification, erasure
- Right to restriction, portability, objection
8. Data Breach Notification
Notification within 72 hours of becoming aware of a breach, with details of nature, categories, and remediation.
9. International Transfers
Safeguards via Standard Contractual Clauses (SCCs) or adequacy decisions.
10. Term and Termination
DPA remains in effect during Service use. On termination, data is deleted or returned per Controller's choice.
11. Contact
- DPO: admin@cloudflush.win
- Operated by: CloudFlushDev