Data Processing Agreement

Markable — Data Processing Agreement

Version: 1.0
Effective date: 8 May 2026

This Data Processing Agreement ("DPA") is entered into between the educational institution identified in the order or account ("School", as "Controller") and Joanne Renwick, trading as Markable ("Markable", as "Processor"). It forms part of, and is incorporated into, the Terms of Service. It is intended to satisfy the requirements of UK GDPR Article 28.

In the event of any conflict between this DPA and the Terms of Service in respect of the processing of personal data, this DPA prevails.

⚠️ Before this DPA is executed with any School, the parties' addresses must be inserted in the signature block. Markable's business address (and the School's address) is required for the DPA to be a properly executed contract under English law. Markable should secure a virtual office or other business address before going live with paying schools.


1. Definitions

Terms used in this DPA have the meanings given in UK GDPR. In addition:

  • "Applicable Data Protection Law" means UK GDPR, the Data Protection Act 2018, and any other data protection law applicable to the processing.
  • "Personal Data" means personal data processed by Markable on behalf of the School under the Terms of Service.
  • "Sub-processor" means any third party engaged by Markable to process Personal Data.
  • "Services" means the Markable platform and related services provided under the Terms of Service.

2. Roles

  • The School is the Controller of Personal Data uploaded to or created within the Services concerning its students.
  • Markable is the Processor and acts on the School's documented instructions.
  • This DPA, the Terms of Service, the Privacy Policy, and the School's in-product configuration constitute the School's documented instructions.

If Markable receives an instruction it believes infringes Applicable Data Protection Law, it will inform the School without undue delay.

3. Subject-matter, duration, nature and purpose

| Item | Detail |
| --- | --- |
| Subject-matter | Provision of the AI-assisted annotation and feedback platform |
| Duration | Term of the Subscription plus retention periods set out in the Privacy Policy |
| Nature | Storage, organisation, automated analysis, retrieval, transmission, deletion |
| Purpose | Supporting teacher-led marking and feedback for assessment |
| Data subjects | Students of the School; teachers and other staff users |
| Categories of Personal Data | Reference codes/initials, script text, marks, comments, audit metadata; teacher identifiers and contact details |
| Special category data | Should not be present. School responsible for enforcement; Markable provides PII detection at upload as a control |

4. Markable's obligations

Markable will:

a) process Personal Data only on the School's documented instructions, including with regard to international transfers, except where required by law;

b) ensure that persons authorised to process Personal Data are committed to confidentiality;

c) implement and maintain the technical and organisational measures set out in Annex II;

d) only engage Sub-processors with the prior general authorisation of the School (see section 5);

e) assist the School with data subject requests under UK GDPR Articles 12–22 (see section 7);

f) assist the School with its obligations under UK GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation);

g) at the School's choice, delete or return all Personal Data after the end of the Services, except where retention is required by law;

h) make available all information necessary to demonstrate compliance with this DPA and Article 28, and contribute to audits as set out in section 9.

5. Sub-processors

The School grants Markable general authorisation to engage Sub-processors, subject to the conditions in this section.

The current list of Sub-processors is set out in Annex I. Markable will give the School at least 30 days' written notice before adding or replacing a Sub-processor that processes Personal Data. The School may object on reasonable grounds within the notice period; if a reasonable objection cannot be resolved, the School may terminate the affected Services without penalty and Markable will refund pre-paid fees for the unused period.

Markable will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable for the acts and omissions of its Sub-processors.

6. International transfers

Where Markable transfers Personal Data outside the United Kingdom, it relies on:

  • UK adequacy decisions where one applies;
  • The UK International Data Transfer Agreement (IDTA);
  • The European Commission Standard Contractual Clauses with the UK Addendum;
  • The UK extension of the EU–US Data Privacy Framework, where the recipient is certified.

A Transfer Risk Assessment is maintained for each non-UK Sub-processor and is available to the School on request.

7. Data subject rights — assistance to the School

When the School receives a data subject request:

  1. The School authenticates the request and decides whether to comply.
  2. The School sends Markable a Processor Assistance Request at support@markable.uk.
  3. Markable will respond within 5 working days and assist in the manner needed to allow the School to meet its UK GDPR deadline.

Markable will not respond directly to data subjects in respect of Controller data, except to refer them to the School. Markable does not charge for reasonable assistance with data subject rights.

8. Personal data breach

Markable will notify the School without undue delay and in any event within 24 hours of becoming aware of a personal data breach affecting the School's Personal Data, providing the information required to help the School meet its own obligations under UK GDPR Articles 33 and 34.

9. Audits

The School may, on reasonable prior notice and not more than once per year (unless required by a regulator or following a breach), audit Markable's compliance with this DPA. Audits will be conducted during business hours, will not unreasonably disrupt Markable's operations, and will respect the confidentiality of other customers.

Markable may satisfy audit obligations by providing independent assurance reports, recent penetration test summaries, security questionnaire responses, and access to its policies and DPIA.

10. Return and deletion

On termination, the School may within a 30-day grace period export its data through the Services. After that period, Markable will delete the School's Personal Data within a further 30 days, except for backups (deleted on a rolling 30-day cycle), audit-trail records held to support assessment integrity, and statutory billing records.

On request, Markable will provide written confirmation of deletion.

11. Liability

Liability under this DPA is governed by the Terms of Service. Where Article 82 UK GDPR allocates liability between Controller and Processor, that allocation applies.

12. Term and order of precedence

This DPA is effective from the date the Services first process Personal Data and continues until the later of: (a) the end of the Subscription; or (b) deletion of all Personal Data in accordance with section 10.

In the event of conflict between this DPA and any other agreement between the parties, this DPA prevails in respect of the processing of Personal Data.


Annex I — Sub-processors

| Sub-processor | Function | Region | Personal Data processed |
| --- | --- | --- | --- |
| Anthropic, PBC | LLM inference | USA | Script text only — no student personal data |
| Supabase | Database and file storage | EU (AWS Frankfurt) | All platform data |
| Vercel | Application hosting | UK / EU / USA | No persistent personal data |
| Stripe | Payment processing | UK / EU / USA | Teacher billing data |
| Inngest | Background jobs | USA | Script identifiers and job status |
| Microsoft Corporation (mailbox hosting via GoDaddy as reseller) | Business and transactional email | UK | Teacher email |
| HighLevel Inc. (Go High Level) | CRM and email automation | USA | Teacher email |

The current authoritative list is at markable.uk/sub-processors.

Annex II — Technical and organisational measures

Confidentiality: Multi-factor authentication mandatory for all teacher accounts; role-based, least-privilege staff access; confidentiality undertakings for staff and contractors.

Integrity: Encryption in transit (TLS 1.2+) and at rest (AES-256); row-level security in the application database; input validation.

Availability: Backups with point-in-time recovery; rolling 30-day window; routine restore testing; documented disaster recovery plan.

Pseudonymisation and minimisation: Schools required to use reference codes; direct identifiers excluded from data sent to LLM; PII scanner alerts teachers to detected real-world identifiers.

Vendor management: Sub-processors bound by contracts no less protective than this DPA; security review of each Sub-processor.

Testing and assurance: Documented patching cadence (critical 72 hours, high 7 days, medium 30 days); documented incident response procedure.

Audit logging: Authentication events, finalisation events, AI inference metadata, dismissed safeguarding flags, and administrative actions logged; logs retained for at least 12 months.

Governance: Named Data Protection Lead; named Compliance Lead; DPIA, LIA, TRA and risk register maintained and reviewed.