Data Processing Agreement (DPA)

Last updated: January 24, 2026

This Data Processing Agreement applies when a school or educational institution ("Customer") uses FeedbackFlow.AI (MarkMate) to process student work. It sets out how FeedbackFlow.AI processes personal data on behalf of the Customer under UK GDPR and EU GDPR.

Processor: FeedbackFlow.AI (Daniel). Contact: daniel@feedbackflow.ai

Download: DPA Template (PDF)

1. Roles and Scope

Customer (School): Data Controller for student data uploaded to the service.

FeedbackFlow.AI: Data Processor for student data; Data Controller for account and billing data.

This DPA covers processing of student work, feedback, and related metadata provided by the Customer.

2. Processing Details

  • Subject matter: Student work, teacher feedback, and assessment artifacts.
  • Duration: For the term of the Customer's account, plus defined retention periods in the Privacy Policy.
  • Nature and purpose: Transcription, marking assistance, and educational feedback workflows.
  • Data subjects: Students and teachers.
  • Categories of data: Student names (if provided), handwritten essays (PDF), transcribed text, grades, feedback, and class metadata.

3. Processor Obligations

  • Process personal data only on documented instructions from the Customer.
  • Ensure staff and contractors are bound by confidentiality.
  • Implement appropriate technical and organizational security measures.
  • Assist the Customer with data subject rights requests.
  • Notify the Customer without undue delay of any personal data breach.
  • Allow audits or provide evidence of compliance on request.

4. Sub-Processors

FeedbackFlow.AI uses the following sub-processors for infrastructure and processing:

  • Supabase (EU-West-2): Database and storage hosting.
  • Cloudflare (EU-West-2): Hosting and edge functions.
  • Google Gemini API: AI transcription and marking assistance (no training or retention for API data).
  • Stripe: Payment processing.

We will notify Customers of material changes to sub-processors via the Privacy Policy and service updates.

5. International Transfers

If processing involves transfers outside the UK/EU (e.g., Google Gemini), we rely on Standard Contractual Clauses and applicable UK Addendum safeguards, as described in the Privacy Policy.

6. Security Measures

  • Encryption in transit (TLS 1.2+).
  • Encryption at rest for database and file storage.
  • Row Level Security for tenant isolation.
  • Access controls with least privilege.

7. Data Retention & Deletion

On termination, FeedbackFlow.AI will delete or return personal data in accordance with the Privacy Policy and Customer instructions, unless retention is required by law.

8. Contact

For DPA questions or requests, email daniel@feedbackflow.ai.