Recapt logo

Recapt

Data Processing Agreement

Last updated January 17, 2025

1. Introduction

This Data Processing Agreement ("DPA") is entered into by and between Byteboost AB ("Data Processor") and its clients (each a "Data Controller"). This DPA forms part of the Terms of Service or other agreement between the parties governing the provision of Recapt services (the "Agreement"). By signing up for Byteboost’s services, the Data Controller agrees to the terms of this DPA.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below:

  • 2.1 "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation) and any applicable amendments or successor legislation.
  • 2.2 "Personal Data" means any information relating to an identified or identifiable natural person.
  • 2.3 "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, including but not limited to collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • 2.4 "Subprocessor" means any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.
  • 2.5 Data Controller: A natural or legal person, authority, institution or other body that alone or together with others determines the purposes and means for the Processing of Personal Data.
  • 2.6 Data Processor: A natural or legal person, authority, institution or other body that carries out Processing of Personal Data on behalf of the Data Controller.
  • 2.7 "Privacy Laws" means the GDPR, European Data Protection Legislation, and any other applicable data protection or privacy laws.

3. Scope and Applicability

3.1 This DPA applies when the Data Processor processes Personal Data on behalf of the Data Controller as part of the services provided under the Agreement.

3.2 Both parties agree to comply with their respective obligations under the GDPR other applicable Privacy Laws.

3.3 The Data Controller is responsible for configuring the masking rules to ensure no special categories of data under Art. 9 GDPR are transmitted to the Platform.

4. Roles and Responsibilities

4.1 The Data Controller determines the purposes and means of the processing of Personal Data.

4.2 The Data Processor processes Personal Data on behalf of the Data Controller strictly in accordance with documented instructions provided by the Data Controller, as outlined in the Agreement and this DPA.

5. Data Processing

5.1 Nature and Purpose: The Data Processor will process Personal Data solely for the purpose of providing the services cited in Appendix 1.1.

5.2 Duration: Processing will continue for the duration of the Agreement, unless otherwise required by applicable laws.

5.3 Categories of Data Subjects: As determined by the Data Controller, which may include customers, employees, or other individuals.

5.4 Types of Personal Data: As determined by the Data Controller and transmitted to the Data Processor under the Agreement.

The processing entails no processing of special categories of personal data, as per Art. 9 GDPR.

6. Data Processor Obligations

The Data Processor will: (a) Process Personal Data only on documented instructions from the Data Controller, including those specified in the Terms of Service, this DPA, and through configuration or use of the Platform. (b) Ensure personnel authorized to process Personal Data are committed to confidentiality. (c) Implement appropriate technical and organizational measures to ensure the security of processing, as detailed in security measures in schedule 3. (d) Assist the Data Controller in responding to requests from Data Subjects under GDPR Chapter III. To process requests for deletion or other GDPR rights, customers must specify the data to be removed. Once identified, we will search for and delete the data. The process begins within one month of receiving the request, ensuring compliance with legal timeframes. (e) Notify the Data Controller without undue delay upon becoming aware of a Personal Data Breach. (f) Incident Response Process for Data Breaches

In the event of a data breach or exposure, the COO will lead the incident response team to manage the incident effectively. This team will consist of key stakeholders, including:

Chief Technology Officer (CTO)

Chief Product Officer (CPO)

Additional resources as needed, such as representatives from legal, human resources, communications, or external IT-security experts.

The team is tasked with ensuring a timely, coordinated response in compliance with regulatory requirements and Byteboost AB's internal policies.

(g) Commencing 30 days after the effective date of termination of the Agreement, the Data Processor will initiate a process upon Customer’s written request to delete Customer Personal Data retained in production within 90 days and in backups within 180 days. Any Customer Personal Data archived in backups will be isolated and protected from further processing, unless required otherwise by Applicable Laws. Notwithstanding the foregoing, if Byteboost AB is required by Applicable Laws to retain some or all of the Customer Personal Data, Byteboost AB will not be obligated to delete the retained Customer Personal Data, and this DPA will continue to apply to the retained Customer Personal Data. The Customer acknowledges that it is responsible for exporting any Customer Personal Data they wish to retain prior to the expiration of the 30-day period referenced in this Section, as outlined in the Agreement.

7. Subprocessors

7.1 The Data Controller provides a general authorization for the Data Processor to engage subprocessors to assist in providing services.

7.2 The Data Processor will publish a list of approved subprocessors in Appendix 2.

7.3 The Data Processor ensures that all subprocessors are bound by data protection obligations consistent with this DPA.

7.4 The Data Processor is generally authorized to engage subprocessors in accordance with this Section and to use the subprocessors listed on our Subprocessors List. We will update the Subprocessors List at least 30 days before appointing a new subprocessor and will provide you with a mechanism to receive notifications of new general subprocessors via our Subprocessors List.

