Data Processing Agreement (Draft)

Last updated: 17 July 2026

DRAFT: UNDER LEGAL REVIEW

This document is not yet in force and is not legally binding. It is published for transparency while we finalise it with our advisers. If your organisation needs a binding agreement in the meantime, email privacy@marklet.io and we will provide one.

This Data Processing Agreement ("DPA") sets out, in draft, how Levered AI Ltd processes personal data on your behalf, and the terms required by Article 28 UK GDPR. Once finalised it will form part of our Terms of Service and take effect when you accept them. In its current draft form it does not have contractual effect. If your organisation requires a binding, countersigned version, email privacy@marklet.io.

1. Parties and roles

This DPA is between Levered AI Ltd (company number 17149630, registered in England and Wales, registered office 167-169 Great Portland Street, 5th Floor, London, W1W 5PF), trading as Marklet ("we", "us", "our", the "Processor"), and the organisation that holds a Marklet workspace ("you", the "Customer", the "Controller").

Which role we hold depends on the data, and both roles can apply at the same time to the same workspace:

  • You are the controller and we are your processor for the block data held in your workspace: issues, emails, documents, service charge records, vendor records, and the leaseholder and resident contact details you hold. You decide what is collected and why. This DPA governs that processing.
  • We are an independent controller for the data we hold about your organisation as our customer: account and login records, billing details, support correspondence, and product usage telemetry. That processing is governed by our Privacy Policy, not this DPA.

Where you connect a third-party accounting or Open Banking service (Xero, QuickBooks Online, Sage, FreeAgent, TrueLayer or Google), that provider acts as an independent controller for the data held in your account with them, under its own terms and privacy notice. Those providers are not our sub-processors and this DPA does not cover their processing.

2. Subject matter, duration, nature and purpose

  • Subject matter: our provision of the Marklet block management platform to you.
  • Duration: for as long as your workspace is active, plus the retention period in section 9 of this DPA.
  • Nature of the processing: collection, recording, organisation, structuring, storage, retrieval, consultation, use, transmission, restriction, erasure and destruction, carried out by automated means.
  • Purpose: to provide, secure, support and maintain the platform, namely issue tracking, email tracking and import, service charge and demand records, document storage, vendor and calendar records, compliance alerts, and the AI assistant ("Ask Mark").

3. Categories of data subject and personal data

Data subjects. Leaseholders and residents of the blocks you manage; directors and committee members of your organisation; your staff and other authorised users; contractors, vendors and other correspondents whose details you record or who email your workspace address.

Categories of personal data. Names and contact details (email address, telephone number, correspondence address); flat, unit and block identifiers; issue descriptions, comments and attached photographs; email message content, metadata and attachments; documents you upload; service charge and demand records, payment statuses and arrears data; vendor and contractor records; user account, role and access records.

Special category data. Marklet is not designed for and does not require special category data as defined in Article 9 UK GDPR, or criminal offence data under Article 10. We do not ask for it. In practice, free-text fields and inbound email can contain it, for example where a leaseholder describes a health condition relevant to a repair or an accessibility need. You remain the controller for anything you or your correspondents put into those fields, and you are responsible for having a lawful basis and an Article 9 condition for it. We treat any such data under the same security measures as all other block data.

4. Processing on documented instructions

We process personal data only on your documented instructions, including on transfers outside the United Kingdom, unless we are required to process it by law. Where the law requires it, we will tell you before processing unless that law prohibits us from telling you.

Your instructions are: this DPA, our Terms of Service, the configuration choices and settings you make in the product, and any further written instruction you give us. Your use of the platform through its normal functions is an instruction to carry out the processing that function performs.

We will tell you if, in our opinion, an instruction infringes UK GDPR or other data protection law. We may suspend the affected processing until the instruction is withdrawn, amended or confirmed.

We do not use your block data to train AI models. Content sent to our AI sub-processor for inference is not used to train that provider's models, and we do not use it to train models of our own.

5. Confidentiality

We ensure that everyone authorised to process personal data under this DPA is bound by an appropriate obligation of confidentiality, whether contractual or statutory, and that the obligation survives the end of their engagement.

Access to your workspace data by our personnel is limited to the individuals who need it to operate, support or secure the platform, and is limited to what that task requires.

6. Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as required by Article 32 UK GDPR. The measures in force are described in Annex B.

We keep those measures under review and may update them as the platform develops. We will not make a change that materially reduces the overall security of the processing.

7. Sub-processors

You give us general written authorisation to engage sub-processors. The sub-processors engaged at the date of this DPA are listed in Annex A.

Where we engage a sub-processor, we impose on it by contract the same data protection obligations as those in this DPA, so far as applicable to the service it provides. If a sub-processor fails to meet its data protection obligations, we remain fully liable to you for its performance.

Changes and objections. We will give you at least 30 days' notice before adding or replacing a sub-processor, by email to your workspace administrators and by updating Annex A. If you have a reasonable objection on data protection grounds, tell us within that 30 day period and we will work with you in good faith to find an alternative. If we cannot, you may terminate the affected part of the service without penalty and receive a pro rata refund of any fees paid in advance for the unused period.

To receive sub-processor change notices, email privacy@marklet.io and we will add your address to the notification list.

8. Assistance with your obligations

Data subject rights. Taking account of the nature of the processing, we assist you by appropriate technical and organisational measures, so far as possible, to respond to requests to exercise rights under Chapter III UK GDPR (access, rectification, erasure, restriction, portability and objection). Your administrators can search, correct and delete workspace records directly in the product, which will resolve most access, rectification and erasure requests without our involvement. For requests that need a structured export of a data subject's records, contact us at privacy@marklet.io and we will produce one for you. We aim to respond to a request for assistance within 5 working days.

If a data subject makes a request to us directly about data we process on your behalf, we will not respond to it ourselves, except to acknowledge and to direct them to you. We will tell you about the request without undue delay.

Wider obligations. Taking account of the nature of the processing and the information available to us, we assist you in complying with your obligations under Articles 32 to 36 UK GDPR: security, personal data breach notification and communication, data protection impact assessments, and prior consultation with the ICO.

9. Deletion and return

At your choice, we delete or return all personal data we process on your behalf after the end of the provision of the service, and delete existing copies, unless we are required by law to keep it.

  • Return. At any time while your workspace is active, and on termination, you may ask us for a copy of your workspace data in a structured, commonly used, machine-readable format. Email privacy@marklet.io and we will produce it.
  • Deletion is immediate and irreversible. When a block is deleted from the product, its records are removed straight away and the encryption key protecting that block's files is destroyed, which makes the stored files permanently unrecoverable. There is no grace period and no recovery window, so export anything you need to keep before you delete.
  • Backups. Our database host takes a backup of the platform database once a day and retains the last 7 days. Deleted data can therefore persist in a backup for up to 7 days after it is removed from our live systems, and is then overwritten. Backups are not restored to live systems except as part of a disaster recovery event affecting the platform, and data in a backup remains subject to this DPA until it ages out.

10. Audits and information

We make available to you the information necessary to demonstrate compliance with Article 28 UK GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate.

In the first instance we will respond to a reasonable written request for information about our processing, security measures and sub-processors, and will complete a security questionnaire. Where that does not give you the assurance you reasonably need, you may audit us on 30 days' written notice, no more than once in any 12 month period unless a personal data breach affecting your data has occurred or a supervisory authority requires it. Audits take place during business hours, must not unreasonably disrupt our operations, are subject to confidentiality, and must not require us to disclose another customer's data or information that would compromise our security.

You bear your own costs of an audit. We bear our own costs of responding, except where an audit reveals a material breach of this DPA by us, in which case we bear the reasonable costs of the audit.

11. Personal data breaches

We notify you without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting personal data we process on your behalf. The notice will describe, so far as we know it at the time: the nature of the breach and the categories and approximate number of data subjects and records concerned; the likely consequences; the measures we have taken or propose to take; and a contact point for more information. Where we cannot provide all of it at once, we will provide it in phases without further undue delay.

Reporting the breach to the ICO under Article 33, and to affected data subjects under Article 34, is your decision and your responsibility as controller. We will give you the information and assistance you reasonably need in order to do it.

To report a suspected security issue to us, email security@marklet.io.

