
Data Protection Impact Assessment — Summary

GDPR Article 35 | April 2026

This is a public summary of our full DPIA conducted under GDPR Article 35. The complete assessment — including detailed processing records, technical measures, and risk matrices — is available on request for Enterprise customers, regulatory authorities, and supervisory bodies. Contact us via our contact form.

1. Purpose & Scope

HumanKey provides AI bot detection and traffic classification services for website publishers. The service systematically monitors website requests to distinguish between human users and automated agents (AI crawlers, scrapers, bots). This DPIA assesses the privacy impact of that processing.

2. Data Categories

Category | Processing | Status
IP Addresses | Cryptographically hashed with rotating salt before storage — original IP never stored | Pseudonymized
User-Agent Strings | Truncated to 200 characters for classification only | Reduced PII
Page & Referrer URLs | Used for traffic analysis | Potentially personal
Visit Metadata | Timestamps, session duration | Non-personal
Behavioral Signals | Aggregated session-level interaction patterns (no keylogging) | Pseudonymized
Country-Level Location | Derived from IP via geolocation database (country code only) | Potentially personal
AI Crawler Identity | Bot name, company, purpose (automated agent data) | Non-personal

3. Legal Basis

  • Account data: Consent (Art. 6(1)(a)) — explicit acceptance during registration
  • Bot detection: Legitimate interest (Art. 6(1)(f)) — protecting content from unauthorized scraping, ensuring accurate traffic metrics, preventing server overload from aggressive crawlers

Consent is not suitable for bot detection because automated agents cannot and do not provide consent, and requiring it would defeat the purpose of the processing.

4. Identified Risks & Mitigations

LOW: False Classification

Human visitor incorrectly classified as bot → no functional impact (no blocking), statistical error only. Mitigated by confidence thresholds and manual review options.

LOW: Data Breach

IP hashes exposed → computationally infeasible to reverse due to cryptographic hashing with rotating salt. Mitigated by encryption at rest and in transit, access controls, and automated retention enforcement.

MEDIUM: URL Privacy Leakage

URLs containing identifiers stored in analytics → potential re-identification. Mitigated by publisher documentation and planned automatic query parameter stripping.

LOW: Sub-Processor Access

Sub-processors access pseudonymized data → mitigated by DPAs, EU data residency, and Standard Contractual Clauses for US-based processors.

Overall Risk: MEDIUM — No high-risk automated decision-making (Art. 22), no special category data (Art. 9). Risk is elevated due to US-based sub-processors for email delivery and authentication, both covered by Standard Contractual Clauses.

5. Safeguards

  • Pseudonymization: IP addresses cryptographically hashed before storage (Art. 32(1)(a))
  • Data Minimization: User-Agent truncated, no special category data collected
  • Storage Limitation: Automated retention enforcement (Free: 7d, Pro: 30d, Business: 90d, Enterprise: 365d)
  • Encryption: Industry-standard encryption in transit and at rest
  • Access Controls: Authentication, rate limiting, and role-based access
  • Monitoring: Error tracking with PII stripping, structured logging, audit trail
  • EU Data Residency: Primary data processed and stored within the European Union
  • No Automated Blocking: Classification is informational only — no automated decisions affecting individuals
  • Admin Manual Verification: Platform administrators may manually review borderline bot detection classifications and override the automated heuristic. Verification labels are stored with a hashed admin identifier for audit purposes. This processing is informational only and does not produce legal or similarly significant effects on end users.

6. Data Subject Rights (Art. 15–22)

Right | How to Exercise
Access (Art. 15) | Dashboard → Settings → Export Data (JSON)
Erasure (Art. 17) | Dashboard → Settings → Delete Account (cascading deletion)
Rectification (Art. 16) | Dashboard → Settings → Update Profile
Object (Art. 21) | Contact form (30-day response)
Portability (Art. 20) | Machine-readable JSON export

7. Sub-Processors

A complete list of sub-processors, their purposes, data locations, and DPA links is maintained at: /legal/sub-processors

All EU-based processors are covered under GDPR directly. US-based processors have executed Standard Contractual Clauses per GDPR Chapter V.

8. Review Schedule

  • Frequency: Annual (every February) or when material changes occur
  • Next review: February 2027
  • Triggers: New data types, change in legal basis, data breach, supervisory authority inquiry, or significant technology changes
  • Responsible: ChainGuard (Data Controller)

9. Supervisory Authority

Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO)
Website: uodo.gov.pl

10. Conclusion

✓ Processing is GDPR-compliant and may proceed.

  • Risk to data subjects: MEDIUM
  • Legitimate interest: JUSTIFIED
  • Safeguards: ADEQUATE
  • Rights compliance: IMPLEMENTED
  • Transparency: ACHIEVED

Questions? Contact us via our contact form or write to the Polish supervisory authority (UODO).

This DPIA Summary complies with GDPR Article 35 and WP29 Guidelines on DPIAs (wp248rev.01). Full DPIA available on request. Controller: ChainGuard.
