Skip to content
Markable logo
Markable logoBack to home

Compliance Statement

Markable — Compliance Statement

Version: 1.0 (POC) Effective date: 8 May 2026 Owner: Markable Compliance Lead Contact: support@markable.uk

This statement summarises Markable's compliance posture during its proof-of-concept stage. It is intended for review by Data Protection Officers, school Senior Leadership Teams, and other stakeholders considering use of Markable. A more detailed compliance framework will be issued before scaled deployment.

1. About Markable

Markable is an AI-assisted annotation and feedback platform for vocational and curriculum-based qualifications. It is currently in proof-of-concept stage, working with a limited number of pilot schools.

The AI's role is limited to:

  • Paragraph-level annotations highlighting strengths and areas for development;
  • Identification of mark-scheme content present or absent in a response;
  • Suggested improvement priorities, which the teacher reviews.

Markable does not produce or suggest marks, mark bands, or grades. All marks, bands, comments, and grades are determined and entered by the teacher.

2. Frameworks Markable is designed against

We have designed Markable's processes with reference to:

  • UK GDPR and the Data Protection Act 2018 — compliance documented through the Privacy Policy, DPA, DPIA, LIA, and TRA.
  • Ofqual's Principles of AI use in marking (Jan 2026) — informs our approach to validity, oversight, transparency, fairness, and contestability.
  • DfE Generative AI in education (last updated August 2025) — informs our schools-facing position.
  • DfE Generative AI Product Safety Expectations (Jan 2025) — informs filtering, monitoring, security, privacy, IP, design and testing, and governance.
  • Keeping Children Safe in Education 2025 — informs our safeguarding posture.
  • JCQ guidance on AI use in assessments — informs assessment integrity.
  • ICO Children's code — informs our processing of children's data.
  • The five UK AI Regulation principles — applied across our design.

3. How we comply, in summary

3.1 Data protection (UK GDPR)

  • Privacy Policy sets out lawful basis, purposes, retention, recipients, transfers, and rights.
  • Data Processing Agreement between Markable and each School satisfies UK GDPR Article 28.
  • Data Protection Impact Assessment maintained as required by Article 35.
  • Legitimate Interests Assessment maintained where relied upon (internal working document, available on request).
  • Transfer Risk Assessment maintained for each non-UK Sub-processor (internal working document, available on request).
  • ICO registration C1917001.
  • Multi-factor authentication available and strongly encouraged for teacher accounts; encryption in transit and at rest; row-level security; least-privilege access for staff.

3.2 AI transparency (UK GDPR Articles 13(2)(f), 14(2)(g), 22)

  • The Privacy Policy provides the formal disclosure: what the AI does, how it works in plain English, the limitations of LLMs, and that Markable does not engage in solely automated decision-making.
  • A first-time-use AI disclosure with tick-box acknowledgement is shown to teachers before their first upload.
  • A persistent in-app indicator shows when AI is operating.
  • A Student/Parent Privacy Notice template is provided to schools to issue to students and parents.

3.3 Teacher oversight

  • The AI does not produce or suggest marks, mark bands, or grades.
  • AI annotations are visible to the teacher only.
  • AI suggestions are copy-protected; the teacher cannot paste AI text into the report.
  • The teacher must independently enter marks, write comments, and select grades.
  • AI-generated improvement priorities require explicit teacher confirmation or editing before they appear on the student's report.

3.4 Safeguarding

  • Where script content appears to indicate a possible safeguarding disclosure, the platform alerts the teacher with "false positive expected — please review in context" framing, recognising that scripts in many subjects routinely include scenario references.
  • The platform does not auto-escalate. The teacher and the school's Designated Safeguarding Lead remain decision-makers.
  • Teachers are reminded in the Terms of Service that they may not rely on the platform to substitute for their professional safeguarding vigilance.

