Data Processing Agreement
Last updated: April 14, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between CaptureAPI ("Processor", "we", "us") and you ("Controller", "Customer") and governs the processing of personal data by CaptureAPI on behalf of the Customer in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.
- Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
- Sub-processor: A third party engaged by CaptureAPI to process personal data on behalf of the Customer.
3. Scope and Purpose of Processing
CaptureAPI processes personal data solely for the purpose of providing the screenshot and PDF capture API services as described in the Terms of Service. The types of personal data processed may include:
- URLs submitted for capture (which may contain personal data)
- Customer account information (email address)
- API usage metadata (timestamps, response codes)
CaptureAPI does not retain captured content (screenshots, PDFs) after delivery. All rendered output is permanently deleted immediately after the API response is sent.
4. Obligations of the Processor
- Process personal data only on documented instructions from the Controller, unless required by EU or Member State law.
- Ensure that persons authorized to process personal data have committed themselves to confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 6).
- Assist the Controller in responding to requests from data subjects exercising their rights under GDPR.
- Delete or return all personal data to the Controller after the end of the provision of services, at the Controller's choice.
- Make available all information necessary to demonstrate compliance and allow for audits.
5. Sub-processors
CaptureAPI uses the following sub-processors to deliver the Service. The Customer authorizes the use of these sub-processors:
- Vercel Inc. Purpose: Application hosting and edge delivery. Location: United States (EU data region available).
- Stripe Inc. Purpose: Payment processing and subscription management. Location: United States (SCCs in place).
- Upstash Inc. Purpose: Redis database for rate limiting and session management. Location: EU (Frankfurt).
We will notify the Customer of any intended changes to sub-processors, giving the Customer the opportunity to object within 30 days.
6. Security Measures
CaptureAPI implements the following technical and organizational measures to protect personal data:
- Encryption in transit: All data is transmitted over TLS 1.3.
- Encryption at rest: Stored data (account information, API keys) is encrypted using AES-256.
- Access controls: API keys are hashed with SHA-256. Access to production systems is restricted and logged.
- Isolated rendering: Each capture runs in a sandboxed, single-use Chromium instance that is destroyed after each request.
- Zero data retention: Captured content is deleted immediately after delivery.
- Regular security reviews: We conduct periodic security assessments and vulnerability scanning.
7. Data Breach Notification
In the event of a personal data breach, CaptureAPI will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include:
- A description of the nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
8. International Data Transfers
Where personal data is transferred outside the EEA, CaptureAPI ensures that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions where applicable.
9. Data Subject Rights
CaptureAPI will assist the Controller in fulfilling obligations to respond to data subject requests under GDPR Articles 15-22, including the right of access, rectification, erasure, restriction, portability, and objection.
10. Duration and Termination
This DPA remains in effect for the duration of the Customer's use of CaptureAPI services. Upon termination, CaptureAPI will delete all personal data processed on behalf of the Controller within 30 days, unless retention is required by applicable law.
11. Contact
For questions about this DPA or to request a signed copy, please contact us:
Email: privacy@captureapi.dev