Data Processing Agreement

Markus Tech Ltd Data Processing Agreement

In accordance with UK GDPR, the Data Protection Act 2018, and applicable data protection legislation
Effective Date: As of the date of the main services agreement between the parties
Parties to this Agreement
Data Controller
The Customer
Institution:To be completed on the Order or by countersigned copy
Address:As per Order
DPO / Contact:As nominated by the Customer
Data Processor
Markus Tech Ltd
Company:Markus Tech Ltd
Co. No.:16443285
Address:49 Premier Avenue, Grays, RM16 2SB
Email:info@markus.tech
Need a countersigned copy? This DPA takes effect as part of the main services agreement (see Clause 23). To request a countersigned hard or PDF copy with your institution's details, email info@markus.tech.
1. Parties

This Data Processing Agreement ("DPA") is entered into between the Customer named on the Order or countersigned copy (acting as Data Controller) and Markus Tech Ltd ("Markus", acting as Data Processor).

This DPA forms part of the agreement governing the provision of services by Markus and operates alongside the Terms & Conditions and Service Level Agreement between the parties.

2. Definitions
Controller, Processor, Personal Data, Data Subject
As defined under the UK GDPR and the Data Protection Act 2018
Processing
Any operation or set of operations performed on personal data, as defined under UK GDPR Article 4
Sub-processor
Any third party engaged by Markus to process personal data on behalf of the Customer
Services
The Markus platform and associated services as described in the Terms & Conditions
IDTA
International Data Transfer Agreement: the UK's mechanism for lawful transfers of personal data to third countries
SCCs
Standard Contractual Clauses as adopted under applicable data protection legislation
TOMs
Technical and Organisational Measures, as detailed in Schedule 1 to this DPA
3. Scope and Roles

The Customer is the Data Controller. Markus acts solely as a Data Processor, processing personal data only on documented instructions from the Customer.

Markus shall not:

  • Determine the purposes of processing
  • Use personal data for its own independent purposes
  • Process personal data in a manner inconsistent with this DPA or the Customer's documented instructions

Where Markus reasonably believes that an instruction from the Customer would breach UK GDPR or applicable data protection law, Markus shall notify the Customer promptly and may suspend acting on that instruction until the Customer provides a lawful alternative instruction.

4. Controller Warranties

The Customer warrants that:

  • It has a lawful basis for each category of processing it instructs Markus to carry out
  • All personal data provided to Markus has been collected lawfully and in accordance with applicable data protection legislation
  • It has provided appropriate notices to data subjects regarding the processing described in this DPA
  • It will promptly notify Markus of any changes that may affect the lawfulness of the processing
5. Nature and Purpose of Processing

Markus processes personal data solely to provide the following services:

  • Automated marking and feedback generation
  • Assessment delivery and submission
  • Progress tracking and analytics
  • Platform functionality, security, and maintenance
6. Categories of Personal Data

Typical personal data processed under this agreement includes:

  • Student name
  • Student email address
  • Assessment responses (including uploaded work)
  • Marks, feedback, and progress data

Markus does not process special category data as part of its standard service. The platform is designed for the submission and marking of academic assessment work. The Customer is responsible for ensuring that Authorised Users do not upload content containing special category data. Where such content is inadvertently submitted, Markus's safeguarding functionality may identify and flag it, but the Customer remains responsible for appropriate handling and response.

7. Categories of Data Subjects
  • Students (including those under the age of 18)
  • Teachers and educational staff
8. Duration of Processing

Processing continues for the duration of the agreement. Upon termination of the agreement, Markus shall cease processing and handle data in accordance with Clause 17 of this DPA.

