Markaloud

Legal

Data Processing Agreement

Template DPA for institutions deploying Markaloud. Download, complete Schedule 1 with your institution's details, and countersign.

This is a template. Fields marked [INSTITUTION] and [DATE] should be completed before signing. Contact privacy@markaloud.com for a pre-filled version.

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the service agreement between:

Data Controller:[INSTITUTION NAME], of [INSTITUTION ADDRESS] ("the Controller")

Data Processor:Markaloud Ltd, ("the Processor")

Effective from: [DATE]

1. Definitions

In this DPA, "Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Scope and Purpose

The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the Markaloud transcription and feedback generation service, which includes:

  • Receiving and storing audio recordings of verbal academic feedback
  • Transcribing audio recordings into text using third-party speech-to-text services
  • Processing transcripts through AI language models to generate structured feedback
  • Storing transcripts, generated feedback, and associated metadata
  • Providing the Controller's authorised users with access to the above data

3. Types of Personal Data

The Processor may process the following categories of Personal Data:

  • Audio recordings containing verbal feedback about identifiable students
  • Student names (where provided by the Controller's users)
  • Text transcripts derived from audio recordings
  • AI-generated feedback text relating to identified students
  • Teacher/staff names and email addresses for account management
  • Assessment scores and rubric evaluations

4. Data Subjects

The categories of Data Subjects are:

  • Students of the Controller whose work is being assessed
  • Teaching staff and academic employees of the Controller who use the service

5. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by law
  • Ensure that persons authorised to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organisational security measures, including:
    • Encryption of data in transit (TLS/HTTPS)
    • Access controls and authentication for all users
    • Audit logging of data access and processing activities
    • Regular security updates and vulnerability monitoring
  • Not engage another processor without prior written authorisation of the Controller (see Section 6)
  • Assist the Controller in responding to Data Subject rights requests
  • Delete or return all Personal Data at the end of the service period, at the Controller's choice
  • Make available all information necessary to demonstrate compliance and allow for audits

6. Sub-Processors

The Controller hereby provides general written authorisation for the Processor to engage the following sub-processors:

Sub-ProcessorPurposeLocationData Retention
OpenAI, Inc.Speech-to-text transcription (Whisper API)United StatesZero retention — data deleted after processing
Anthropic, PBCAI feedback generation (Claude API)United StatesZero retention — data deleted after processing

The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. Data Processing Agreements are in place with all sub-processors listed above. Neither sub-processor uses API data for model training.

7. International Transfers

Personal Data is transferred to sub-processors located in the United States. These transfers are subject to appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) as approved by the UK Information Commissioner
  • Data Processing Agreements with each sub-processor
  • Zero data retention policies — data is processed and immediately discarded by sub-processors

8. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach. The notification shall include:

  • The nature of the breach, including categories and approximate number of Data Subjects affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details of the Processor's data protection point of contact

9. Data Retention and Deletion

The Processor shall retain Personal Data only for as long as necessary to provide the service. Upon termination of the agreement, the Processor shall:

  • Delete all Personal Data within 30 days of termination, unless retention is required by law
  • Provide written confirmation of deletion upon request
  • Offer data export in a structured, machine-readable format (JSON) prior to deletion

Individual users may delete their own data at any time through the application's account settings, which removes all associated submissions, audio files, transcripts, and feedback.

10. Duration and Termination

This DPA shall remain in effect for the duration of the service agreement between the parties. It shall automatically terminate upon expiry or termination of the service agreement, subject to the data deletion obligations in Section 9.

11. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales.

Signatures

Data Controller

Signed

Name

Title

Date

Data Processor

Signed

Name

Title

Date

For questions or to request a pre-filled version of this agreement, contact privacy@markaloud.com.