12. International transfers

Your workspace database and the files you upload are stored in Ireland, and the application server that processes them runs in the Netherlands. Some processing nevertheless takes place outside the UK and the EU. In particular, transactional email is delivered by a provider that stores message data in the United States; inbound email routing and bot protection run on a global edge network; and several of our sub-processors are companies established in the United States, which is a restricted transfer even where the data itself stays in Europe. Annex A identifies, for each sub-processor, where it processes data and which safeguard we rely on.

Where personal data is transferred outside the UK, we ensure an appropriate safeguard under Chapter V UK GDPR is in place, being one or more of: the UK International Data Transfer Agreement; the EU Standard Contractual Clauses together with the UK Addendum; UK adequacy regulations for the country concerned; or certification under the UK Extension to the EU-US Data Privacy Framework. We carry out transfer risk assessments where required and apply supplementary measures where they are needed.

You authorise us to enter into transfer safeguards with sub-processors on your behalf, as your agent, for the purpose of protecting the personal data we process for you.

13. Liability, precedence and changes

The limitations and exclusions of liability in our Terms of Service apply to this DPA, except where UK GDPR does not permit them to.

If this DPA conflicts with our Terms of Service or Privacy Policy, this DPA prevails for processing carried out on your behalf as processor. If you and we have signed a separate written data processing agreement, that agreement prevails over this one.

We may update this DPA to reflect changes in law, guidance, our sub-processors or the platform. We will give notice of material changes by email to workspace administrators at least 30 days before they take effect. The "last updated" date at the top of this page shows when it last changed.

14. Governing law

This DPA is governed by the law of England and Wales, and the courts of England and Wales have exclusive jurisdiction, consistent with our Terms of Service.

Annex A: Sub-processors

These are the sub-processors we engage to process personal data on your behalf, as at the date shown at the top of this page. Each is bound by a written data processing agreement containing obligations equivalent to those in this DPA. Where a sub-processor is established outside the UK, the transfer safeguard we rely on is named.

  • Supabase, Inc. (United States) - database, authentication, file storage and our encryption key store. Your workspace database and files are stored in Ireland (eu-west-1). Transfers are covered by the EU Standard Contractual Clauses together with the UK Addendum. Supabase is not certified under the EU-US Data Privacy Framework and we do not rely on that framework for this transfer.
  • Railway Corporation (United States) - application hosting. Railway runs the Marklet server process and handles server logs and environment data. The Marklet server is deployed in Railway's EU West region (Amsterdam, Netherlands). Transfers are covered by the EU Standard Contractual Clauses together with the UK Addendum.
  • Anthropic Ireland, Limited (Ireland) - AI inference for issue categorisation, email summarisation and the "Ask Mark" assistant. Issue content, email content and chat messages, together with a summary of the block's context, are transmitted for processing. Because Marklet contracts with Anthropic's Irish entity, this is not itself a restricted transfer; Anthropic's onward transfer to the United States is covered by the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Under Anthropic's commercial terms, your content is not used to train Anthropic's models. Anthropic deletes inputs and outputs within 30 days by default, and may retain content for longer where needed to enforce its usage policy.
  • Plus Five Five, Inc., trading as Resend (United States) - transactional email delivery: sign-in links, invitations, issue notifications and compliance reminders. Recipient email addresses, names and message content pass through this service. Resend stores email data in the United States. Its regional sending options do not change where data is stored. Transfers are covered by the EU Standard Contractual Clauses together with the UK Addendum. Resend also holds an active certification under the UK Extension to the EU-US Data Privacy Framework for non-HR data. Resend retains message data for 30 days.
  • Cloudflare, Inc. (United States) - edge network, TLS termination, inbound email routing to your workspace address, and bot protection on public forms. Inbound email content, attachments and sender details pass through Cloudflare's email routing on the way to your workspace. Transfers are covered by the EU Standard Contractual Clauses together with the UK Addendum. Cloudflare also holds an active certification under the UK Extension to the EU-US Data Privacy Framework.

Bot protection and independent controller processing. Our public forms use Cloudflare Turnstile, which collects the visitor's IP address, TLS fingerprint, user agent and the originating site. Cloudflare acts as our processor when using that data to decide whether a visitor is a bot, but acts as an independent controller when using it to improve the Turnstile service, relying on its own legitimate interests. That second use falls outside this DPA and outside Article 28. See Cloudflare's Turnstile privacy policy for details.