7.5 If you have concerns about a new subprocessor regarding the protection of Customer Personal Data, you may object by sending an email to [email protected], outlining your legitimate, good-faith objection, within 15 days of receiving a notification (a 'Change Notice'). We will address the objection by:(a) Not using the new subprocessor to process Customer Personal Data;(b) Taking corrective actions requested in the Objection Notice;(c) Ceasing to provide the relevant parts of the services involving the new subprocessor processing Customer Personal Data, and adjusting remuneration accordingly.If the objection cannot be resolved satisfactorily within 15 days, either party may terminate the affected order, and Byteboost will refund any unused amounts paid for the affected services, pro-rated to the remaining terms of the order. If we don’t receive an objection within the 15-day period, you will be deemed to have authorized our use of the subprocessor and waived your right to object.

8. Data Controller Obligations

The Data Controller is responsible for:

  • (a) The Controller shall ensure the Processing of Personal Data complies with the requirements of Applicable Data Protection Laws. For clarity, the Controller’s instructions for Processing Personal Data must align with Applicable Data Protection Laws, and the Processor reserves the right to refuse any instructions that fail to comply. The Controller is solely responsible for the accuracy, quality, and legality of Personal Data, as well as the means of its acquisition.
  • (b) The Controller shall establish and maintain any necessary legal basis for collecting, Processing, and transferring Personal Data to Recapt. This includes authorizing Recapt’s Processing of Personal Data and its Processing activities conducted on Your behalf.
  • (c) The legal basis for processing Personal Data under Article 6 of the GDPR (such as consent or legitimate interest) is solely determined by the Data Controller. The Controller is responsible for ensuring that its use of the Platform complies with applicable data protection laws, including obtaining any necessary consents or conducting legitimate interest assessments as required.

9. Transfers of Personal Data

The Data Processor will ensure that any transfer of Personal Data outside the European Economic Area (EEA) complies with applicable data protection laws by implementing appropriate safeguards, such as EU Standard Contractual Clauses.

10. Change in Privacy Laws

Notwithstanding anything to the contrary in the Agreement (including this DPA), in the event of a change in Privacy Laws or a determination or order by a government authority or competent court affecting this DPA or the lawfulness of any processing activities under this DPA, the Data Processor reserves the right to make any amendments to this DPA as are reasonably necessary to ensure continued compliance with Privacy Laws or compliance with any such orders. Notice of such amendments will be provided to the Data Controller through an update to the DPA.

11. Audits and Inspections

The Data Controller may audit the Data Processor’s compliance with this DPA. The Data Processor will provide access to relevant documentation and personnel as needed to demonstrate compliance. Such audits shall be limited to once per year unless required by applicable law or following a personal data breach.

12. Liability

The responsibility for a GDPR sanction depends on the circumstances of the violation:

If the violation is due to our actions:If fines arise because we, as the data processor, have failed to fulfill our obligations under GDPR or the DPA, we take responsibility in accordance with applicable laws and the agreement between the parties. However, our liability is capped at an amount equal to the fees you have paid for our services during the 12 months preceding the incident that led to the fines.

If the violation is due to the customer's actions or instructions:If fines are caused by the customer, as the data controller, providing us with instructions that conflict with GDPR, the data controller will bear the responsibility.

13. General Provisions

13.1 This DPA is governed by the laws of Sweden, and disputes will be resolved in the courts of Stockholm.

13.2 If any provision of this DPA is found invalid, the remaining provisions will remain in effect.

Appendix 1.1: Description of Processing Operations

Purpose

Recapt is a session replay and insight platform developed by Byteboost AB that enables support and product teams to understand user behavior, troubleshoot issues, and deliver faster, more accurate customer support. Recapt captures user interactions—such as clicks, navigation events, console logs, and session metadata—and turns them into replayable sessions that provide full context into the user experience.

The purpose of processing is to support clients in resolving user-reported issues efficiently, improving product usability, and reducing time spent on manual debugging or back-and-forth communication with users.

Data flow

1. Data Collection: Recapt’s script runs in the background of the client’s web application, capturing real-time user interaction data such as clicks, page views, scrolls, console messages, and metadata tied to the session.

2. Data Transmission: Captured data is securely transmitted to Recapt’s backend systems via encrypted HTTPS connections immediately after it is generated.

3. Data Masking and Obfuscation (Server-Side): Upon receipt, the data undergoes processing to apply the customer’s configured masking and obfuscation rules. This step ensures that any sensitive personal data is redacted or transformed according to the customer’s privacy preferences after transmission but before storage or analysis.

4. Data Storage and Further Processing: The masked/processed data is securely stored in Recapt’s backend. It is indexed and prepared for session replay, search, tagging, and other analysis features enabled by the customer.

