GDPR compliant website protection from bots and hackers


Why you should use a captcha

Targeted cyber attacks against companies, administrations or Internet users have increased massively in recent years. It is not only the theft of information and damage to infrastructures that pose a threat to companies, but also the misuse of online functions to spread spam (e.g., via contact forms) or to damage reputations. Using a captcha can protect your login areas and forms against these attacks. When choosing one, however, you should make sure that it provides GDPR-compliant website protection, as this is not guaranteed with many captchas.

All contents of our whitepaper, incl. the system description of POWER CAPTCHA, can be found below on this page and as a PDF version for download:

For this reason, most captchas are not suitable for your business

What most captchas have in common is that they only protect against bots, but not against hackers, because they do not effectively restrict direct human interaction, such as trying combinations of login names and passwords or unintentionally submitting a form many times.

Many captchas have non-transparent and non-controllable mechanisms of action. It is usually not clear what personal data is stored, where it is stored and what it is used for.

In addition, many captchas do not properly implement data protection regulations according to current European and German laws (GDPR / DSGVO). Accordingly, when a captcha uses a data pool outside the EU or stores personal data, users must actively give their consent in advance (analogous to cookie banners).


Protection against bots and hackers

Unlike other captchas, POWER CAPTCHA does not only distinguish whether a human or a bot has triggered an interaction, but basically checks whether the access is authorized or not. Each interaction with POWER CAPTCHA generates an encrypted code that the central POWER CAPTCHA AI evaluates and remembers for a limited time in order to subsequently increase the difficulty of the solution for further interactions, increase the response time, or possibly reject further interactions for a certain time.

Figure 1: Security query with POWER CAPTCHA

GDPR compliant website protection

POWER CAPTCHA runs on secured servers in certified data centers in Germany. The data of the users or clients are transmitted via encrypted communication paths and processed in non-readable form. We store this data only until the security check and the current processing period are completed. Therefore, POWER CAPTCHA is compliant with the GDPR and you do not need prior consent from users to use it.

The maximum duration of storage is based on the blocking periods defined in the POWER CAPTCHA plans. Under the Enterprise plan, we can store the data for a maximum of three days (customer setting).


Variously configurable

You can decide on the desired balance between usability and accessibility as well as the security level. Examples:

Monitoring key values

To prevent hackers or bots from using multiple IP addresses to circumvent a block, you can set how often a username or email address may be used. Usernames and email addresses are just examples of values that you can protect.

In principle, you can pass any value to POWER CAPTCHA and protect it against misuse or unwanted use. Examples of possible application scenarios include limiting downloads, online services or accessing websites or app functions, often without the visible display of a captcha (no-captcha setting).
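The per-value limit described above, sketched as an added example (not POWER CAPTCHA's code or API): attempts are counted per protected value rather than per IP address, so rotating addresses does not reset the counter. The class name, thresholds and action names are assumptions.

```javascript
// Added example, not POWER CAPTCHA code. Thresholds and action names are assumptions.
class ValueMonitor {
  constructor({ windowMs, captchaAfter, blockAfter, blockMs }) {
    Object.assign(this, { windowMs, captchaAfter, blockAfter, blockMs });
    this.entries = new Map(); // normalized value -> { hits: [{t, ip}], blockedUntil }
  }

  // Record one attempt for a protected value and return the decision.
  check(value, ip, now = Date.now()) {
    const key = String(value).trim().toLowerCase();
    const e = this.entries.get(key) || { hits: [], blockedUntil: 0 };
    this.entries.set(key, e);
    if (now < e.blockedUntil) {
      return { action: 'block', retryAfterMs: e.blockedUntil - now };
    }
    // Keep only attempts inside the sliding window, then add this one.
    e.hits = e.hits.filter((h) => now - h.t < this.windowMs);
    e.hits.push({ t: now, ip });
    const count = e.hits.length;
    const distinctIps = new Set(e.hits.map((h) => h.ip)).size;
    if (count > this.blockAfter) {
      e.blockedUntil = now + this.blockMs;
      return { action: 'block', retryAfterMs: this.blockMs, count, distinctIps };
    }
    const action = count > this.captchaAfter ? 'captcha' : 'allow';
    return { action, count, distinctIps };
  }

  // Drop entries with no recent attempts and no active block (limits retention).
  purge(now = Date.now()) {
    for (const [key, e] of this.entries) {
      const recent = e.hits.some((h) => now - h.t < this.windowMs);
      if (!recent && now >= e.blockedUntil) this.entries.delete(key);
    }
    return this.entries.size;
  }
}

// Constructed scenario: six attempts on one address, each from a different IP.
function demo() {
  const m = new ValueMonitor({ windowMs: 600000, captchaAfter: 2, blockAfter: 4, blockMs: 900000 });
  const t0 = 1700000000000;
  const actions = [];
  for (let i = 0; i < 6; i++) {
    actions.push(m.check(' Alice@Example.com', `198.51.100.${i + 1}`, t0 + i * 1000).action);
  }
  const afterBlock = m.check('alice@example.com', '203.0.113.9', t0 + 905000).action;
  return { actions, afterBlock, remaining: m.purge(t0 + 3600000) };
}
```

The `purge` step mirrors the page's point about limited storage: once the window and any block have expired, nothing about the value is kept.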

Figure 2: Extract from POWER CAPTCHA settings (screenshot)



System description

If users access one of the areas of your website protected with POWER CAPTCHA or submit a protected form (Figure 3, Step 1), the system first checks whether a POWER CAPTCHA pop-up should be displayed according to your default settings in the Customer Center (Figure 3, Step 2). If this request is confirmed by the POWER CAPTCHA server with “yes”, a captcha is displayed and a solution value must be entered (Figure 3, Step 3).

Figure 3: Sketch of the POWER CAPTCHA system architecture


Until a captcha solution is sent, communication takes place between the POWER CAPTCHA server and the browser that accessed your website. No additional traffic is generated on your web server when new captchas are requested by the browser. Only when a correct captcha solution value is clicked is it forwarded to your web server (Figure 3, Step 3).

For barrier-free access, users can alternatively request an access code by email, which is sent by the POWER CAPTCHA server.

Checking the request

Your web server receives the solution request and checks whether the captcha has been solved correctly and access is permitted. To do this, your web server sends a verification request to the POWER CAPTCHA server (Figure 3, Step 4). This request contains the token of the Captcha solution, the user name, the e-mail address or another value to be protected, as well as the IP address of the browser request. In addition, your personal secret key simultaneously certifies the authorization of the request (server authentication).

This prevents the solution request from being intercepted and misused by third parties. It also gives you control over the number of high-performance credits* used, as only requests from your web server backend are counted towards the consumption of high-performance credits.

The POWER CAPTCHA server now checks whether the captcha has been solved correctly. If the token is confirmed as valid by the POWER CAPTCHA server, verification by POWER CAPTCHA is complete. Further processing of the request, such as checking the login data, is then carried out by you as the website operator (Figure 3, Step 5).

If you have set the “No-Captcha” mode, no captcha is displayed to users and your website is secured by other measures you have approved, such as limiting login attempts within a time limit. The No-Captcha setting corresponds to a correct captcha solution, and Step 3 in Figure 3 is skipped.

* Addition to high-performance credits: Captchas with high-performance credits are provided with the highest priority (usually a few milliseconds). If your supply of high-performance credits is exhausted, the speed of delivery is reduced. You can find the number of high-performance credits included in your POWER CAPTCHA version in the table under “Options and pricing”.


Options and Pricing

Below you will find an overview of the POWER CAPTCHA plans. Here you can find all details about our pricing plans.

Simple integration

When you register, you will automatically receive a customer key for the installation. You can then make the desired settings for POWER CAPTCHA in your account settings or start with our default settings. The integration into your website or app is done with JavaScript or available plugins (e.g. WordPress plugin). You can verify the token on your server using PHP or another programming language. On our website you will find templates and application examples that you can use directly or adapt as required.

On-Premises Version

For scenarios with particularly high requirements in terms of the integration of 3rd party solutions, POWER CAPTCHA is also available as an on-premises version for local installation on your infrastructure. Our sales team will be happy to answer any questions you may have.


POWER CAPTCHA is a brand and development of Uniique Information Intelligence AG. Uniique AG is a Hamburg-based software company that has been offering award-winning software for automation and personalization in the communication, marketing and service environment since 2010.

