Data Processing Addendum
Last updated: June 2026
This Data Processing Addendum (the “DPA”) sets out how we process personal data on your behalf, and gives customers who need a processor agreement on file the terms required by Article 28 of the UK GDPR.
1. Introduction and when this applies
This DPA forms part of the agreement between you (the customer) and Varsuite Media Group Ltd (“Varsuite”, “we”, “us”), a company registered in England and Wales (company number [Company number to be inserted], registered office [Registered office address to be inserted]). It supplements our Terms of Service and our Privacy Policy, and applies whenever we process personal data on your behalf while providing our services.
This DPA is written to support compliance with the Data Protection Laws (defined below). If there is any conflict on a matter of data processing between this DPA and the Terms of Service, this DPA prevails to the extent of that conflict. On all other matters, the Terms of Service continue to apply.
2. Definitions
The following terms have the meanings given to them in the Data Protection Laws, and are used here with the same meaning:
- “Controller” means the party that determines the purposes and means of the processing of personal data.
- “Processor” means the party that processes personal data on behalf of the controller.
- “Personal data” means any information relating to an identified or identifiable living individual that is processed under this DPA.
- “Processing” means any operation performed on personal data, such as collection, storage, use, disclosure, transfer or deletion.
- “Data subject” means the individual to whom the personal data relates.
- “Special category data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data processed to identify a person, data concerning health, and data concerning a person’s sex life or sexual orientation, together with data relating to criminal convictions and offences.
- “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- “Sub-processor” means any third party we engage to process personal data on our behalf as our processor in connection with the services. Third parties that act as independent controllers in their own right (for example payment providers and social media platforms) are not sub-processors and are addressed in the Terms of Service and Privacy Policy.
“UK GDPR” means the United Kingdom General Data Protection Regulation as defined in the Data Protection Act 2018. “Data Protection Laws” means the UK GDPR and the Data Protection Act 2018, together with any other applicable data protection or privacy laws, in each case as amended or replaced from time to time. Other capitalised terms not defined here have the meaning given in the Terms of Service.
3. Roles and scope
For personal data you provide, or that we process to deliver and support your services, you are the controller and Varsuite is the processor. You are responsible for ensuring that you have a lawful basis to provide that personal data to us and for the instructions you give us.
For our own business data (for example your billing contact, our records of our dealings with you, and data we collect to run and improve our own operations), we act as a controller, as described in our Privacy Policy. This DPA governs only the processing we carry out as your processor.
4. Details of processing
The subject matter, nature, purpose and duration of the processing, the types of personal data and the categories of data subject are set out in Annex 1 below. In summary, we process personal data for the provision of websites, software, automations, AI-assisted features and marketing, for the term of your services plus any legally required retention period, and only to the extent needed to deliver and support what you have asked us to provide.
5. Our obligations as processor
In respect of personal data we process on your behalf, we will:
- Process the personal data only on your documented instructions, including with regard to transfers of personal data to a third country, unless we are required to process it by law, in which case we will inform you of that legal requirement before processing, unless the law prohibits us from doing so on important grounds of public interest.
- Tell you promptly if, in our opinion, an instruction you give infringes the Data Protection Laws.
- Ensure that the persons we authorise to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in line with Article 32 of the UK GDPR and as described in Annex 2.
- Respect the conditions set out in this DPA for engaging sub-processors.
- Taking into account the nature of the processing, assist you by appropriate measures, so far as is reasonable, in responding to requests from data subjects to exercise their rights.
- Assist you, taking into account the nature of the processing and the information available to us, in ensuring compliance with your obligations relating to security of processing, notification of personal data breaches, data protection impact assessments and prior consultation with the Information Commissioner’s Office (ICO).
- Make available to you the information necessary to demonstrate compliance with the obligations in Article 28 of the UK GDPR, and allow for and contribute to audits as described below.
The assistance described in this Article is provided as required by the Data Protection Laws. Where you ask us to provide assistance that goes beyond what the Data Protection Laws strictly require of a processor, or that is repeated, extensive or otherwise materially burdensome, we may provide it on reasonable prior notice and at your reasonable cost. Costs and audit charges referred to in this DPA are exclusive of VAT, which is added where applicable.
6. Security measures
We apply appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures are described in Annex 2 and include access controls, encryption of data in transit, code scanning, round-the-clock monitoring, confidentiality obligations and least-privilege access. We keep our measures under review and may update them, provided the level of protection is not reduced.
7. AI processing safeguards
Where we use AI systems to process your personal data in delivering the AI-assisted features and services you commission, we limit access to what is necessary for that purpose. We process your personal data only to provide the services to you; we do not use it for unrelated purposes, and we do not sell it. We do not use your personal data to train general-purpose AI models for unrelated third parties, and we select our service providers and configure our use of them so that, so far as their terms allow, your personal data is processed to serve you and is not used by those providers to train their general-purpose models for unrelated purposes.
8. Sub-processors
You give us your general written authorisation to appoint sub-processors to carry out specific processing activities on your behalf, including providers of hosting, infrastructure and AI services. A current list of the categories of sub-processor we use is available on request.
Where we engage a sub-processor, we impose on it, by a written contract, data protection obligations no less protective than those set out in this DPA. We remain fully liable to you for the performance of each sub-processor’s obligations. We select providers that offer appropriate protections for personal data and impose obligations on them consistent with this DPA.
We will give you at least 30 days’ notice of any intended change concerning the addition or replacement of a sub-processor, and you may reasonably object on data protection grounds within 30 days of that notice. If you do not raise a reasonable objection within that period, we may proceed with the change. While a reasonable objection is being resolved, we may continue to use the existing sub-processor. If we are unable to accommodate a reasonable objection, your sole remedy is to terminate the affected services in accordance with the Terms of Service. Termination under this Article is governed by the cancellation and fee provisions of the Terms of Service and does not entitle you to a refund of fees already paid except as the Terms of Service provide.
