Data Protection Agreement

1. PARTIES

This Data Processing Agreement (“Agreement”) is entered into between:

Hassan Capital Holdings Ltd

Trading as Hassan AI Systems Ltd (Hassan AI Systems), Company Number: 17036366

United Kingdom

(“Processor”)

And

The purchasing organisation or client

(“Controller”)

This Agreement supplements any existing service or license agreement between the parties.


2. PURPOSE

This Agreement governs the processing of Personal Data by the Processor on behalf of the Controller in connection with:

  • AI Agency System Implementation

  • Consulting services

  • Workflow configuration

  • Reporting system installation

  • Digital infrastructure deployment

This Agreement ensures compliance with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018


3. DEFINITIONS

“Personal Data” means any information relating to an identified or identifiable individual.

“Processing” means any operation performed on Personal Data including collection, storage, use, disclosure, or deletion.

“Controller” means the organisation that determines the purposes and means of processing Personal Data.

“Processor” means Hassan AI Systems acting on behalf of the Controller.

“Sub-Processor” means any third party engaged by the Processor to assist with data processing.


4. ROLES OF THE PARTIES

The Controller:

  • Determines why and how Personal Data is processed.

  • Remains responsible for lawful data collection.

  • Ensures it has legal grounds for processing.

The Processor:

  • Processes Personal Data only on documented instructions.

  • Does not determine purposes independently.

  • Does not use Personal Data for its own marketing or resale.


5. SUBJECT MATTER OF PROCESSING

The Processor may process Personal Data in connection with:

  • Client onboarding systems

  • Reporting frameworks

  • Workflow configuration

  • Consulting documentation

  • Implementation audits


6. TYPES OF PERSONAL DATA

Depending on the Controller’s business, data may include:

  • Names

  • Email addresses

  • Job titles

  • Client contact details

  • Business-related personal data

  • Usage analytics

  • Reporting information

The Processor does NOT intentionally process special category data unless explicitly agreed.


7. CATEGORIES OF DATA SUBJECTS

Data subjects may include:

  • Clients of the Controller

  • Employees of the Controller

  • Contractors

  • Prospective customers

  • Business contacts


8. PROCESSOR OBLIGATIONS

The Processor shall:

  1. Process data only on documented instructions from the Controller.

  2. Ensure confidentiality of authorised personnel.

  3. Implement appropriate technical and organisational measures.

  4. Assist the Controller in fulfilling data subject rights.

  5. Notify the Controller of data breaches without undue delay.

  6. Delete or return data upon termination of services.


9. SECURITY MEASURES

The Processor implements appropriate security measures, including:

  • Secure hosting environments

  • SSL encryption

  • Restricted access controls

  • Encrypted communication where possible

  • Limited data retention

  • Role-based access

No system guarantees absolute security.


10. SUB-PROCESSORS

The Processor may use Sub-Processors such as:

  • Hosting providers

  • Payment processors

  • Cloud storage providers

  • AI platforms

  • Email service providers

The Processor ensures that:

  • Sub-Processors are contractually bound to GDPR obligations.

  • Sub-Processors provide adequate security measures.

The Controller consents to the use of Sub-Processors.


11. INTERNATIONAL TRANSFERS

If Personal Data is transferred outside the UK, the Processor ensures:

  • Adequacy decisions apply

  • Standard Contractual Clauses are in place

  • Appropriate safeguards are implemented


12. DATA SUBJECT RIGHTS

The Processor shall assist the Controller, where reasonably possible, in responding to:

  • Access requests

  • Rectification requests

  • Erasure requests

  • Restriction requests

  • Objections

  • Data portability requests

The Controller remains responsible for responding to requests.


13. DATA BREACH NOTIFICATION

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller without undue delay.

  • Provide details of the breach.

  • Provide mitigation steps.

  • Cooperate in investigations.

The Controller is responsible for notifying supervisory authorities where required.


14. CONFIDENTIALITY

The Processor ensures that:

  • Personnel are bound by confidentiality obligations.

  • Access to data is limited to authorised individuals.

Confidentiality obligations survive termination.


15. DATA RETENTION

The Processor shall:

  • Retain Personal Data only as long as necessary to perform services.

  • Delete or return data upon written request.

  • Retain limited data where legally required.


16. AUDITS

Upon reasonable notice, the Controller may request information demonstrating compliance.

The Processor may provide documentation rather than permitting physical audits where appropriate.


17. LIABILITY

Liability shall follow the terms set out in the primary service agreement.

Nothing excludes liability for:

  • Fraud

  • Wilful misconduct

  • Legal obligations that cannot be limited


18. TERM

This Agreement remains in force for the duration of the services.

Obligations regarding confidentiality and data protection survive termination.


19. GOVERNING LAW

This Agreement is governed by the laws of England and Wales.

Disputes shall be subject to the exclusive jurisdiction of UK courts.


20. CONTACT INFORMATION

Hassan AI Systems

Trading name of Hassan Capital Holdings Ltd

United Kingdom

Email: info@hassanaisystems.co.uk

Website: www.hassanaisystems.co.uk


Hassan AI Systems LTD 

Company Number: 17036366

Trading name of Hassan Capital Holdings Ltd

United Kingdom

Last updated: 15th February 2026
