Data Processing Agreement
Last updated April 21, 2026
1. Introduction
This Data Processing Agreement ("DPA") is entered into by and between Byteboost AB ("Data Processor") and its clients (each a "Data Controller"). This DPA forms part of the Terms of Service or other agreement between the parties governing the provision of Recapt services (the "Agreement"). By signing up for Byteboost's services, the Data Controller agrees to the terms of this DPA.
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below:
- 2.1 "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation) and any applicable amendments or successor legislation.
- 2.2 "Personal Data" means any information relating to an identified or identifiable natural person.
- 2.3 "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, including but not limited to collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- 2.4 "Subprocessor" means any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.
- 2.5 "Data Controller" means a natural or legal person, authority, institution or other body that alone or together with others determines the purposes and means for the Processing of Personal Data.
- 2.6 "Data Processor" means a natural or legal person, authority, institution or other body that carries out Processing of Personal Data on behalf of the Data Controller.
- 2.7 "Privacy Laws" means the GDPR, European Data Protection Legislation, and any other applicable data protection or privacy laws.
3. Scope and Applicability
3.1 This DPA applies when the Data Processor processes Personal Data on behalf of the Data Controller as part of the services provided under the Agreement.
3.2 Both parties agree to comply with their respective obligations under the GDPR and other applicable Privacy Laws.
3.3 The Data Controller is responsible for configuring the masking rules to ensure no special categories of data under Art. 9 GDPR are transmitted to the Platform.
4. Roles and Responsibilities
4.1 The Data Controller determines the purposes and means of the processing of Personal Data.
4.2 The Data Processor processes Personal Data on behalf of the Data Controller strictly in accordance with documented instructions provided by the Data Controller, as outlined in the Agreement and this DPA.
5. Data Processing
5.1 Nature and Purpose: The Data Processor will process Personal Data solely for the purpose of providing the services cited in Appendix 1.1.
5.2 Duration: Processing will continue for the duration of the Agreement, unless otherwise required by applicable laws.
5.3 Categories of Data Subjects: As determined by the Data Controller, which may include customers, employees, or other individuals.
5.4 Types of Personal Data: As determined by the Data Controller and transmitted to the Data Processor under the Agreement.
The processing does not involve special categories of personal data within the meaning of Art. 9 GDPR.
6. Data Processor Obligations
The Data Processor will:
- (a) Process Personal Data only on documented instructions from the Data Controller, including those specified in the Terms of Service, this DPA, and through configuration or use of the Platform.
- (b) Ensure personnel authorized to process Personal Data are committed to confidentiality.
- (c) Implement appropriate technical and organizational measures to ensure the security of processing, as detailed in the security measures in Appendix 1.3.
- (d) Assist the Data Controller in responding to requests from Data Subjects under GDPR Chapter III.
- (e) Notify the Data Controller without undue delay upon becoming aware of a Personal Data Breach.
- (f) Incident Response Process for Data Breaches: In the event of a data breach or exposure, the COO will lead the incident response team to manage the incident effectively.
- (g) Commencing 30 days after the effective date of termination of the Agreement, the Data Processor will initiate a process upon Customer's written request to delete Customer Personal Data retained in production within 90 days and in backups within 180 days.
7. Subprocessors
7.1 The Data Controller provides a general authorization for the Data Processor to engage subprocessors to assist in providing services.
7.2 The Data Processor will publish a list of approved subprocessors in Appendix 1.2.
7.3 The Data Processor ensures that all subprocessors are bound by data protection obligations consistent with this DPA.
7.4 The Data Processor is generally authorized to engage subprocessors in accordance with this Section. The Data Processor will update the list of subprocessors at least 30 days before appointing a new subprocessor.
7.5 If the Data Controller has concerns about a new subprocessor regarding the protection of Customer Personal Data, it may object by sending an email to legal@recapt.app, outlining its legitimate, good-faith objection, within 15 days of receiving a notification.
8. Data Controller Obligations
The Data Controller is responsible for:
- (a) Ensuring the Processing of Personal Data complies with the requirements of applicable Privacy Laws.
- (b) Establishing and maintaining any necessary legal basis for collecting, Processing, and transferring Personal Data to Recapt.
- (c) Determining the legal basis for processing Personal Data under Article 6 of the GDPR (such as consent or legitimate interest); this determination rests solely with the Data Controller.
9. Transfers of Personal Data
The Data Processor will ensure that any transfer of Personal Data outside the European Economic Area (EEA) complies with applicable data protection laws by implementing appropriate safeguards, such as EU Standard Contractual Clauses.
10. AI and Machine Learning Data Usage
10.1 Prohibition on Model Development. Recapt.ai shall not use any Customer Personal Data for the purpose of training, retraining, fine-tuning, or otherwise developing any Artificial Intelligence (AI) or Machine Learning (ML) models.
10.2 Authorized Processing Purview. Customer Personal Data shall be processed solely to provide, maintain, secure, and support the Recapt.ai Services, including the delivery of predictive decision support and customer insights, in accordance with documented instructions and applicable data protection laws.
10.3 Usage of De-identified Service Data. Recapt.ai may process de-identified and aggregated information derived from Customer Personal Data ("Service Data") only for the following restricted purposes:
- Statistical reporting and benchmarking;
- Security analysis and threat detection;
- Internal operational insights to improve service reliability.
10.4 Non-Identification & Training Restriction. The processing of Service Data is permitted only provided that such information cannot be used to identify the Customer, its end users, or any natural person, and is strictly prohibited from being used for AI/ML training.