9. Processor Obligations

Markus shall:

  • Process personal data only on documented instructions from the Customer, unless required to do so by applicable law
  • Ensure that all personnel authorised to process personal data are subject to written confidentiality obligations
  • Restrict access to personal data to those personnel who require it for the performance of the Services
  • Implement and maintain appropriate technical and organisational measures as set out in Schedule 1
  • Assist the Customer in responding to data subject rights requests within timeframes that allow the Customer to meet its obligations under UK GDPR (typically within 5 working days of Markus receiving the request)
  • Assist the Customer with Data Protection Impact Assessments (DPIAs) and regulatory compliance where reasonably required
  • Notify the Customer of any personal data breach without undue delay and in accordance with Clause 15
  • Maintain records of processing activities as required under UK GDPR Article 30
  • Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA
10. Confidentiality

Markus shall ensure that any person authorised to process personal data under this DPA:

  • Is subject to a binding written obligation of confidentiality with respect to such personal data
  • Processes personal data only to the extent necessary for the performance of the Services
  • Does not disclose personal data to any third party other than authorised sub-processors

This obligation of confidentiality survives the termination of this DPA.

11. Security Measures

Markus implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. Full details are set out in Schedule 1 (Technical and Organisational Measures).

Markus does not currently use third party analytics tools, tracking systems, or external logging providers.
12. Records of Processing Activities

In accordance with UK GDPR Article 30(2), Markus maintains records of all categories of processing activities carried out on behalf of customers. These records include:

  • The name and contact details of Markus and, where applicable, relevant personnel
  • The categories of processing carried out on behalf of each customer
  • Details of international transfers and the safeguards in place
  • A general description of the technical and organisational security measures

Records are made available to the ICO upon request.

13. Sub-processors

The Customer provides general written authorisation for Markus to engage sub-processors in connection with the delivery of the Services. Markus shall:

  • Maintain and make available a current list of sub-processors upon request
  • Provide a minimum of 30 days' advance written notice of any intended addition or replacement of a sub-processor
  • Give the Customer a reasonable opportunity to object to the change on legitimate data protection grounds
  • Ensure all sub-processors are bound by written data protection obligations no less protective than those in this DPA
  • Remain fully liable to the Customer for the performance of any sub-processor's obligations

Current sub-processor categories include cloud hosting providers, AI processing providers, and authentication providers. The current sub-processor list is available on the Markus website (Sub-Processor List) and referenced in Schedule 2.

14. International Data Transfers

Where personal data is transferred outside the United Kingdom or European Economic Area, Markus ensures that a lawful transfer mechanism is in place. Mechanisms used include:

  • International Data Transfer Agreement (IDTA): the UK's primary mechanism for international transfers under UK GDPR
  • Standard Contractual Clauses (SCCs): where applicable for transfers involving EEA based entities
  • Adequacy decisions where the destination country has been recognised as adequate by the UK Government

Where required, Markus conducts Transfer Risk Assessments (TRAs) and applies supplementary technical and organisational measures to ensure an equivalent level of protection.

All international transfers are carried out in accordance with UK GDPR Chapter V and applicable guidance from the ICO.
15. Breach Notification

In the event of a confirmed or suspected personal data breach, Markus shall:

  • Notify the Customer without undue delay and within 48 hours of becoming aware of the breach
  • Provide sufficient information to enable the Customer to assess its regulatory notification obligations
  • Include, as a minimum: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
  • Take prompt and reasonable steps to contain, investigate, and remediate the breach
  • Cooperate with the Customer and relevant authorities as required

Where information cannot be provided in full at the time of initial notification, it shall be provided in phases as it becomes available.

16. Data Subject Rights

Markus shall provide reasonable and timely assistance to the Customer in responding to data subject rights requests, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

The Customer remains responsible as Data Controller for responding to data subjects directly and within statutory timeframes. Markus shall not respond to data subjects directly without the Customer's prior authorisation, except where required by law.

17. Data Deletion and Return

Upon termination of the agreement:

  • The Customer may request an export of their data prior to deletion
  • All personal data will be securely and permanently deleted within 60 days of the termination date
  • Upon request, Markus will provide written confirmation that deletion has been completed
  • Markus may retain anonymised and aggregated data that is no longer capable of identifying any individual
A written deletion certificate is available upon request following completion of the deletion process.
18. Audit and Compliance

Markus shall make available all information reasonably necessary to demonstrate compliance with this DPA and UK GDPR Article 28.

