Undo Capital Data Processing Addendum

Last Updated: 28 June 2026

1. Introduction

This Data Processing Addendum (the “DPA”) forms part of, and is subject to, the Undo Capital Terms of Service (the “Terms”) between Undo Capital Ltd (“Undo Capital”, “we”, “us” and “our”) and the customer (the “Customer”, “you” and “your”). Terms defined in the Terms have the same meaning in this DPA unless defined here.

This DPA applies where, and to the extent that, we process Customer Personal Data on your behalf as a processor in the course of providing the Services. Where there is a conflict between this DPA and the rest of the Terms in relation to the processing of Customer Personal Data, this DPA prevails. In all other respects the Terms continue to apply.

2. Definitions

In this DPA:

  • “Data Protection Laws” means all laws relating to data protection and privacy that apply to the processing of Customer Personal Data under this DPA, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, in each case as amended or replaced from time to time.
  • “UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018.
  • “Controller”, “processor”, “data subject”, “personal data”, “processing”, “personal data breach” and “appropriate technical and organisational measures” have the meanings given in the UK GDPR.
  • “Customer Personal Data” means the personal data that we process on your behalf in order to provide the Services, as described in Annex 1.
  • “Sub-processor” means any third party we engage to process Customer Personal Data on our behalf.

3. Roles and scope of processing

You are the controller of the Customer Personal Data, or where you are yourself a processor acting on behalf of a third-party controller, you are that processor and we act as a sub-processor. In either case, in respect of the Customer Personal Data, you act as the controller towards us and we act as the processor towards you.

Annex 1 sets out the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data, and the categories of data subjects. We process Customer Personal Data only to provide the Services and only as set out in this DPA.

4. Our obligations as processor

We will:

  • process Customer Personal Data only on your documented instructions, including in relation to transfers of Customer Personal Data to a third country, unless we are required to process it by law that applies to us, in which case we will inform you of that requirement before processing unless that law prohibits us from doing so. The Terms, this DPA, and your configuration and use of the Services through their functionality are your complete documented instructions, and any other instruction must be agreed separately;
  • ensure that the people we authorise to process Customer Personal Data are subject to an appropriate duty of confidentiality;
  • implement appropriate technical and organisational measures to protect Customer Personal Data, as described in Annex 2 and clause 5;
  • engage Sub-processors only in accordance with clause 6;
  • taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as this is possible, to respond to requests from data subjects exercising their rights under Data Protection Laws, as set out in clause 9;
  • assist you in ensuring compliance with your obligations relating to security, personal data breaches, data protection impact assessments and prior consultation with the Information Commissioner, taking into account the nature of the processing and the information available to us;
  • at your choice, delete or return Customer Personal Data in accordance with clause 11; and
  • make available to you the information necessary to demonstrate compliance with our obligations as a processor, and allow for and contribute to audits, as set out in clause 10.

If we consider that an instruction infringes Data Protection Laws, we will inform you, although we are not obliged to carry out legal checks on your instructions.

5. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Our current measures are described in Annex 2. We may update those measures from time to time provided that the level of protection is not reduced.

6. Sub-processors

You give us general authorisation to engage the Sub-processors listed in Annex 3. We will impose data protection obligations on each Sub-processor that are no less protective of Customer Personal Data than those in this DPA, and we remain responsible to you for each Sub-processor’s performance of its obligations.

We will keep the list of Sub-processors current and will give you notice before we add or replace a Sub-processor, by updating the register referred to in Annex 3 or by other written notice. You may object to a new Sub-processor on reasonable data-protection grounds within ten working days of being notified. If you do, we will work with you in good faith to address your concern. If we cannot resolve it, you may terminate the affected Services, and clause 11 will apply to the Customer Personal Data processed for those Services.

7. International transfers

We will not transfer Customer Personal Data to a country outside the United Kingdom unless we have taken the steps necessary to ensure the transfer is lawful under Data Protection Laws. These steps may include transferring to a country subject to UK adequacy regulations, or putting in place the UK International Data Transfer Agreement, or the UK Addendum to the European Commission standard contractual clauses, or another lawful transfer mechanism. Some Sub-processors may process Customer Personal Data outside the United Kingdom, and you authorise those transfers on the basis that the safeguards in this clause apply.

8. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the information available to us that you reasonably need in order to meet your own obligations to report or communicate the breach under Data Protection Laws. We will take reasonable steps to mitigate the effects of, and to minimise any damage resulting from, the breach.

