
Data processing agreement

Last updated: 28th October 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“ToS”), or any other agreement between Marker.io SRL (“Marker.io”, “Processor”, “we”) and the Customer (“Customer”, “Controller”, “you”) governing the use of Marker.io’s services (collectively, the “Agreement”).

1. Purpose and Scope

1.1 This DPA reflects the parties’ agreement with respect to the processing of Personal Data under the Agreement in accordance with Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

1.2 The purpose of this DPA is to ensure that Marker.io processes Personal Data on behalf of the Customer in compliance with applicable data protection laws, including the GDPR, the UK GDPR, and any applicable national implementing laws.

1.3 In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the subject matter of data protection.

2. Roles and Responsibilities

2.1 Customer as Controller. The Customer acts as the data Controller, determining the purposes and means of the processing of Personal Data.

2.2 Marker.io as Processor. Marker.io acts as the data Processor, processing Personal Data solely on behalf of and in accordance with Customer’s documented instructions, as set out in this DPA and the Agreement.

2.3 Customer Responsibilities. Customer is responsible for ensuring that:

  • The processing of Personal Data under the Agreement has a valid legal basis under the GDPR.
  • It provides adequate notice to and obtains any necessary consents from data subjects.
  • Personal Data disclosed to Marker.io is accurate and relevant.

2.4 Processor Instructions. Marker.io shall process Personal Data only on documented instructions from the Customer, unless required to do so by law. Marker.io shall promptly inform the Customer if any instruction infringes applicable data protection laws.

3. Nature and Purpose of Processing

3.1 The nature, purpose, and duration of processing, as well as the types of Personal Data and categories of data subjects, are described in Annex I to this DPA.

3.2 Marker.io shall process Personal Data only for the purpose of providing the Services, improving the functionality and security of those Services, and performing its obligations under the Agreement.

3.3 The processing shall continue for the duration of the Agreement, unless otherwise required by law.

4. Processor Obligations

Marker.io shall:

4.1 Confidentiality. Ensure that all persons authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.

4.2 Security. Implement appropriate technical and organizational measures (“TOMs”) to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A description of such measures is provided in Annex II.

4.3 Assistance. Assist Customer, insofar as possible, in fulfilling Customer’s obligations to respond to data subject requests (access, correction, deletion, restriction, portability, objection) and in ensuring compliance with Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, and consultations).

4.4 Breach Notification. Notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach, including details of:

  • the nature of the breach,
  • categories and approximate number of data subjects and records concerned,
  • likely consequences, and
  • measures taken or proposed to address the breach.

4.5 Return or Deletion. Upon termination or expiry of the Agreement, Marker.io shall, at Customer’s option, delete or return all Personal Data and delete existing copies, unless retention is required by law.

4.6 Documentation. Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 8.

5. Subprocessors

5.1 Customer authorizes Marker.io to engage subprocessors to process Personal Data on its behalf in connection with the Service.

5.2 Marker.io shall:

  • Maintain an up-to-date list of subprocessors at https://marker.io/subprocessors.
  • Provide reasonable prior notice (at least 30 days) before engaging a new subprocessor.
  • Impose on each subprocessor data protection obligations equivalent to those set out in this DPA.
  • Remain fully responsible for the acts and omissions of subprocessors.

5.3 If Customer objects to the appointment of a new subprocessor, Customer may terminate the affected Services by providing written notice prior to the subprocessor’s engagement.

6. Security Measures

6.1 Marker.io implements and maintains appropriate technical and organizational measures as described in Annex II, taking into account:

  • the nature, scope, context, and purposes of processing;
  • the risks for data subjects; and
  • the state of the art, implementation costs, and proportionality.

6.2 Marker.io shall review and update these measures periodically to maintain an appropriate level of security.

7. International Data Transfers

7.1 Personal Data may be transferred and processed outside the European Economic Area (EEA) or the United Kingdom only where appropriate safeguards are in place.

7.2 Where Marker.io transfers Personal Data to a country not deemed to provide an adequate level of protection, such transfer shall be governed by the European Commission’s Standard Contractual Clauses (SCCs), incorporated herein by reference.

7.3 For transfers from the UK, the UK Addendum to the SCCs shall apply.

7.4 Where subprocessors are engaged outside the EEA/UK, Marker.io shall ensure that equivalent safeguards are in place.

8. Audit and Compliance

8.1 Upon Customer’s written request, Marker.io shall provide information reasonably necessary to demonstrate compliance with this DPA (e.g. security certifications, audit summaries, penetration test reports).