3.5 Validity and fairness — POC stage

We will run a first internal evaluation cycle within the first three months of POC, covering:

  • Coverage accuracy — are the AI's content-presence claims correct?
  • Hallucination rate — does the AI claim content is present that isn't?
  • Consistency — do repeated runs produce similar output?
  • Sub-group fairness on script-derived proxies — does annotation quality vary by response length, surface complexity, or other script-derived factors?

Findings will inform iteration during POC. A formal Validity and Fairness Report will be issued before scaled deployment.

We do not request demographic data (e.g., EAL status) from schools and do not flag individual scripts to teachers as "EAL" or "difficult to read"; doing so could itself produce discriminatory effects.

3.6 Contestability and complaints

Concerns about the AI's behaviour, fairness, accuracy, or about Markable's data protection practice should be sent to support@markable.uk with the subject line "Compliance Concern". We acknowledge within 5 working days and respond substantively within 20 working days.

Marking disputes are not handled by Markable; they are a matter for the school's normal assessment appeals procedure.

Escalation routes include the ICO (data protection), Ofqual (qualification regulation), the relevant Local Authority Designated Officer (safeguarding), and the relevant awarding organisation.

3.7 Intellectual property

  • Student work remains the IP of the student. Markable does not collect, retain, share, or use student script content for training, fine-tuning, product improvement, or any commercial purpose.
  • Teacher-authored content belongs to the teacher's school under the school's normal arrangements with its staff.
  • Awarding organisation materials referenced by the platform are the copyright of the relevant awarding organisation. We acknowledge that the commercial position with awarding organisations will need to be formalised before scaled deployment, on legal advice. POC scale is limited and bounded.
  • Markable platform code, design, prompts, and trained components are Markable's IP.

3.8 Children's data

We process pseudonymised data about children. We apply the principles of the ICO Age Appropriate Design Code: data minimisation, no profiling for advertising, no nudge techniques, default to the most protective settings, and age-appropriate transparency through the Student/Parent Privacy Notice template.

3.9 Scope

Markable is offered as an annotation and feedback tool for the subjects and assessment types officially supported on the platform. It is not offered for use as a sole or primary marker for any regulated qualification, for GCSE/AS/A-level summative marking that contributes to reported outcomes, for coursework moderation that bypasses centre IV, as a remote invigilator, or directly with students.

4. POC stage — what is deferred to scale

In line with legal advice, the following items are appropriately deferred from POC to scaled deployment:

| Item | POC position | Action before scale | | --- | --- | --- | | Formal commercial arrangement with awarding organisations regarding mark schemes, examiner reports, and past papers referenced in the platform | Not in place; POC scale is limited and bounded | Open commercial conversation with each relevant awarding organisation | | Published annual Validity and Fairness Report | First internal evaluation cycle planned within 3 months of POC | Move from internal evaluation to published report | | External information security audit (e.g. Cyber Essentials Plus) | Not yet completed | Complete before scaled deployment | | Formal subject-by-subject scoping document for each subject area | Drafted at high level | Formalised per subject before launch | | In-product school-administrator dashboard for safeguarding flags and platform usage | Logged but not surfaced via dashboard | Implement before scaled deployment |

5. Operational responsibilities

Named roles within Markable:

  • Compliance Lead: Joanne Renwick
  • Data Protection Lead: Joanne Renwick
  • Security Lead: Joanne Renwick

These can be the same individual at POC scale.

A standing quarterly review covers the risk register, open compliance items, complaints, safeguarding flag rates, sub-processor changes, and incidents.

6. Available on request

The following are available to school DPOs (and to relevant awarding organisations) on request, under reasonable confidentiality terms:

  • The full DPIA;
  • The LIA;
  • The Transfer Risk Assessment;
  • Penetration test summaries;
  • Security questionnaire responses;
  • A platform demonstration.

7. Contact

Markable (sole trader, proprietor: Joanne Renwick) support@markable.uk ICO Registration: C1917001

8. Review

This statement will be reviewed at least annually, before scaled deployment, on any material change to the platform, and on any material change to applicable law or regulator guidance.