Enterprise-grade bot protection — without the enterprise price tag, the GDPR headache, or the Google dependency. Built for organisations that take data privacy seriously and can't afford form friction to cost them leads or transactions.
| Problem | Business impact |
|---|---|
| Puzzle CAPTCHAs frustrate users | Up to 29% form abandonment when a CAPTCHA appears — lost leads, lost transactions |
| reCAPTCHA sends data to Google | Requires a Data Processing Agreement; may conflict with GDPR, HIPAA, or sector-specific regulation |
| Third-party dependency | If Google's CAPTCHA API is down, your forms stop working — outage risk outside your control |
| Per-request pricing | Costs scale unpredictably with traffic — a viral campaign can mean a surprise invoice |
No puzzles, no "click all the traffic lights", no accessibility complaints. The protection is invisible — users never know it's there. Conversion rates are unaffected.
CWaptcha runs entirely within your infrastructure. No data leaves your servers. No third-party cookies. No behavioural telemetry sent to Google, Cloudflare, or anyone else. One-page GDPR story: there is nothing to declare.
CWaptcha is a NuGet package — one deployment, unlimited forms. No API keys, no request quotas, no surprise invoices at month-end. No contract. No renewal.
| CWaptcha | reCAPTCHA v3 | hCaptcha Enterprise | Turnstile | |
|---|---|---|---|---|
| Licensing cost | Free | Free (Google ToS) | Paid per site | Free / paid tiers |
| Per-request cost | None | None | Yes (at volume) | Paid tiers |
| Data to third party | None | hCaptcha | Cloudflare | |
| GDPR DPA required | No | Yes | Yes | Yes |
| Private / intranet | Yes | No | No | No |
| Vendor outage risk | None | Yes | Yes | Yes |
| Dev hours to integrate | ~1 hour | ~2–4 hours | ~4–8 hours | ~2–4 hours |
CWaptcha is a self-contained NuGet package with no upstream API your forms depend on. If the internet goes down, your forms still work. If the package maintainer disappears, your existing version keeps running indefinitely — the source is in your build artifacts.
Three lines of server code and one HTML attribute on a form. Integration is reversible in under an hour. No architectural commitment. No lock-in.
HMAC-SHA256 field integrity, constant-time comparison (no timing attacks), one-time nonces (no replay attacks), honeypot field (catches naive bots). Designed to the same threat model as paid enterprise alternatives.
The package is self-contained and version-locked in your NuGet feed. A frozen version continues to work indefinitely. Source code is available for audit and forking.
Yes. CWaptcha makes no external HTTP calls. It works wherever your .NET application runs — including air-gapped environments.
Yes. Contact us for integration support, custom deployment guidance, and enterprise arrangements.
CWaptcha is software, not a cloud service — it inherits your infrastructure's certifications. There is no CWaptcha-specific data to certify because no data leaves your perimeter.
Yes. A single AddCWaptcha() + UseCWaptcha() registration protects as many routes as you configure. One package, unlimited forms, no per-form cost.
Forward this page to your security or legal team — there's nothing to redact.
Read the integration docs → Talk to us →