Not sub-processors. Xero, Intuit (QuickBooks Online), Sage, FreeAgent, TrueLayer and Google are independent controllers for data held in the account you connect to Marklet, under their own terms. They act on your instructions through your relationship with them, not ours, so they are not engaged by us as sub-processors and are not listed above.

Annex B: Technical and organisational measures

These are the measures in force at the date shown at the top of this page. We keep them under review and may change them as the platform develops, but not in a way that materially reduces the overall security of the processing.

Encryption of stored files and credentials. Documents and their versions, issue and email attachments, complaint evidence, vendor materials, Section 20 attachments, alteration drawings, announcement attachments and service charge invoice PDFs are encrypted with AES-256-GCM using envelope encryption: each file receives its own randomly generated data key, which is itself wrapped by a key held for your block or estate in an isolated key store. Credentials for accounting and Open Banking integrations are encrypted the same way. Email message bodies, their preview text and the AI-generated thread summaries derived from them are encrypted under the same envelope scheme, each with a data key wrapped by a key held for your block. The encryption path fails closed, meaning that if a key is unavailable the write is rejected rather than stored unencrypted. A scheduled canary tests the encrypt and decrypt round trip every 15 minutes and alerts our platform administrators on failure.

What that covers, and what it does not. Envelope encryption applies to stored files, email message bodies and integration credentials. Other database fields, including names, contact details, issue text, email subject lines and service charge figures, are not separately encrypted at the application layer and rely on the encryption at rest provided by our database host. We state this plainly rather than describe all personal data as encrypted at rest.

Encryption in transit. Traffic is served over TLS. We send HTTP Strict Transport Security with a one year max-age including subdomains, a Content Security Policy, X-Frame-Options set to DENY, X-Content-Type-Options set to nosniff, a Referrer-Policy, a Permissions-Policy, and no-store cache directives on API responses.

Access control. Access is governed by a role-based permission matrix covering each resource and action, across five role levels (leaseholder, block manager, estate manager, estate administrator and platform administrator). Your administrators can tailor the matrix for your organisation. Access to your workspace by our own personnel is limited to those who need it to operate, support or secure the platform.

Tenant separation. Workspaces are logically separated. Separation is enforced in the application layer: queries are scoped by a tenant identifier derived on the server from the authenticated session rather than taken from client input. Separation is not enforced by the database itself, and workspaces are not physically separated.

Authentication. Sessions use JSON Web Tokens issued by our authentication provider and verified on the server on every request. Sign-in is passwordless, by one-time code or link sent to a verified email address, so there are no stored passwords to breach. The server rejects tokens for unconfirmed email addresses, and binds each confirmed identity one-to-one to its membership records, so a second identity claiming the same address is refused.

Audit trail. Changes to documents, Section 20 consultations, complaints, announcements, folders, calendar entries, alterations, issues and service charge years are recorded in an append-only audit log capturing who acted, what changed and when, including before and after values. The log is deliberately excluded from deletion cascades, so the trail survives deletion of the record it describes. Managers and above can read it, scoped to their block.

Abuse prevention. Rate limits apply per client per route, at 60 requests per minute on authentication routes and 180 per minute on other API routes. Request bodies are capped, known-malicious path probes are blocked, and a bot check protects public forms. A client IP address is trusted only when presented by our edge proxy together with a shared secret compared in constant time.

Cryptographic erasure. Deleting a block destroys the key protecting that block's files, which renders them unrecoverable regardless of where copies of the ciphertext exist.

Security review. We carry out periodic internal white-box review of our source code, most recently on 3 July 2026, together with non-intrusive black-box verification against production, and we track findings through to remediation. This is an internal process. We do not currently commission independent third-party penetration testing and do not represent that we do.

15. Contact

Data protection enquiries, countersigned copies of this DPA, security questionnaires and sub-processor notification requests: privacy@marklet.io.

Levered AI Ltd, 167-169 Great Portland Street, 5th Floor, London, W1W 5PF. Registered with the Information Commissioner's Office under reference ZC199153.