About this document
This Data Processing Addendum applies to CLASI LTD, a private company limited by shares incorporated in England and Wales (Company No. [CO_NUMBER]) with registered office at 20 Wenlock Road, London, England, N1 7GU ("CLASI", "we", "us"). Questions about this document can be directed to privacy@clasi.co.uk. We review this document at least annually and on any material change to our services or applicable law.
Roles
In the provision of services under a SOW, the Client acts as Data Controller and CLASI LTD acts as Data Processor in respect of personal data processed on the Client's behalf ("Client Personal Data").
Subject matter and duration
The subject matter is the services described in the SOW. The duration is the term of the SOW plus any agreed retention period.
Annex I — Processing details
- Categories of data subjects: the Client's customers, end-users, employees and prospects whose personal data the Client makes available through the services.
- Categories of personal data: identifiers, contact data, account data, transactional data, support communications, and any further categories agreed in the SOW.
- Special category data: only if explicitly agreed in writing.
- Frequency: continuous for the duration of the engagement.
- Nature and purpose: hosting, processing, retrieval, analysis and support necessary to deliver the services.
Annex II — Technical and organisational measures
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Role-based access control with least privilege and mandatory MFA.
- Audit logging with append-only retention of at least 12 months.
- Secure software development lifecycle, peer review, dependency scanning.
- Vendor risk management and sub-processor due diligence.
- Incident response plan with defined severity levels and notification timelines.
- Backup and disaster recovery testing.
- Staff training on data protection and security at onboarding and annually.
Sub-processors
A current list of sub-processors is at /legal/subprocessors. We will provide at least 14 days' notice of any new sub-processor. The Client may object on reasonable data protection grounds.
International transfers
Where Client Personal Data is transferred outside the United Kingdom, we rely on the UK IDTA or UK Addendum to the EU SCCs and complete transfer impact assessments as appropriate.
Assistance and audits
We will provide reasonable assistance with data subject requests, data protection impact assessments and regulator enquiries. The Client may audit our compliance with this DPA on reasonable notice, no more than once per 12 months, subject to confidentiality.
Personal data breach
We will notify the Client of any confirmed personal data breach affecting Client Personal Data without undue delay, and in any event within 48 hours of confirmation, providing the information necessary for the Client to meet its UK GDPR Article 33 obligations.
Return or deletion
On termination of the SOW we will, at the Client's choice, return or delete Client Personal Data within 30 days, except where retention is required by law.
Updates
We may update this document from time to time. The "last updated" date at the top reflects the most recent change. For material changes that affect your rights, we will provide reasonable notice through our website or, where appropriate, by email.
Contact
CLASI LTD
20 Wenlock Road, London, England, N1 7GU
United Kingdom
Email: privacy@clasi.co.uk
General: hello@clasi.co.uk