8.2 If such documentation does not suffice, Customer may conduct an audit, at its own cost, no more than once per year, subject to:

  • 30 days’ prior written notice,
  • execution of a confidentiality agreement, and
  • performance during normal business hours without unreasonable disruption.

8.3 Marker.io may satisfy audit requests by providing independent third-party audit reports (e.g., SOC 2) or equivalent evidence of compliance.

9. Data Retention and Deletion

9.1 Marker.io shall retain Personal Data only as long as necessary to provide the Service and fulfill its obligations under the Agreement.

9.2 Upon termination, Marker.io shall delete or return Personal Data as specified in Section 4.5.

9.3 Marker.io may retain minimal Personal Data (e.g., billing or account records) where required by law.

10. Liability and Limitation

10.1 Each party’s liability arising out of or in connection with this DPA shall be subject to the limitations of liability set out in the Agreement.

10.2 Nothing in this DPA limits either party’s liability where such limitation is prohibited by law.

Processing operations: Storage, transmission, analysis, organization, and deletion as required to provide the Service

11. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Belgium.
Any dispute arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Brussels, Belgium.

ANNEX I — Details of Processing

Subject matter: Provision of Marker.io bug-reporting and feedback collection software

Duration: Duration of the Agreement + 30 days post-termination

Nature and purpose: Processing to provide, support, and improve the Service

Categories of data subjects: Customer employees, contractors, or users reporting feedback via Marker.io

Types of personal data: Names, email addresses, user IDs, organization names, device/IP data, messages, attachments, metadata

Special categories of data: None (Marker.io does not require or intend to process special categories)

Exhibit B

The following includes the information required by Annex I and Annex III of the EU SCCs, and Appendix 1 of the UK SCCs.

1. The Parties

Data exporter(s):

Name: Customer, as stated and defined in the applicable Order (as such term is defined under the Agreement)

Address: Customer’s registered business address and any address provided to Marker.io at the time that Customer uses the Services.

Contact person’s name, position and contact details: Customer’s contact for the purposes of the SCCs will be the contact of the person that properly accepts and binds Customer to the Agreement unless another contact person’s information is specifically provided to Marker.io in writing.

Activities relevant to the data transferred under these Clauses:

Signature and date: The UK SCCs and EU SCCs will be considered executed upon Customer’s proper acceptance of the Agreement.

Role (controller/processor): Controller

Data importer(s):

Name: Marker.io SRL
Address: Avenue Louise 231, 1050 Brussels, Belgium
Email: hello@marker.io
Name: Gary Gaspar, CEO
Date: 28-Oct-2025
Role (controller/processor): Processor


ANNEX II — Technical and Organizational Measures

Marker.io maintains, at a minimum, the following controls:

  1. Access Control
    • Unique user authentication and password policies.
    • Role-based access controls limiting data access to authorized personnel.
    • Multi-factor authentication for administrative accounts.
  2. Data Encryption
    • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
    • Secure key management and regular rotation.
  3. Infrastructure Security
    • Hosting on secure, ISO 27001-certified infrastructure (AWS).
    • Regular patching and vulnerability scanning.
  4. Data Backup and Recovery
    • Daily backups with integrity checks and secure storage.
    • Tested disaster recovery procedures.
  5. Monitoring and Logging
    • Continuous system monitoring and logging of access and administrative actions.
    • Intrusion detection and alerting.
  6. Personnel and Training
    • Employee confidentiality agreements.
    • Mandatory privacy and security awareness training.
  7. Incident Response
    • Documented incident management and breach notification process.
    • Regular testing of response procedures.

ANNEX III — Authorized Subprocessors

Marker.io maintains an up-to-date list at https://marker.io/subprocessors

ANNEX IV — Data Breach Procedure Summary

  • Detection via automated monitoring and manual review.
  • Internal escalation to security team within 2 hours of detection.
  • Assessment and classification of incident.
  • Notification to affected customers within 48 hours.
  • Corrective action, containment, and post-incident review.

IN WITNESS WHEREOF, this DPA is entered into and forms part of the Agreement between Marker.io and Customer.

Marker.io SRL
Avenue Louise 231, 1050 Brussels, Belgium
BE0556685968

For any privacy-related inquiries, Marker.io’s Data Protection Officer can be contacted at
Email: support@marker.io