11. Change in Privacy Laws
In the event of a change in Privacy Laws or a determination or order by a government authority or competent court affecting this DPA, the Data Processor reserves the right to make any amendments to this DPA as are reasonably necessary to ensure continued compliance.
12. Audits and Inspections
The Data Controller may audit the Data Processor's compliance with this DPA. The Data Processor will provide access to relevant documentation and personnel as needed to demonstrate compliance. Such audits shall be limited to once per year unless required by applicable law or following a personal data breach.
13. Liability
The responsibility for a GDPR sanction depends on the circumstances of the violation:
If the violation is due to our actions: If fines arise because we, as the data processor, have failed to fulfill our obligations under GDPR or the DPA, we take responsibility in accordance with applicable laws and the agreement between the parties. However, our liability is capped at an amount equal to the fees you have paid for our services during the 12 months preceding the incident that led to the fines.
If the violation is due to the customer's actions or instructions: If fines are caused by the customer, as the data controller, providing us with instructions that conflict with GDPR, the data controller will bear the responsibility.
14. General Provisions
14.1 This DPA is governed by the laws of Sweden, and disputes will be resolved in the courts of Stockholm.
14.2 If any provision of this DPA is found invalid, the remaining provisions will remain in effect.
Appendix 1.1: Description of Processing Operations
Purpose
Recapt is a session replay and insight platform developed by Byteboost AB that enables support and product teams to understand user behavior, troubleshoot issues, and deliver faster, more accurate customer support. Recapt captures user interactions (such as clicks, navigation events, console logs, and session metadata) and turns them into replayable sessions that provide full context into the user experience.
The purpose of processing is to support clients in resolving user-reported issues efficiently, improving product usability, and reducing time spent on manual debugging or back-and-forth communication with users.
Data flow
- Data Collection: Recapt's script runs in the background of the client's web application, capturing real-time user interaction data such as clicks, page views, scrolls, console messages, and metadata tied to the session.
- Data Transmission: Captured data is securely transmitted to Recapt's backend systems via encrypted HTTPS connections immediately after it is generated.
- Data Masking and Obfuscation (Server-Side): Upon receipt, the data undergoes processing to apply the customer's configured masking and obfuscation rules.
- Data Storage and Further Processing: The masked/processed data is securely stored in Recapt's backend. It is indexed and prepared for session replay, search, tagging, and other analysis features enabled by the customer.
- Purpose of Data Usage: The processed data is used to reproduce user sessions, allowing clients to investigate issues, identify bugs, improve user experience, and enhance support workflows.
Appendix 1.2: Subprocessors
Google LLC (Google Cloud Platform)
1600 Amphitheatre Parkway, Mountain View, CA 94043, United States
Location: European Union
Processing purpose: Cloud infrastructure services
Processing data: User email and potential personal data found in sessions.
Railsware Products Studio LLC (mailtrap.io)
925 N La Brea Ave, Suite 400, office 560, West Hollywood, CA 90038, US
Location: United States
Processing purpose: Email delivery services
Processing data: User email
Userstack LTD
71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Location: United Kingdom
Processing purpose: Parsing user agents
Processing data: User Agents
Appendix 1.3: Security Measures
User Access Control
- Access on a need-to-know basis. Our team members only have access to the information that their job function requires.
- Logical access restriction. Our team members have restricted access to data, enforced through identification, authentication, and authorization systems.
- Prohibition of shared accounts. Our team members have unique accounts to log into systems and apps.
- Strong password policy. We have strong guidelines for password management.
Traceability Measures
- Security event logging. We monitor event logs to identify unauthorized security-related activities.
- System access & attempts log. We maintain a history of all requests and attempts to access the system.
Software Protection Measures
- Antivirus on devices. We equip all devices with antivirus software or applications.
- Antivirus on systems. We equip all systems with antivirus software or applications.
- Software security updates. We update all software when security updates are available.
System and Network Protection
- Attack prevention. We've put in place a set of measures to prevent and reduce the risks of cyber attacks.
- Firewall on internet traffic. We have firewall monitors and filters for our incoming and outgoing internet traffic.
- Remote access authorization process. Only authorized persons have the ability to access a computer or network from a geographical distance.
- Vulnerability monitoring and patching. We have processes to identify, scan and prioritize vulnerabilities for remediation.
Data Backup Measures
- Backup encryption. We encrypt our data before back-up.
- Frequent data backup. We back up our data on a regular basis.
Data Encryption
- AES Encryption At Rest.
- HTTPS encryption in transit.
- TLS 1.2 or 1.3 used in transit.
Control of Processors
- Security Assessment Process. Our processors and service providers are assessed based on their security policy and data protection measures.
Physical Access Control
Byteboost is hosted on Google Cloud Platform. Google data centers feature a multi-layered security model, including robust measures such as:
- Custom-designed electronic access cards
- Alarms
- Vehicle access barriers
- Perimeter fencing
- Metal detectors
- Biometrics
Byteboost employees do not have physical access to Google data centers, including servers, network equipment, or storage.
Physical Security
- Device Encryption. We encrypt our devices that store business and personal data.
- Physical access control. Our team members' access to physical locations is restricted.
Security Governance
- Security ownership and roles. Data ownership and security-related roles are clearly defined.
- Security policies and procedures. We have clearly outlined principles and strategies to maintain our data security.
Secured Developments
- Code Review and Testing (OWASP). We ensure the quality of our code base with peer code reviews and frequent code testing.
- Privacy by design and by default. All our activities involving personal data prioritize privacy.
- Prohibition of personal data on non-production environment. We never use personal data for testing purposes.
Data Erasure
- Secured data erasure. Once we delete our users' data from our systems and apps, it can't be recovered.