Our Commitment to Security and Privacy

hCaptcha has always been committed to security and privacy, and undergoes regular external audits to certify this.

These include third-party audits of our compliance with international security best practices, and the information security and private information management systems we have put in place for ongoing assurance.

hCaptcha Enterprise customers may request certifications, attestation letters, and other documentation by contacting your designated account representative, or [email protected].

ISO/IEC 27001 Certification

hCaptcha maintains a current ISO/IEC 27001 certification.

ISO (International Organization for Standardization) is an independent, non-governmental international organization with a membership of 168 national standards bodies.

ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.

The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.

Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.

source: ISO

Learn more about ISO/IEC 27001.

ISO/IEC 27701 Certification

hCaptcha maintains a current ISO/IEC 27701 certification.

ISO/IEC 27701 extends ISO/IEC 27001 to cover privacy information management. It defines requirements for a Privacy Information Management System (PIMS) for processing Personally Identifiable Information (PII), with privacy controls intended to reduce risk to that data and to the rights of data subjects.

Conformity with ISO/IEC 27701 means that an organization or business has put in place a system to manage risks related to the privacy of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.

source: ISO + IMI

Learn more about ISO/IEC 27701.

SOC 2 Type II Attestation

hCaptcha maintains a current SOC 2 Type II report. Strictly speaking, SOC 2 is an attestation examination performed by an independent CPA firm under AICPA standards rather than a certification: the deliverable is the auditor's report, which is why it is shared with customers under NDA rather than published as a certificate.

SOC 2 - SOC for Service Organizations: Trust Services Criteria

Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users' data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:

- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight

A Type 2 report covers management's description of a service organization's system together with the suitability of the design and the operating effectiveness of its controls over a period of time.

source: AICPA

hCaptcha SOC 2 Type II reports cover a full 12-month audit period, during which the auditor tests that controls actually operated as designed. A Type I report, by contrast, only opines on whether controls were suitably designed at a single point in time.

Learn more about SOC 2 Type II.

PCI DSS 4.0 Level 1 Service Provider Compliant

hCaptcha complies with current PCI DSS 4.0 Level 1 Service Provider requirements.

PCI DSS 4.0 is the latest Payment Card Industry Data Security Standard.

Level 1 is the highest service provider validation level under PCI DSS. It requires an on-site assessment by a Qualified Security Assessor (QSA) of the cardholder data environment (CDE) against the standard's requirements, resulting in a Report on Compliance (ROC) and an Attestation of Compliance (AOC). Attestation of Compliance documents are available to Enterprise customers upon request.

Although hCaptcha does not process unblinded payment card or cardholder data, the service complies with the latest version of this standard in the Service Provider role.

PCI DSS 4.0 provides a framework for protecting cardholder data and sensitive authentication data. Compliance is mandatory for any organization that stores, processes or transmits payment card data.

Key requirements include building and maintaining secure networks and systems, protecting account data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.

New requirements in 4.0 focus on enhancing security for technologies such as cloud, virtualization, and mobile, and on treating compliance as a continuous process rather than an annual event. Version 4.0 also introduces a "customized approach" that lets an organization meet a requirement's stated objective with alternative controls, and extends multi-factor authentication to all access into the cardholder data environment. There is also increased emphasis on training staff and third parties on security best practices.

Service providers must validate compliance annually (for Level 1, through the QSA assessment described above) and must pass quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV).

Learn more about PCI DSS 4.0.

Data Privacy Framework Certification

hCaptcha has certified its compliance with the Data Privacy Framework (DPF) program, covering the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

The GDPR is the European Union's General Data Protection Regulation, which governs the processing of personal data of individuals in the EU/EEA, including the conditions under which that data may be transferred outside Europe. The UK applies an equivalent regime (the UK GDPR), and Switzerland its Federal Act on Data Protection.

The Data Privacy Framework program, administered by the U.S. Department of Commerce, is a set of agreements between the United States and the EU, UK, and Switzerland. It provides a recognized legal mechanism for transferring personal data from those jurisdictions to participating U.S. organizations, which commit to the DPF Principles so that individuals' data receives protection consistent with EU, UK, and Swiss law no matter where it is handled.

hCaptcha already has a strong focus on privacy and data minimization, including Zero PII features available to Enterprise customers, and continues to follow the provisions of the Standard Contractual Clauses for international transfers. Enrolling in the DPF adds a further, independently administered assurance for users and customers of the service.

Our GDPR FAQ.