Last Updated: 28 June 2026
This Data Processing Addendum (the “DPA”) forms part of, and is subject to, the Undo Capital Terms of Service (the “Terms”) between Undo Capital Ltd (“Undo Capital”, “we”, “us” and “our”) and the customer (the “Customer”, “you” and “your”). Terms defined in the Terms have the same meaning in this DPA unless defined here.
This DPA applies where, and to the extent that, we process Customer Personal Data on your behalf as a processor in the course of providing the Services. Where there is a conflict between this DPA and the rest of the Terms in relation to the processing of Customer Personal Data, this DPA prevails. In all other respects the Terms continue to apply.
In this DPA:
You are the controller of the Customer Personal Data, or where you are yourself a processor acting on behalf of a third-party controller, you are that processor and we act as a sub-processor. In either case, in respect of the Customer Personal Data, you act as the controller towards us and we act as the processor towards you.
Annex 1 sets out the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data, and the categories of data subjects. We process Customer Personal Data only to provide the Services and only as set out in this DPA.
We will:
If we consider that an instruction infringes Data Protection Laws, we will inform you, although we are not obliged to carry out legal checks on your instructions.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Our current measures are described in Annex 2. We may update those measures from time to time provided that the level of protection is not reduced.
You give us general authorisation to engage the Sub-processors listed in Annex 3. We will impose data protection obligations on each Sub-processor that are no less protective of Customer Personal Data than those in this DPA, and we remain responsible to you for each Sub-processor’s performance of its obligations.
We will keep the list of Sub-processors current and will give you notice before we add or replace a Sub-processor, by updating the register referred to in Annex 3 or by other written notice. You may object to a new Sub-processor on reasonable data-protection grounds within ten working days of being notified. If you do, we will work with you in good faith to address your concern. If we cannot resolve it, you may terminate the affected Services, and clause 11 will apply to the Customer Personal Data processed for those Services.
We will not transfer Customer Personal Data to a country outside the United Kingdom unless we have taken the steps necessary to ensure the transfer is lawful under Data Protection Laws. These steps may include transferring to a country subject to UK adequacy regulations, or putting in place the UK International Data Transfer Agreement, or the UK Addendum to the European Commission standard contractual clauses, or another lawful transfer mechanism. Some Sub-processors may process Customer Personal Data outside the United Kingdom, and you authorise those transfers on the basis that the safeguards in this clause apply.
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the information available to us that you reasonably need in order to meet your own obligations to report or communicate the breach under Data Protection Laws. We will take reasonable steps to mitigate the effects of, and to minimise any damage resulting from, the breach.
If we receive a request from a data subject in relation to Customer Personal Data, we will, unless legally prohibited, tell you and will not respond to the request ourselves except on your instructions or as required by law. Taking into account the nature of the processing, we will provide reasonable assistance, by appropriate technical and organisational measures and insofar as possible, to help you respond to data subject requests. Where your requests for assistance under this DPA go beyond what is proportionate, or are manifestly unfounded or excessive, we may charge a reasonable fee for our work, or decline to act on the request.
We will make available to you the information reasonably necessary to demonstrate our compliance with this DPA and with Article 28 of the UK GDPR. We may satisfy a request for information by providing a description or summary of our relevant measures.
You may audit our compliance with this DPA no more than once in any twelve-month period, unless an audit is required by a supervisory authority or follows a personal data breach affecting Customer Personal Data. Any audit must be on at least thirty days’ written notice, during our normal business hours, conducted so as not to interfere unreasonably with our operations, subject to appropriate confidentiality obligations, and at your cost.
On expiry or termination of the Terms, or of the affected Services, we will, at your choice, delete or return the Customer Personal Data, and delete existing copies, unless we are required by law to retain it. We will make the Customer Personal Data available for export for a reasonable period after termination, consistent with the Terms, after which we may delete it. Where we are required by law to retain Customer Personal Data, we will protect it and process it only to the extent required by that law.
The exclusions and limitations of liability in the Terms, including the aggregate cap on liability, apply to all claims under or in connection with this DPA. Our total liability arising out of or in connection with the Terms and this DPA together is subject to the single aggregate cap set out in the Terms, and is not increased by this DPA.
This DPA applies for as long as we process Customer Personal Data on your behalf, and the obligations that by their nature should continue, including confidentiality, survive its end.
Except as varied by this DPA, the Terms remain in full force. This DPA is governed by the law of England and Wales, and the courts of England and Wales have exclusive jurisdiction, in line with the Terms.
Annex 1: Details of the processing
Controller: the Customer. Processor: Undo Capital Ltd, company number 15278949, 124 City Road, London, England, EC1V 2NX.
Subject matter: our provision of the Services to you under the Terms.
Duration: for the term of the Terms and until deletion or return of the Customer Personal Data under clause 11.
Nature and purpose of the processing: hosting, storage, organisation, structuring, retrieval, generation of documents, automated validation and checks, AI-assisted processing of inputs, submission of applications to HMRC where instructed, and sharing of documents with third parties you choose, in each case in order to provide the Services.
Types of personal data: to the extent you enter or upload it, this may include names, contact details, job titles and roles, dates of birth, nationality, residential and correspondence addresses, shareholdings and option holdings, identification details, signature data, and any other personal data you choose to include in your account, your cap table, the Data Room, or an Advance Assurance application. You should not upload special category personal data, and if you do, you do so on your own responsibility.
Categories of data subjects: your directors, officers, persons with significant control, shareholders, option holders, employees, consultants, investors, advisers, and any other individuals whose personal data you choose to upload.
Annex 2: Technical and organisational security measures
Annex 3: Sub-processors
Our current Sub-processors are:
We may update this list from time to time as our infrastructure evolves. Material changes will be reflected on this page. We retrieve publicly available company information from Companies House in order to provide the Services. Where we obtain such information, we act as a controller of that information and not as your processor.