9. Assistance with data subject requests

If we receive a request from a data subject in relation to Customer Personal Data, we will, unless legally prohibited, tell you and will not respond to the request ourselves except on your instructions or as required by law. Taking into account the nature of the processing, we will provide reasonable assistance, by appropriate technical and organisational measures and insofar as possible, to help you respond to data subject requests. Where your requests for assistance under this DPA go beyond what is proportionate, or are manifestly unfounded or excessive, we may charge a reasonable fee for our work, or decline to act on the request.

10. Audits and information

We will make available to you the information reasonably necessary to demonstrate our compliance with this DPA and with Article 28 of the UK GDPR. We may satisfy a request for information by providing a description or summary of our relevant measures.

You may audit our compliance with this DPA no more than once in any twelve-month period, unless an audit is required by a supervisory authority or follows a personal data breach affecting Customer Personal Data. Any audit must be on at least thirty days’ written notice, during our normal business hours, conducted so as not to interfere unreasonably with our operations, subject to appropriate confidentiality obligations, and at your cost.

11. Deletion and return of Customer Personal Data

On expiry or termination of the Terms, or of the affected Services, we will, at your choice, delete or return the Customer Personal Data, and delete existing copies, unless we are required by law to retain it. We will make the Customer Personal Data available for export for a reasonable period after termination, consistent with the Terms, after which we may delete it. Where we are required by law to retain Customer Personal Data, we will protect it and process it only to the extent required by that law.

12. Liability

The exclusions and limitations of liability in the Terms, including the aggregate cap on liability, apply to all claims under or in connection with this DPA. Our total liability arising out of or in connection with the Terms and this DPA together is subject to the single aggregate cap set out in the Terms, and is not increased by this DPA.

13. Duration

This DPA applies for as long as we process Customer Personal Data on your behalf, and the obligations that by their nature should continue, including confidentiality, survive its end.

14. General

Except as varied by this DPA, the Terms remain in full force. This DPA is governed by the law of England and Wales, and the courts of England and Wales have exclusive jurisdiction, in line with the Terms.

Annex 1: Details of the processing

Controller: the Customer. Processor: Undo Capital Ltd, company number 15278949, 124 City Road, London, England, EC1V 2NX.

Subject matter: our provision of the Services to you under the Terms.

Duration: for the term of the Terms and until deletion or return of the Customer Personal Data under clause 11.

Nature and purpose of the processing: hosting, storage, organisation, structuring, retrieval, generation of documents, automated validation and checks, AI-assisted processing of inputs, submission of applications to HMRC where instructed, and sharing of documents with third parties you choose, in each case in order to provide the Services.

Types of personal data: to the extent you enter or upload it, this may include names, contact details, job titles and roles, dates of birth, nationality, residential and correspondence addresses, shareholdings and option holdings, identification details, signature data, and any other personal data you choose to include in your account, your cap table, the Data Room, or an Advance Assurance application. You should not upload special category personal data, and if you do, you do so on your own responsibility.

Categories of data subjects: your directors, officers, persons with significant control, shareholders, option holders, employees, consultants, investors, advisers, and any other individuals whose personal data you choose to upload.

Annex 2: Technical and organisational security measures

  • encryption of Customer Personal Data in transit using current protocols;
  • encryption of Customer Personal Data at rest;
  • role-based access controls and least-privilege access to Customer Personal Data;
  • hosting with a reputable infrastructure provider operating from secure data centres;
  • separation of production and non-production environments;
  • regular backups and a documented restore process;
  • logging and monitoring of access to and changes in the platform;
  • confidentiality obligations and access controls for personnel, with access granted on a need-to-know basis;
  • secure software development and change-management practices;
  • a documented process for detecting, reporting and responding to personal data breaches; and
  • data minimisation and retention controls aligned with the purposes of the Services.
  • Undo Capital is registered with the UK Information Commissioner’s Office (ICO) as a data controller.

Annex 3: Sub-processors

Our current Sub-processors are:

  • Google (Google Cloud and Gemini models): AI-assisted processing of inputs. Location: EU / UK.
  • Stripe: payment processing. Location: Global.
  • DigitalOcean: hosting and infrastructure for the platform. Location: United Kingdom (London, LON1).
  • PostHog: Product analytics. Location: EU.

We may update this list from time to time as our infrastructure evolves. Material changes will be reflected on this page. We retrieve publicly available company information from Companies House in order to provide the Services. Where we obtain such information, we act as a controller of that information and not as your processor.