Open-source, privacy-first CAPTCHA with decentralised blockchain validation and zero data collection
Prosopo Procaptcha is a privacy-first, open-source CAPTCHA and bot detection suite operated by PROSOPO LIMITED (Companies House 13421250), incorporated in London in 2021. The company is independently owned and bootstrapped, with no venture funding disclosed. Its core differentiation is a decentralised validation architecture: instead of relying on a single corporate server for CAPTCHA decisions, Procaptcha routes verification through a network of independent providers on the Polkadot/Substrate blockchain, removing the single point of control that makes Google reCAPTCHA a GDPR liability. The platform collects zero personal data, sets no cookies, and publishes all server-side code under open-source licences — the client-side detection library is the sole proprietary component. Official integrations span React, Vue, Angular, Next.js, Node.js, and WordPress. The free tier covers 10,000 verifications per month, the most generous in the EU CAPTCHA category.
Headquarters: London, United Kingdom
Founded: 2021
EU Data Hosting: Yes
Employees: 1-10
Open Source: Yes
Pricing (billing: monthly): Free, $34/mo, $52/mo, $87/mo, Contact Sales
Take the conventional CAPTCHA pitch and invert it. The standard argument is: trust us, we are privacy-friendly, here is our privacy policy. Procaptcha's argument is: do not trust anyone, here is the source code. That is the contrarian position in the CAPTCHA market, and it is either unnecessarily complex or genuinely important depending on what your threat model looks like.
Prosopo Procaptcha is operated by PROSOPO LIMITED, incorporated at Companies House under number 13421250 in London in 2021. The company is bootstrapped with no disclosed external funding and a team of fewer than 10 people. The product is a CAPTCHA and bot detection service that routes verification through a decentralised network of independent providers on the Polkadot/Substrate blockchain, rather than through a single corporate server.
The privacy case is structural. Google reCAPTCHA collects behavioural data because that data is how it works. Cloudflare Turnstile is private by policy but controlled by a US hyperscaler subject to the CLOUD Act. hCaptcha is independent but centralised. Procaptcha routes each verification through multiple independent network nodes rather than a single controller, so no single company, including Prosopo itself, accumulates data about your users' form submissions.
The free tier is the most generous in the European CAPTCHA market: 10,000 verifications per month, which covers genuine production use for most small and mid-sized sites without payment.
The core architecture is what distinguishes Procaptcha from every other CAPTCHA service. Instead of routing verification requests through a corporate API endpoint, challenges are validated by a distributed network of independent providers running on the Polkadot/Substrate blockchain.
In practice, this means that no single entity — not Prosopo, not Google, not Cloudflare — controls a central database of your users' verification events. The distributed consensus model is borrowed from blockchain systems, applied to a security use case rather than a financial one. For organisations where the risk of a single provider being compelled to disclose user data is a genuine concern — civil society organisations, legal services, healthcare — this architecture provides an assurance that a privacy policy cannot.
The trade-off is latency and complexity. Blockchain consensus takes longer than a direct API call, and the architecture introduces a dependency on Polkadot network health. For most commercial websites, the difference is imperceptible. For high-frequency, latency-sensitive applications, it is worth measuring.
Procaptcha uses a risk-scoring approach: low-risk sessions pass invisibly via proof-of-work computation, while higher-risk sessions receive an image-based CAPTCHA challenge. The risk assessment analyses browser environment signals and behavioural patterns without collecting or storing personal data about the user.
This adaptive model is comparable to reCAPTCHA v3's scoring approach, but without the cross-site tracking that makes v3 problematic under GDPR. Image challenges only appear when the automated risk score justifies the friction cost. Real users on typical browsers submitting forms normally will rarely see a challenge.
Server-side code, the challenge protocol, and the validator infrastructure are published on GitHub. Security teams can read the validation logic, run their own network nodes, or fork the server components for custom deployments. This transparency is qualitatively different from a privacy policy or a third-party certification — you can see exactly what the code does.
The caveat matters: the client-side detection library — the component that scores each browser session — remains proprietary. Prosopo has not explained why this component is not open-sourced, and it is the component whose behaviour is most consequential for end users. Full open-source equivalents like Altcha publish all components including the client library.
An official WordPress plugin in the WordPress repository supports Contact Form 7, Gravity Forms, WPForms, Ninja Forms, Fluent Forms, Formidable Forms, and User Registration. React, Vue, Angular, and Next.js packages are on npm. Server-side verification runs via the Node.js package. The API is compatible with reCAPTCHA, hCaptcha, and Cloudflare Turnstile, enabling migration without rewriting form logic.