The Customer may request a formal audit subject to the following conditions:

  • Reasonable written notice must be provided (minimum 30 days unless agreed otherwise)
  • Audits must be proportionate and conducted during normal business hours
  • Audits must not compromise the security or confidentiality of other customers' data
  • The Customer shall bear the reasonable costs of any formal audit
  • No more than one formal audit per calendar year, unless there is reasonable evidence of a material breach
19. Liability

Liability under this DPA is subject to the limitations set out in the main Terms & Conditions. Each party shall be individually liable for breaches of data protection law attributable to their own actions.

Nothing in this DPA limits liability for:

  • Fraud or fraudulent misrepresentation
  • Death or personal injury caused by negligence
  • Any liability that cannot be limited or excluded by applicable law
20. Governing Law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

21. Order of Precedence

In the event of conflict between the documents forming the agreement, the following order of precedence applies:

1
This Data Processing Agreement (DPA)
2
Terms & Conditions
3
Service Level Agreement (SLA)
22. Entire Agreement and Variation

This DPA, together with the Terms & Conditions and SLA, constitutes the entire agreement between the parties with respect to data processing and supersedes all prior agreements or understandings on the same subject.

Any variation to this DPA must be agreed in writing by both parties. Markus may update this DPA to reflect changes in applicable law or operational practice, with reasonable written notice provided to the Customer.

23. Incorporation
This DPA is incorporated into the agreement between the parties and takes effect upon acceptance of the main services agreement. A separate countersignature is not required unless explicitly requested. To request a countersigned copy, contact info@markus.tech.
Schedule 1: Technical and Organisational Measures (TOMs)
Measures implemented by Markus Tech Ltd to protect personal data
Infrastructure & Hosting
  • All data hosted on Google Cloud Platform within the EU (europe-west3, Frankfurt)
  • No data processed or stored outside the EU or UK without an appropriate transfer mechanism
  • Infrastructure subject to Google Cloud's own ISO 27001 aligned security controls
Encryption
  • All data encrypted in transit using TLS 1.2 or higher
  • All data encrypted at rest using AES 256 or equivalent
  • Encryption keys managed securely and not accessible to unauthorised personnel
Access Controls
  • Role based access controls (RBAC) applied across all systems
  • Access to personal data restricted to personnel who require it for service delivery
  • Federated authentication enforced via Microsoft or Google OAuth
  • Multi factor authentication applied where technically feasible
  • Access rights reviewed regularly and revoked promptly upon role change or departure
Data Minimisation & Retention
  • Only data necessary to deliver the Services is processed
  • No behavioural tracking, profiling, or advertising data collected
  • Data retained only for the duration of the agreement and deleted within 60 days of termination
  • Sub-processor data retention limited and monitored
System Integrity & Monitoring
  • Regular review of system access logs and integrity checks
  • No third party analytics, tracking, or external logging providers used
  • Platform updates and security patches applied on a regular and risk based basis
  • Incident response procedures in place for data breaches and security events
Organisational Measures
  • Certified under the UK Government-backed Cyber Essentials scheme (whole organisation scope, renewed annually)
  • All staff with access to personal data subject to written confidentiality obligations
  • Data protection awareness maintained across relevant personnel
  • Sub-processors subject to due diligence and equivalent contractual obligations
  • Data protection considerations embedded in product development and system design
Schedule 2: Sub-processor Categories
Current categories of sub-processors engaged by Markus Tech Ltd
Cloud Hosting
Google Cloud Platform (Google Commerce Limited), EU region hosting and infrastructure
AI Processing
OpenAI, L.L.C.: Processing of assessment data for automated marking and feedback generation. International transfer via IDTA or SCCs
Authentication
Microsoft (Microsoft Corporation and/or Microsoft Ireland Operations Limited): Institutional SSO. Google Commerce Limited: Google OAuth. These providers receive only authentication tokens and identity verification data (typically name and email). They do not receive assessment content, marks, feedback, or any other platform data.

The full and current sub-processor list, including legal entity names, data locations, and transfer mechanisms, is published at /Home/SubProcessors and is also available on request. Markus will provide a minimum of 30 days' notice of any intended changes to sub-processors.