Data processing agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“ToS”), or any other agreement between Marker.io SRL (“Marker.io”, “Processor”, “we”) and the Customer (“Customer”, “Controller”, “you”) governing the use of Marker.io’s services (collectively, the “Agreement”).
1. Purpose and Scope
1.1 This DPA reflects the parties’ agreement with respect to the processing of Personal Data under the Agreement in accordance with Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).
1.2 The purpose of this DPA is to ensure that Marker.io processes Personal Data on behalf of the Customer in compliance with applicable data protection laws, including the EU GDPR, the UK GDPR, and any applicable national implementing laws.
1.3 This DPA commences on the DPA Effective Date and terminates upon expiration or termination of the Agreement unless Marker.io continues to process Personal Data after the termination of the Agreement. In that case, the DPA terminates on the date that Marker.io ceases all processing of Personal Data on behalf of the Customer.
1.4 In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the subject matter of data protection.
2. Roles and Responsibilities
2.1 Customer as Controller. The Customer acts as the data Controller, determining the purposes and means of the processing of Personal Data.
2.2 Marker.io as Processor. Marker.io acts as the data Processor, processing Personal Data solely on behalf of and in accordance with (1) Customer’s documented instructions, as set out in this DPA and the Agreement, and (2) Marker.io’s obligations to comply with applicable law.
2.3 Customer Responsibilities. Customer is responsible for ensuring that:
● The processing of Personal Data under the Agreement has a valid legal basis under the GDPR and any other applicable laws. Marker.io has no obligation to actively monitor Customer’s compliance with Data Protection laws.
● It provides adequate notice to and obtains any necessary consents from data subjects.
● Personal Data disclosed to Marker.io is accurate and relevant.
2.4 Processor Instructions. Marker.io shall process Personal Data only on documented instructions from the Customer, unless required to do so by law. Marker.io shall promptly inform the Customer if any instruction infringes applicable data protection laws.
3. Nature and Purpose of Processing
3.1 The nature, purpose, and duration of processing, as well as the types of Personal Data and categories of data subjects, are described in Annex I to this DPA.
3.2 Marker.io shall process Personal Data only for the purpose of providing the Services, improving the functionality and security of those Services, and performing its obligations under the Agreement.
3.3 The processing shall continue for the duration of the Agreement, unless otherwise required by law.
4. Processor Obligations
Marker.io shall:
4.1 Confidentiality. Ensure that all persons authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.
4.2 Security. Implement appropriate technical and organizational measures (“TOMs”) to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Marker.io will regularly monitor its compliance with TOMs using the controls described in Annex II.
4.3 Assistance. Assist Customer, insofar as possible, in fulfilling Customer’s obligations to respond to data subject requests (access, correction, deletion, restriction, portability, objection) and in ensuring compliance with Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, and consultations) provided that Customer cannot reasonably fulfill such requests independently (including through use of the Service).
4.4 Breach Notification. Notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach, including details of:
● the nature of the breach,
● categories and approximate number of data subjects and records concerned,
● likely consequences, and
● measures taken or proposed to address and remediate the breach.
4.5 Customer acknowledges that Marker.io’s notification of a Personal Data Breach is not an acknowledgement by Marker.io of its fault or liability.
4.6 Return or Deletion. Upon termination or expiry of the Agreement, Marker.io shall, at Customer’s option, delete or return all Personal Data and delete existing copies, unless retention is required by law. In the event that Marker.io is required by law to retain any Personal Data, Marker.io will maintain the confidentiality of, and otherwise comply with, the applicable provisions of this DPA.
4.7 Documentation. Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 8.
5. Subprocessors
5.1 Customer authorizes Marker.io to engage subprocessors to process Personal Data on its behalf in connection with the Service.
5.2 Marker.io shall:
● Maintain an up-to-date list of subprocessors at https://marker.io/subprocessors.
● Provide reasonable prior notice (at least thirty (30) days) before engaging a new subprocessor.
● Enter into a written agreement with each subprocessor imposing data protection obligations equivalent to those set out in this DPA.
● Remain fully responsible for the acts and omissions of subprocessors that directly cause Marker.io to breach any of its obligations under this DPA.
5.3 If Customer objects to the appointment of a new subprocessor based on reasonable data protection concerns, Customer must notify Marker.io, in writing, of such objection a minimum of fifteen (15) days prior to the subprocessor’s engagement. The parties will discuss such concerns in good faith and attempt to reach a reasonable solution. If the parties are unable to reach a mutually agreeable resolution to Customer’s objection, Customer may, at its sole discretion, terminate the affected Services.
6. Security Measures
6.1 Marker.io implements and maintains appropriate technical and organizational measures as described in Annex II, taking into account:
● the nature, scope, context, and purposes of processing;
● the risks for data subjects; and
● the state of the art, implementation costs, and proportionality.
6.2 Marker.io shall review and update these measures periodically to maintain an appropriate level of security.
7. International Data Transfers
7.1 Personal Data may be transferred and processed outside the European Economic Area (EEA) or the United Kingdom only where appropriate safeguards are in place.