Ten thousand verifications per month at zero cost. For comparison, CaptchaFox offers 1,000 and Friendly Captcha requires a paid plan for production traffic. For a contact form, login page, or registration flow on a site with a few hundred daily submissions, Procaptcha's free tier covers production use indefinitely.
Procaptcha is free up to 10,000 verifications per month. Paid tiers scale with verification volume rather than feature gating — all plans access the same CAPTCHA modes, integrations, and dashboard.
The Growth tier at $34 per month covers up to 100,000 verifications. Scale at $52 per month reaches 200,000. High Volume at $87 per month handles up to 500,000 verifications. Above one million, pricing is custom. For the majority of commercial websites, the free tier or the $34 Growth tier are the realistic operating points.
Compared to hCaptcha's commercial plans, Procaptcha's per-verification cost is competitive. The architecture imposes a price in engineering complexity rather than dollars — integrating a blockchain-backed CAPTCHA is more involved than dropping in a Google tag, even with the API compatibility layer.
PROSOPO LIMITED is incorporated in the United Kingdom under Companies House number 13421250. The UK is not an EU member, but the European Commission has granted the UK an adequacy decision, meaning UK data protection law is recognised as providing equivalent protection to GDPR. The company documents that data is hosted within the EU.
The privacy architecture is structural by design: zero cookies, zero personal data stored, no cross-site tracking. CAPTCHA verification events are distributed across the blockchain validator network rather than accumulated in a central database. A Data Processing Agreement is available on request.
For European enterprises, the relevant question is whether the UK adequacy decision is sufficient or whether a German or Dutch-registered vendor is required by procurement policy. If the latter, CaptchaFox (Munich, Scoria Labs GmbH) is the EU-member alternative with a similar privacy-by-design approach, though with a smaller free tier and less open-source transparency.
If you have a genuine architectural concern about centralised data collection — not just a compliance checkbox but an actual threat model where a single provider holding your users' verification history is a risk — Procaptcha's decentralised architecture is the only available answer in the European CAPTCHA market.
If your site handles fewer than 10,000 form interactions per month, the free tier covers production deployment. No payment required, no time limit.
If you run a WordPress site, the official plugin and broad form plugin compatibility make the integration straightforward. The same applies for React, Vue, Angular, and Next.js stacks.
If you want full open-source auditability across all components including the client-side detection library, Altcha is the correct choice — it publishes everything under MIT and can run fully self-hosted.
If you need simple hosted CAPTCHA with no blockchain concepts, flat EU-law registration, and the most straightforward reCAPTCHA migration, CaptchaFox is less complex for the majority of commercial use cases.
Procaptcha makes a genuine contribution to the European CAPTCHA ecosystem: a decentralised architecture that removes the single corporate controller at the heart of every other CAPTCHA service. The 10,000-verification free tier is the most generous available, and the open-source server code provides real transparency.
The honest counter-argument is that the blockchain architecture is more complex than most websites need, the client-side detection library remains closed, and a bootstrapped five-person company is carrying a lot of architectural ambition. For organisations that need the decentralisation story — civil society, legal services, organisations operating under surveillance risk — Procaptcha is the technically correct choice. For the majority of European businesses replacing reCAPTCHA for straightforward GDPR compliance, the architecture is more than necessary, and the simpler alternatives will serve them better without the overhead.
Google reCAPTCHA collects behavioural and device data to build cross-site user profiles, which conflicts with GDPR's data minimisation and purpose limitation requirements. Procaptcha collects zero personal data and routes validation through a decentralised blockchain network rather than Google's servers, eliminating the third-party data processing relationship. The APIs are compatible, so migration does not require rewriting form code.
Procaptcha uses the Polkadot/Substrate network to distribute CAPTCHA validation across independent providers rather than routing every check through a single corporate server. When a user submits a form, the challenge and response are verified by multiple nodes on the network, with consensus determining the outcome. No single entity accumulates a database of your users' verification events.
Server-side code and the challenge infrastructure are published on GitHub under open-source licences. The client-side detection library — the component that scores each browser session — remains proprietary. For most organisations the open server-side code provides sufficient transparency; teams requiring full open-source auditability across all components should evaluate Altcha, which publishes everything including the client library.
Procaptcha's free tier allows 10,000 verifications per month. CaptchaFox offers 1,000 and Friendly Captcha requires a paid plan for production traffic. For a contact form, login form, or registration page receiving a few hundred daily submissions, Procaptcha's free tier covers production use indefinitely.
Yes. The official WordPress plugin is available in the plugin repository and integrates natively with Contact Form 7, Gravity Forms, WPForms, Ninja Forms, Fluent Forms, and several others. React, Vue, Angular, and Next.js packages are on npm. Server-side verification uses the Node.js package.