Data Processing Agreement
Version 1.0 · Effective: March 2026 · Governing law: Republic of Poland
How to use this DPA: This template documents the data processing relationship between you (Controller) and HumanKey (Processor) as required by GDPR Article 28. Fill in the fields marked [ ], sign both copies, and retain one each. Enterprise customers receive a countersigned DPA — contact us via our contact form.
§Article 1 — Parties and Definitions
1.1 Controller
Legal name: [ ]
Address: [ ]
Contact: [ ]
(hereinafter "Controller" or "you")
1.2 Processor
Legal name: HumanKey (ChainGuard)
Service: AI crawler analytics and bot detection platform
Website: humankey.io
Data residency: EU (Germany + Netherlands)
(hereinafter "Processor" or "HumanKey")
1.3 Definitions
Terms used in this DPA have the meanings set out in the GDPR (EU) 2016/679: "personal data", "processing", "data subject", "supervisory authority", "controller", "processor", "sub-processor". "Services" means the HumanKey bot detection and AI crawler analytics services provided under the Terms of Service.
§Article 2 — Subject Matter and Duration
2.1 Subject Matter
The Processor processes personal data on behalf of the Controller for the purpose of providing AI crawler detection, bot classification, and web traffic analytics services as described in the HumanKey Terms of Service.
2.2 Duration
This DPA is effective from [ ] and remains in force for the duration of the Controller's active subscription to HumanKey Services, until termination of the Terms of Service, or until the data processing relationship ends, whichever is earliest.
§Article 3 — Nature and Purpose of Processing
| Nature | Collection, storage, classification, analysis, and deletion of visitor traffic data from the Controller's website(s). Processing is automated. |
| Purpose | Detecting and classifying AI crawlers and bots visiting the Controller's website; generating analytics reports; geographic traffic analysis via GEO Analytics; providing bot blocking API responses; manual traffic verification (admin classification override of borderline ML predictions, stored with hashed admin ID, informational only); maintaining timestamped records for the Controller's compliance and legal purposes. |
| Legal basis | GDPR Article 6(1)(f) — legitimate interests of the Controller in protecting website content and maintaining accurate analytics. Processing is performed exclusively per Controller's documented instructions. |
§Article 4 — Types of Personal Data and Categories of Data Subjects
4.1 Types of Personal Data Processed
| Data Field | Format Stored | Retention |
|---|---|---|
| IP Address | Cryptographic hash with rotating salt — irreversibly pseudonymized | Per plan (7–365 days) |
| HTTP User-Agent | Truncated to 200 characters | Per plan (7–365 days) |
| Page URL | Full URL path (no query parameters containing PII) | Per plan (7–365 days) |
| HTTP Referrer | Domain and path only | Per plan (7–365 days) |
| Timestamp | UTC datetime of request | Per plan (7–365 days) |
| GEO Location Data | Country code derived from IP via MaxMind GeoLite2 (local lookup) | Per plan (7–365 days) |
| Bot classification result | Boolean flag + bot identifier (non-personal) | Per plan (7–365 days) |
Retention periods by plan: Free = 7 days, Pro = 30 days, Business = 90 days, Enterprise = 365 days. Automated deletion runs daily at 03:00 UTC.
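As an added example (not HumanKey's code), the following applies the storage formats from the table above to one constructed request and derives the record's deletion deadline from the plan retention periods; the per-day salt derivation, the field names and the sample values are assumptions, since the page only states that the IP is hashed with a rotating salt.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

RETENTION_DAYS = {"free": 7, "pro": 30, "business": 90, "enterprise": 365}
UA_MAX_LEN = 200
MASTER_SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: kept outside the datastore
SAMPLE = {  # constructed request, not real traffic
    "ip": "203.0.113.7",
    "user_agent": "GPTBot/1.0 " + "x" * 300,
    "url": "https://example.com/pricing?email=alice%40example.com",
    "referrer": "https://news.example.org/story/42?utm_source=x",
    "timestamp": datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc),
}

def rotating_salt(master_secret: bytes, day: datetime) -> bytes:
    """Assumed scheme: one salt per UTC day, derived from a master secret.
    Neither value is stored with the record, so the hash cannot be reversed to an IP."""
    return hmac.new(master_secret, day.strftime("%Y-%m-%d").encode(), hashlib.sha256).digest()

def strip_query(url: str) -> str:
    """Keep scheme, host and path; drop the query string, which may carry PII."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def referrer_domain_path(ref):
    """Reduce the Referer to domain + path, as the table prescribes."""
    p = urlsplit(ref) if ref else None
    return p.netloc + p.path if p else None

def minimize_record(raw: dict, plan: str, master_secret: bytes) -> dict:
    """Return the stored form of one request plus its retention deadline."""
    ts = raw["timestamp"].astimezone(timezone.utc)
    salt = rotating_salt(master_secret, ts)
    return {
        "ip_hash": hashlib.sha256(salt + raw["ip"].encode()).hexdigest(),
        "user_agent": raw["user_agent"][:UA_MAX_LEN],
        "url": strip_query(raw["url"]),
        "referrer": referrer_domain_path(raw.get("referrer")),
        "timestamp": ts.isoformat(),
        "expires_at": (ts + timedelta(days=RETENTION_DAYS[plan])).isoformat(),
    }

def is_expired(record: dict, now_iso: str) -> bool:
    """The check a daily deletion run applies to each stored record."""
    return datetime.fromisoformat(record["expires_at"]) <= datetime.fromisoformat(now_iso)

def example(plan: str = "pro") -> dict:
    return minimize_record(SAMPLE, plan, MASTER_SECRET)
```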
4.2 Categories of Data Subjects
Visitors (human or automated) to the Controller's website(s) registered with HumanKey. The data subjects are not identified by name or contact details; they are represented only by the pseudonymized data fields listed above.
Verified Badge embed surface (additional category): Where the Controller has elected to embed the public HumanKey Verified Badge on their site(s), visitors of those sites who load the badge image are an additional category of data subjects whose hashed IP, truncated User-Agent, and optional Referer (used for cache-TTL discrimination only) are processed by HumanKey. This processing surface is documented in HumanKey's public DPIA at /legal/dpia §6.2 under the Art. 6(1)(f) GDPR legitimate-interest basis; for clarity, this distinct surface does not change the Processor obligations of this DPA for primary detection and analytics data.
§Article 5 — Processor Obligations (Art. 28(3) GDPR)
The Processor agrees to all of the following obligations:
5.1 Process only on documented instructions
The Processor shall process personal data only on documented instructions from the Controller. If the Processor is required by EU or Member State law to process data beyond Controller's instructions, it shall inform the Controller before processing, unless prohibited by law.
5.2 Confidentiality
The Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security measures
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR). Current measures include:
- Industry-standard encryption in transit and at rest
- IP pseudonymization: cryptographic hash with rotating salt (irreversible)
- Cryptographic access controls for API authentication
- Short-lived access tokens with automatic rotation
- Abuse prevention measures enforced in production
- Automated retention enforcement: daily automated process
- Error monitoring: PII stripping configured
- Access restrictions and audit trail for administrative functions
5.4 Sub-processors
The Processor shall not engage sub-processors without the Controller's general written authorization. The following sub-processors are currently authorized:
| Sub-processor | Role | Location |
|---|---|---|
| Neon Inc. | Database hosting — primary data storage | EU (Germany) |
| Railway Corp. | Application hosting | Netherlands (EU West) |
| Sentry (Functional Software Inc.) | Error monitoring (PII-stripped) | EU (sentry.io EU region) |
| Vercel Inc. | Frontend CDN hosting (no personal data stored) | EU-routed CDN |
| Cloudflare, Inc. | DNS proxy, DDoS protection, CDN (processes network metadata including visitor IPs in transit); also serves as edge cache for the public HumanKey Verified Badge SVG endpoint — caches per HMAC payload with 1-hour TTL active subscriptions / 5-minute TTL inactive; no PII is retained by Cloudflare | USA (SCCs) |
| Stripe Payments Europe, Limited (EEA flows) / Stripe, Inc. (US technology) | Payment processing, subscription billing, invoicing | Ireland (EEA) + USA (SCCs + EU-US DPF) |
| Resend, Inc. | Transactional email | USA (SCCs) |
| MaxMind, Inc. | IP geolocation database (local file download only — no visitor data transferred) | USA (no data transfer — local processing) |
| Cloudflare, Inc. (Radar API) | ASN metadata enrichment (public API — no PII transmitted) | USA (no personal data transfer) |
| Anthropic, PBC | Large-language-model inference for the public AI Assistant chatbot, automated audit summarisation, and admin-only advisory analytics. Data categories: user-submitted chat text and system prompts assembled by HumanKey. Zero-retention flag enabled on all API calls per Anthropic Commercial Terms — inputs and outputs are not retained beyond the time necessary to generate the response and are not used for training. HumanKey acts as deployer under AI Act Art. 3(4) | USA (SCCs 2021/914 Module 2; Anthropic Commercial DPA) |
All primary data storage is within the EU. Data transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) as required by GDPR Chapter V. The Processor will inform the Controller of any intended changes to sub-processors with at least 14 days' notice, giving the Controller the opportunity to object.
5.5 Assist the Controller with data subject rights
The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) to the extent technically possible. HumanKey provides automated data export and deletion endpoints accessible via the dashboard and API.
Right to Erasure (Art. 17 GDPR) — scope & exemptions: When a data subject exercises Art. 17, the Processor performs a layered erasure: (a) non-financial account data is permanently erased within 30 days; (b) audit log entries created by other Controllers that interacted with the data subject as a team invitee have the data subject's email address replaced with a redacted marker, preserving the other Controller's audit-trail continuity (their Art. 30 record-of-processing obligation under the Art. 6(1)(f) legitimate-interest basis); (c) financial audit log records (invoice events, payment confirmations) are retained for up to 5 years per Art. 17(3)(b) GDPR and Polish Ustawa o rachunkowości art. 74 (legal-obligation exemption), then permanently deleted by the Processor's automated retention cron job.
5.6 Assist with security obligations
The Processor shall assist the Controller in ensuring compliance with Arts. 32–36 GDPR (security, breach notification, DPIA, prior consultation) insofar as such assistance relates to the Processor's Services. A public DPIA is available at /legal/dpia.
5.7 Deletion or return upon termination
Upon termination of the Services, the Processor shall, at the Controller's choice, delete or return all personal data and delete existing copies, unless EU or Member State law requires storage. The Controller may export their data via the dashboard at any time before termination. After account deletion, all personal data is purged within 30 days.
5.8 Provide information and enable audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and shall allow for and contribute to audits conducted by the Controller or a mandated auditor, with reasonable notice (minimum 30 days) and during normal business hours. Audit costs are borne by the Controller.
§Article 6 — Controller Obligations
The Controller agrees to:
- Provide lawful instructions for processing and update them as needed
- Ensure a valid legal basis exists for the processing (Art. 6 GDPR)
- Fulfill obligations toward data subjects (privacy notice, DSR handling)
- Notify HumanKey promptly of any changes to instructions
- Maintain the confidentiality of API keys and access credentials
§Article 7 — Liability and Indemnification
Each party shall be liable for damages caused by its own breach of this DPA and the GDPR. The Processor shall not be liable for processing performed in accordance with documented Controller instructions. Liability is subject to the limitations set forth in the HumanKey Terms of Service.
§Article 8 — Governing Law and Jurisdiction
This DPA is governed by the law of [ ] (Controller's jurisdiction, provided it is an EU Member State or EEA jurisdiction). Disputes shall be resolved by the competent courts of [ ]. Where the GDPR applies, supervisory authority jurisdiction is determined by the Controller's establishment.
§Article 9 — Signatures
On behalf of the Controller
Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: ___________________________
On behalf of HumanKey (Processor)
Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: ___________________________
Enterprise customers: Contact us via our contact form to receive a countersigned DPA with your organization's details pre-filled. All HumanKey Enterprise plans include a signed DPA as standard.
This DPA template is provided for informational purposes. HumanKey recommends you review it with your legal counsel before signing. Last updated: March 2026.