7.2 Where Marker.io transfers Personal Data to a country not deemed to provide an adequate level of protection, such transfer shall be governed by the European Commission’s Standard Contractual Clauses (SCCs), incorporated herein by reference.
7.3 For transfers from the UK, the UK Addendum to the SCCs shall apply.
7.4 Where subprocessors are engaged outside the EEA/UK, Marker.io shall ensure that equivalent safeguards are in place.
8. Audit and Compliance
8.1 Marker.io will keep records of its Processing in compliance with Data Protection laws. Upon Customer’s written request, Marker.io shall provide information reasonably necessary to demonstrate compliance with this DPA (e.g. security certifications, audit summaries, penetration test reports).
8.2 If such documentation does not suffice, Customer may conduct an audit, at its own cost, no more than once per year, subject to:
● Thirty (30) days’ prior written notice,
● A mutually agreed-upon Audit plan that limits the scope to matters reasonably required for Customer to assess Marker.io’s compliance with this DPA and the parties’ compliance with applicable Data Protection laws,
● execution of a confidentiality agreement, and
● performance during normal business hours without unreasonable disruption.
8.3 Marker.io may satisfy audit requests by providing independent third-party audit reports (e.g., SOC 2) or equivalent evidence of compliance.
9. Data Retention and Deletion
9.1 Marker.io shall retain Personal Data only as long as necessary to provide the Service and fulfill its obligations under the Agreement.
9.2 Upon termination, Marker.io shall delete or return Personal Data as specified in Section 4.6.
9.3 Marker.io may retain minimal Personal Data (e.g., billing or account records) where required by law.
10. Liability and Limitation
10.1 Each party’s liability arising out of or in connection with this DPA shall be subject to the limitations of liability set out in the Agreement.
10.2 Nothing in this DPA limits either party’s liability where such limitation is prohibited by law.
Processing operations: Storage, transmission, analysis, organization, and deletion as required to provide the Service
11. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of Belgium.
Any dispute arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Brussels, Belgium.
ANNEX I — Details of Processing
Subject matter: Provision of Marker.io bug-reporting and feedback collection software
Duration: Duration of the Agreement + 30 days post-termination
Nature and purpose: Processing to provide, support, and improve the Service
Categories of data subjects: Customer employees, contractors, or users reporting feedback via Marker.io
Types of personal data: Names, email addresses, user IDs, organization names, device/IP data, messages, attachments, metadata
Special categories of data: None (Marker.io does not require or intend to process special categories)
Exhibit B
The following includes the information required by Annex I and Annex III of the EU SCCs, and Appendix 1 of the UK SCCs.
1. The Parties
Data exporter(s):
Name: Customer, as stated and defined in the applicable Order (as such term is defined under the Agreement)
Address: Customer’s registered business address and any address provided to Marker.io at the time that Customer uses the Services.
Contact person’s name, position and contact details: Customer’s contact for the purposes of the SCCs will be the contact of the person that properly accepts and binds Customer to the Agreement unless another contact person’s information is specifically provided to Marker.io in writing.
Activities relevant to the data transferred under these Clauses:
Signature and date: The UK SCCs and EU SCCs will be considered executed upon Customer’s proper acceptance of the Agreement.
Role (controller/processor): Controller
Data importer(s):
Name: Marker.io SRL
Address: Avenue Louise 231, 1050 Brussels, Belgium
Email: hello@marker.io
Name: Gary Gaspar, CEO
Date: 28-Oct-2025
Role (controller/processor): Processor
ANNEX II — Technical and Organizational Measures
Marker.io maintains, at a minimum, the following controls:
1. Access Control
o Unique user authentication and password policies.
o Role-based access controls limiting data access to authorized personnel.
o Multi-factor authentication for administrative accounts.
2. Data Encryption
o Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
o Secure key management and regular rotation.
3. Infrastructure Security
o Hosting on secure, ISO 27001-certified infrastructure (AWS).
o Regular patching and vulnerability scanning.
4. Data Backup and Recovery
o Daily backups with integrity checks and secure storage.
o Tested disaster recovery procedures.
5. Monitoring and Logging
o Continuous system monitoring and logging of access and administrative actions.
o Intrusion detection and alerting.
6. Personnel and Training
o Employee confidentiality agreements.
o Mandatory privacy and security awareness training.
7. Incident Response
o Documented incident management and breach notification process.
o Regular testing of response procedures.
ANNEX III — Authorized Subprocessors
Marker.io maintains an up-to-date list at https://marker.io/subprocessors
ANNEX IV — Data Breach Procedure Summary
● Detection via automated monitoring and manual review.
● Internal escalation to security team within 2 hours of detection.
● Assessment and classification of incident.
● Notification to affected customers within 48 hours.
● Corrective action, containment, and post-incident review.
IN WITNESS WHEREOF, this DPA is entered into and forms part of the Agreement between Marker.io and Customer.
Marker.io SRL
Avenue Louise 231, 1050 Brussels, Belgium
BE0556685968
For any privacy-related inquiries, Marker.io’s Data Protection Officer can be contacted at
Email: support@marker.io