Data Processing Addendum
Effective: 15 May 2026
Last updated: 18 May 2026
Incorporated into the Terms of Service. Where the DPA conflicts with the Terms on data-processing matters, the DPA prevails. Offered to every customer without negotiation.
In this DPA, "Praxa Lab" (operating the Caputchin service) is the processor; "Customer" is the controller. Terms used here have the meanings given in GDPR Article 4 (Controller, Processor, Personal Data, Data Subject, Processing, etc.).
1. When this DPA applies
A processor-controller relationship exists when Customer uses the hosted-verification feature. Customer's visitors submit forms whose contents transit Praxa Lab's infrastructure briefly on the way to Customer's destination. Praxa Lab is processor; Customer is controller.
For all other Caputchin features, the Privacy Policy governs (Praxa Lab is either controller of its own data or processes no personal data).
2. Processing details
| Item | Description |
|---|---|
| Subject matter | Form submissions transiting hosted verification |
| Nature | Receipt, token validation, dispatch to Customer's destination. In-memory only; no persistence. |
| Purpose | Deliver verified submissions to Customer's chosen destination on Customer's behalf |
| Duration | Per-submission, seconds. No copy retained. |
| Data subjects | Visitors who submit a Customer's protected form |
| Personal data | Form submission contents as composed by the visitor (Customer controls the form schema). Praxa Lab does not receive visitor IP, User-Agent, fingerprint, geolocation, or behavioral data; those are blocked at the verification boundary. |
3. Praxa Lab's obligations as processor
Praxa Lab will:
- Process personal data only on Customer's documented instructions (Customer's destination configuration).
- Ensure persons authorised to process are bound by confidentiality.
- Implement appropriate technical and organisational security measures.
- Engage subprocessors only as permitted by §4.
- Assist Customer with data-subject requests (§5), breach notification (§6), and DPIAs.
- Delete personal data after each dispatch (already automatic; no persistence).
- Make available information necessary to demonstrate compliance.
4. Subprocessors
Customer grants Praxa Lab general authorisation for the subprocessors at /legal/subprocessors. Praxa Lab gives at least 30 days' advance notice before adding or changing a subprocessor. Customer may object during the notice window and terminate the affected paid plan without penalty.
Praxa Lab remains responsible for its subprocessors' acts as if they were its own. Each subprocessor is bound by data-protection obligations no less onerous than these.
5. Data-subject requests
Praxa Lab assists Customer in responding to data-subject requests (access, rectification, erasure, etc.) for personal data within Praxa Lab's control. Because hosted-verification submissions are not persisted, requests about a specific past submission are typically out of scope; direct those to the destination system where the data ended up.
6. Personal data breach notification
If Praxa Lab becomes aware of a personal data breach affecting Customer's data, Praxa Lab notifies Customer without undue delay and, where reasonably possible, within 72 hours. Notification includes the nature of the breach, approximate categories and counts affected, contact point for more information, likely consequences, and measures taken.
7. International transfers
The subprocessors involved in hosted-verification processing (Cloudflare hosting + Resend for transactional email) operate in EU regions. Stripe is not in the hosted-verification path; Stripe processes billing-only personal data on its global infrastructure regardless of contracting entity, covered by the Privacy Policy rather than this DPA. If a future subprocessor change involves transfer outside the EU for hosted-verification data, Praxa Lab incorporates the EU Standard Contractual Clauses (Module Two) by reference. The 30-day notice in §4 lets Customer object before any such transfer.
8. Deletion at termination
Hosted-verification submissions are deleted automatically at the end of each dispatch. There is no separate end-of-contract deletion step because no copy exists.
9. Liability and governing law
Liability is governed by Terms §8. Governing law is determined by Terms §11.