Data Processing Agreement
Terms for processing personal data on behalf of customers
Last updated: December 2025
Introduction
This Data Processing Agreement (“DPA”) forms part of the agreement between BotSigged (“Processor”) and the customer (“Controller”) for the provision of bot detection services.
Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on Personal Data
- Data Subject: The individual to whom Personal Data relates
- Sub-processor: Any third party engaged by Processor to process Personal Data
Scope of Processing
Categories of Data Subjects
End users who interact with websites using the BotSigged SDK.
Types of Personal Data
- Browser fingerprint data (canvas hash, WebGL renderer, fonts)
- Behavioral data (mouse movements, scroll patterns, form interactions)
- Technical identifiers (IP address, user agent)
- Session identifiers
Purpose of Processing
Processing is performed solely to provide bot detection services, including:
- Real-time behavioral analysis
- Risk score calculation
- Detection of automated traffic
- Aggregated reporting
Processor Obligations
Security Measures
Processor shall implement appropriate technical and organizational measures to ensure security of Personal Data, including:
- Encryption of data in transit and at rest
- Access controls limiting data access to authorized personnel
- Regular security assessments and penetration testing
- Incident response procedures
- Employee security training
Confidentiality
Processor shall ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
Sub-processors
Current sub-processors:
| Name | Purpose | Location |
|---|---|---|
| [Cloud Provider] | Infrastructure hosting | [Region] |
| [GeoIP Provider] | IP geolocation | [Region] |
Processor shall:
- Maintain an up-to-date list of sub-processors
- Notify Controller of changes to sub-processors
- Ensure sub-processors are bound by equivalent data protection obligations
Data Subject Rights
Processor shall assist Controller in responding to Data Subject requests, including:
- Access requests
- Deletion requests
- Rectification requests
- Portability requests
Data Breach Notification
Processor shall notify Controller without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach.
Audit Rights
Controller may audit Processor’s compliance with this DPA, subject to reasonable notice and confidentiality obligations.
Controller Obligations
Controller shall:
- Ensure lawful basis for processing (legitimate interest, consent, or contract)
- Provide appropriate privacy notices to Data Subjects
- Respond to Data Subject requests
- Notify Processor of any restrictions on processing
Data Retention
Personal Data shall be retained as follows:
- Session data: 90 days
- Fingerprint data: 1 year
- Aggregated statistics: Indefinitely (anonymized)
Upon termination of services, Processor shall delete Personal Data within 30 days unless retention is required by law.
International Transfers
If Personal Data is transferred outside the European Economic Area, appropriate safeguards shall be implemented, such as:
- Standard Contractual Clauses
- Adequacy decisions
- Binding Corporate Rules
Liability
Each party’s liability under this DPA is subject to the limitations set forth in the main service agreement.
Term and Termination
This DPA shall remain in effect for the duration of the service agreement. Upon termination, the data retention and deletion provisions shall continue to apply.
Governing Law
This DPA shall be governed by the same law as the main service agreement.
Contact
For DPA-related inquiries: [email protected]