9. International transfers
Where personal data is transferred outside the United Kingdom, whether by us or by a sub-processor, we will ensure that an appropriate safeguard is in place before the transfer takes place. Your authorisation of our sub-processors under Article 8 constitutes your instruction and authorisation for the resulting transfers, and we will put an appropriate safeguard under Chapter V of the UK GDPR in place. The safeguard may be a finding of adequacy applicable to the destination, the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner, or another lawful transfer mechanism recognised under the Data Protection Laws.
10. Personal data breach
We will notify you without undue delay after becoming aware of a personal data breach affecting personal data we process on your behalf. So far as the information is available to us, our notification will describe the nature of the breach, the likely consequences, the measures taken or proposed to address it, and a point of contact, so that you can meet your own notification obligations to the ICO and to affected data subjects. Where we cannot provide all of this information at once, we may provide it in phases as it becomes available. A notification under this Article is given to support your compliance and is not an acknowledgement of any fault or liability on our part. You remain responsible for assessing and making any required notifications as controller.
11. Data subject requests
If we receive a request from a data subject to exercise their rights in relation to personal data we process on your behalf, we will promptly inform you and will not respond to the request directly unless you instruct us to do so, or unless we are required to respond by law. Taking into account the nature of the processing, we will assist you, so far as is reasonable, in fulfilling your obligation to respond, subject to the costs provisions in Article 5.
12. Return and deletion of data
On termination or expiry of the services, we will, at your choice, delete or return to you the personal data we process on your behalf, and delete existing copies, unless the Data Protection Laws or other applicable law requires us to retain the personal data. Where we are required to retain personal data, we will protect it in line with this DPA and process it only as required by that law. On request, we will certify in writing that we have complied with this Article.
13. Audit
We will make available to you the information reasonably necessary to demonstrate compliance with our obligations under this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint. We may satisfy an audit request by providing existing documentation, summaries of our measures, or third-party reports where these reasonably address the matters you wish to verify.
Any auditor you appoint must be independent and suitably qualified, must not be a competitor of Varsuite, and must sign confidentiality undertakings acceptable to us before any audit begins. Audits may be carried out on reasonable prior written notice, no more than once in any twelve-month period, except where an audit is required by a regulator or where you reasonably believe a personal data breach has occurred. Audits must be carried out during business hours, must be conducted so as to cause minimal disruption to our operations and without compromising the confidentiality or security of other customers’ data, and, save where an audit reveals a material breach of this DPA by us, are carried out at your reasonable cost on the basis set out in Article 5.
14. Customer responsibilities and indemnity
You are responsible for the instructions you give us, for having a valid lawful basis for the processing you ask us to carry out, and for the personal data and content you provide to us. You will indemnify and hold Varsuite harmless against claims, fines, penalties, losses and costs arising from your instructions, from any absence of a lawful basis, or from personal data or content you provide, except to the extent that they are caused by our breach of this DPA. This Article is in addition to, and consistent with, the indemnity in the Terms of Service.
15. Liability
Each party’s liability arising out of or in connection with this DPA is subject to the same limitations and exclusions of liability, and the same overall cap, as set out in the Terms of Service. Claims under the Terms of Service and under this DPA are not cumulative, and the cap in the Terms of Service is not duplicated by this DPA. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under the Data Protection Laws or other applicable law.
16. Events outside our reasonable control
Our obligations under this DPA are subject to events outside our reasonable control, as described in the Terms of Service, except where the Data Protection Laws require otherwise. The mandatory obligations of a processor under Article 28 of the UK GDPR cannot be set aside in this way and continue to apply.
17. General and conflict
This DPA supplements and forms part of the Terms of Service. On matters of data processing it prevails over the Terms of Service to the extent of any conflict, as set out above. This DPA is coterminous with the services: it takes effect when we begin processing personal data on your behalf and continues for as long as we do so. If any provision of this DPA is found to be unenforceable, the remaining provisions continue in full effect. This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction.
Annex 1: Details of processing
- Subject matter: the provision of websites, software, automations, AI-assisted features and marketing services, and their support and maintenance.
- Duration: the term of the services, plus any period during which we are required to retain personal data by law.
- Nature and purpose: processing personal data to design, build, test, host, operate, support and improve the products and services you commission, including delivering the AI-assisted features and marketing services you commission.
- Types of personal data: contact details (such as name, email, phone and business name), account data, content and product data, and data you connect to us through integrations.
- Categories of data subject: your staff, your customers and your contacts.
- Special category data: not requested or required by us. You should not provide special category data, or data relating to criminal convictions and offences, unless we have agreed it in writing and you have a lawful condition under Articles 9 and 10 of the UK GDPR to do so. If you provide such data without our prior written agreement, you do so at your own risk and on the basis that you have a valid lawful condition for it and remain responsible for it, and we may decline to process it or delete it.
Annex 2: Technical and organisational measures
We maintain appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, including:
- Access controls and authentication, with least-privilege access so that information is available only to those who need it.
- Encryption of personal data in transit.
- Code scanning of the software we build, before launch and on an ongoing schedule.
- Round-the-clock monitoring of the services we host and operate, with processes to contain and resolve security issues.
- Confidentiality obligations binding the people we authorise to process personal data.
- Selection of sub-processors that offer appropriate protections, under contracts no less protective than this DPA.
- Measures to support the restoration of availability and access to personal data following an incident, and periodic review of the effectiveness of these measures.
Contact
For any data protection matter, or to exercise rights under this DPA, contact hello@varsuite.co.uk. You also have the right to complain to the Information Commissioner’s Office (ICO). Our ICO registration number is [ICO registration number to be inserted].