Sub-Processor List

Markus Sub-Processor List

Prepared in accordance with UK GDPR data processor obligations

Markus uses a limited number of carefully selected sub-processors to deliver its services. All sub-processors are subject to due diligence, contractual data protection obligations, and ongoing review in line with UK GDPR requirements.

1. Infrastructure & Hosting
Sub-Processor Legal Entity Purpose of Processing Data Location International Transfers
Google Cloud Platform Google Commerce Limited Cloud infrastructure hosting, storage, and processing of application data European Union
europe-west3, Frankfurt		 No
Data hosted and processed within EU region
2. AI Processing Services
Sub-Processor Legal Entity Purpose of Processing Data Location International Transfers
OpenAI OpenAI, L.L.C. Processing of student assessment data to generate automated marking and feedback United States Yes
SCCs in place
3. Authentication & Identity Providers
Sub-Processor Legal Entity Purpose of Processing Data Location International Transfers
Microsoft Microsoft Corporation and/or Microsoft Ireland Operations Limited User authentication via institutional Single Sign-On (SSO) EU / UK / Global
Customer tenant controlled		 Yes
SCCs where applicable
Google Google Commerce Limited (contracting entity within Google group) User authentication via Google OAuth EU / Global Yes
SCCs where applicable
4. Data Protection & Safeguards
  • Markus operates as a data processor and processes data only on documented instructions from the data controller
  • All sub-processors are bound by data processing agreements with UK GDPR compliant obligations
  • Where data is transferred outside the UK or EU, Markus relies on Standard Contractual Clauses (SCCs) and appropriate supplementary safeguards
  • No sub-processor uses customer data for model training or any independent purposes. Markus uses API based access to AI providers where data is not used for model training
  • Limited temporary retention may occur for abuse monitoring purposes:
    • OpenAI retains API data for up to 30 days, after which it is deleted
  • Markus applies a data minimisation approach, typically limited to name, email, and assessment data
  • Markus does not currently use third party analytics, tracking, or external logging providers
5. Sub-Processor Change Management
Markus operates a general authorisation model for sub-processors. Customers will be notified of any intended changes to sub-processors in advance and given the opportunity to object where required under UK GDPR.