Data security
Where Markaroo data is stored and processed, how it's protected, and the sub-processors we rely on. We expect IT leads and data-protection officers to read this in detail.
A formal Data Processing Agreement (DPA) and security questionnaire are provided to subscribing schools. This page is a summary, current as of May 2026.
At a glance
- Hosting: UK-based cloud infrastructure.
- Encryption: TLS 1.2+ in transit; AES-256 at rest.
- Authentication: per-user accounts; passwords stored with industry-standard one-way hashing.
- Access control: least-privilege model; only on-call engineers can reach production data, and access is logged.
- Backups: daily automated backups, retained for 30 days, encrypted at rest.
- AI training: uploaded content is not used to train any AI model — ours or any third party's.
Where your data lives
The Markaroo application database, file storage (uploaded PDFs), and audit logs sit on UK-based servers operated by our infrastructure provider. AI grading inference runs through Google Cloud's Gemini service. Content sent for inference is processed under terms that prohibit training use and is not retained beyond the inference request lifecycle.
Sub-processors
We work with a short list of vendors whose services are required to deliver Markaroo. Each is bound by data-processing terms aligned with UK GDPR.
| Vendor | Purpose | Region |
|---|---|---|
| Cloud hosting | Application servers, database, file storage | UK |
| Google Cloud (Gemini) | AI inference for grading and feedback | EU / UK regions |
| Transactional email | Account-related emails (password resets, notifications) | EU |
| Error monitoring | Detecting and diagnosing production faults | EU |
The current, named sub-processor list is provided to subscribing schools and updated when it changes. We give at least 30 days' notice before adding a new sub-processor.
How we handle student data
- Minimisation — we collect only what's needed to deliver the service.
- Segregation — students see only their own work; teachers see only the workspaces they belong to.
- No advertising data — Markaroo carries no advertising and shares no data with advertising platforms.
- Pseudonymisation in analytics — the Leaderboard dashboard uses initials only.
Retention & deletion
Workspace data persists while the workspace is active. Deletion removes the workspace and its content from primary systems within 30 days, and from encrypted backups within 90 days. Schools may request immediate erasure at any point; we'll confirm completion in writing.
Incident response
We monitor for security events 24/7. In the event of a personal-data breach, we will notify affected schools without undue delay and within 72 hours where the threshold under UK GDPR Article 33 is met, with information on impact and remediation.
Penetration testing & reviews
The platform undergoes periodic third-party security review. Pilot and subscribing schools may request the latest summary report under NDA.
Contact
Data-protection or security questions? Email parth@markaroo.co.uk — we respond within two working days, faster for urgent matters.