5. Purpose of Data Usage: The processed data is used to reproduce user sessions, allowing clients to investigate issues, identify bugs, improve user experience, and enhance support workflows. It may also be used to generate session summaries or dashboards if such features are enabled by the client.

Appendix 1.2: Subprocessors

Company Google LLC (Google Cloud Platform) 1600 Amphitheatre Parkway Mountain View, CA 94043, United States Location: European Union Processing purpose Cloud infrastructure services Processing data User email and potential personal data found in sessions.

Company Railsware Products Studio LLC (mailtrap.io) 925 N La Brea Ave, Suite 400, office 560, West Hollywood, CA 90038, US. Location: United states Processing purpose Email delivery services Processing data User email

Company Userstack LTD 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ Location: United Kingdom Processing purpose Parsing user agents Processing data User Agents

Appendix 1.3: Security measures

User Access Control Access on a need-to-know basis. Our team members only have access to the information that their job function requires, regardless of their security clearance level or other approvals.

Logical access restriction. Our team members have restrictive access to data based on identification, authentication, and authorization systems.

Prohibition of shared accounts. Our team members have unique accounts to log into systems and apps and we avoid sharing passwords.

Strong password policy. We have strong guidelines for password management to ensure that all passwords used within the organization are secure and resistant to common attacks.

Traceability Measures Security event logging. We monitor event logs to identify unauthorized security-related activities.

System access & attempts log. We maintain a history of all requests and attempts to access the system.

Software Protection Measures Antivirus on devices. We equip all devices with antivirus software or applications.

Antivirus on systems. We equip all systems, such as servers and network devices, with antivirus software or applications.

Software security updates. We update all software when security updates are available.

System and Network Protection

Attack prevention. We've put in place a set of measures to prevent and reduce the risks of cyber attacks.

Firewall on internet traffic. We have firewall monitors and filters for our incoming and outgoing internet traffic.

Remote access authorization process. Only authorized persons have the ability to access a computer or network from a geographical distance through a network connection.

Vulnerability monitoring and patching. We have processes to identify, scan and prioritize vulnerabilities for remediation.

Data Backup Measures

Backup encryption. We encrypt our data before back-up to protect it from unauthorized access and breaches.

Frequent data backup. We back up our data by copying it from a primary to a secondary location on a regular basis.

Data Encryption

AES Encryption At Rest. We require the same encryption key from both the sender and the receiver of data to read the data.

HTTPS encryption in transit. We use HTTPS to encrypt information transmitted between our user's browser and our web service/website.

TLS 1.2 or 1.3 used in transit. Any data transferred over the network is protected by TLS encryption.

Control of Processors

Security Assessment Process. Our processors and service providers are assessed based on their security policy and data protection measures.

Data Encryption

AES Encryption At Rest. We require the same encryption key from both the sender and the receiver of data to read the data.

HTTPS encryption in transit. We use HTTPS to encrypt information transmitted between our user's browser and our web service/website.

TLS 1.2 or 1.3 used in transit. Any data transferred over the network is protected by TLS encryption.

Physical Access Control

Byteboost is hosted on Google Cloud Platform. Google data centers feature a multi-layered security model, including robust measures such as:

  • Custom-designed electronic access cards
  • Alarms
  • Vehicle access barriers
  • Perimeter fencing
  • Metal detectors
  • Biometrics

According to the Google Security Whitepaper, Google data centers also employ “advanced security measures such as laser beam intrusion detection and continuous monitoring with high-resolution interior and exterior cameras” to identify and track unauthorized access. In addition, “access logs, activity records, and camera footage are available in case of an incident,” and “experienced security personnel, who have undergone extensive background checks and training, conduct regular patrols” of the facilities.

Byteboost employees do not have physical access to Google data centers, including servers, network equipment, or storage.

Physical Security

Device Encryption. We encrypt our devices that store business and personal data so they can only be accessed by people who have authorization.

Physical access control. Our team members' access to physical locations is restricted with password protected doors, keys or badges.

Security Governance

Security ownership and roles. Data ownership and security-related roles are clearly defined within our organization.

Security policies and procedures. We have clearly outlined principles and strategies to maintain our data security.

Secured developments

Code Review and Testing (OWASP). We ensure the quality of our code base with peer code reviews and frequent codetesting.

Privacy by design and by default. All our activities involving personal data prioritize privacy, and by default, only collect essential information.

Prohibition of personal data on non-production environment. We never use personal data for testing purposes.

Data Erasure

Secured data erasure. Once we delete our users' data from our systems and apps, it can't be recovered.

Data Obfuscation Before transferring data from your client application to Recapt, we strive, to the best of our ability, to remove and/or irreversibly alter all data points that may be classified as personal data. Once the data reaches our servers, we may further process it to ensure the removal of any residual personal data before storing it in our databases. However, please note that this safeguard can be overridden at your discretion, allowing you, as our user, to explicitly store personal data within our database.