Our Commitment to Security and Privacy
hCaptcha has always been committed to security and privacy, and undergoes regular external audits to certify this.
These include third-party audits of our compliance with international security best practices, and the information security and private information management systems we have put in place for ongoing assurance.
ISO/IEC 27001 Certification
hCaptcha maintains a current ISO/IEC 27001 certification.
ISO (International Organization for Standardization) is an independent, non-governmental international organization with a membership of 168 national standards bodies.
ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines requirements an ISMS must meet.
The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.
Conformity with ISO/IEC 27001 means that an organization or business has put in place a system to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.
SOC 2 Type II Certification
hCaptcha maintains a current SOC 2 Type II certification.
SOC 2 - SOC for Service Organizations: Trust Services Criteria
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users' data and the confidentiality and privacy of the information processed by these systems. These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
A type 2 report covers both management’s description of a service organization's system, the suitability of the design, and operating effectiveness of controls over a period of time.
hCaptcha SOC 2 Type II reports cover a full 12 month audit period, rather than being a "point in time" audit as with Type I reports.
PCI DSS 4.0 Service Provider Compliant
hCaptcha complies with current PCI DSS 4.0 Service Provider requirements.
PCI DSS 4.0 is the latest Payment Card Industry Data Security Standard.
Although hCaptcha does not process unblinded payment card or cardholder data, the service complies with the latest version of this standard in the Service Provider role.
PCI DSS 4.0 provides a framework for protecting cardholder data and sensitive authentication data. Compliance is mandatory for any organization that stores, processes or transmits payment card data.
Key requirements include building and maintaining secure networks, protecting cardholder data, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
New requirements in 4.0 focus on enhancing security for emerging technologies like cloud, virtualization, and mobile. There is also increased emphasis on training staff and third parties on security best practices.
Vendors must provide proof of compliance through annual assessments, including regular external network audits.
Data Privacy Framework Certification
hCaptcha has certified its compliance with the DPF, covering EU-US, UK-US, and Swiss-US DPF agreements.
The GDPR is Europe's General Data Protection Regulation, which regulates many aspects of private data.
hCaptcha has enrolled in the Data Privacy Framework program, a series of international agreements giving EU, UK, and Swiss citizens similar data protection no matter where their data is handled, ensuring data protection that is consistent with EU, UK, and Swiss law.
While hCaptcha has a unique focus on privacy and data minimization, including Zero PII features available to Enterprise customers, and continues to follow the strict provisions of the Standard Contractual Clauses, enrolling in the DPF is a way to give additional assurances to users and customers of our service.