Data Security

Last updated: May 2025 · Effective immediately

Plain English summary: Your data and your students' work is encrypted in transit and at rest. We store only what we need, delete it on schedule, and never share it with unauthorised parties. You can request deletion at any time.

Our security commitments

🔐

Encrypted in transit

All data transmitted between your browser and Markulate is encrypted using TLS 1.2 or higher (HTTPS). Unencrypted connections are rejected.

🗄️

Encrypted at rest

All uploaded files and account data stored on our servers are encrypted at rest using AES-256 encryption.

🏗️

Secure infrastructure

Markulate is hosted on enterprise-grade cloud infrastructure with access controls, audit logging, and regular security updates.

👥

Access controls

Only authorised Markulate staff can access system infrastructure, and only when required for operation or support. Access is logged.

🗑️

Scheduled deletion

Uploaded scripts are automatically deleted 90 days after processing. You can request immediate deletion at any time.

📵

No unauthorised sharing

Your data is never sold, shared with advertisers, or disclosed to third parties except as required to operate the service under binding agreements.

What data we store and for how long

Data type	Purpose	Retention period
Account information (name, email)	Account access and service communications	Duration of account, deleted on request
Uploaded rubrics	Generating marking suggestions	90 days after last use, or on request
Uploaded student scripts	Generating marking suggestions	90 days after processing, or on request
Marking suggestions and rationales	Audit trail and export	Duration of account, deleted on request
Usage logs	Service improvement and security	90 days, then anonymised

Student data handling

We treat uploaded student work with particular care:

Student scripts are processed solely to generate marking suggestions for the uploading educator
Scripts are not linked to student identity within our systems beyond what the educator provides
We recommend educators anonymise scripts where possible before uploading — replacing student names with ID numbers — to minimise identifiable data in our systems
Student work is never used for AI model training, analytics, research, or any purpose beyond the marking task
Scripts are automatically deleted after 90 days and can be deleted immediately on request

Requesting data deletion

You can request deletion of your account, uploaded files, or any specific data at any time by emailing hello@markulate.com with the subject line "Data Deletion Request." We will confirm deletion within 10 business days.

Institutional and compliance enquiries

If your school or university requires a Data Processing Agreement (DPA), security questionnaire, or additional compliance documentation before approving Markulate for institutional use, please contact us at hello@markulate.com. We will work with your IT or legal team to provide what you need.

Reporting a security concern

If you believe you have identified a security vulnerability in Markulate, please report it responsibly to hello@markulate.com with the subject line "Security Report." We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly.

Questions

For any questions about data security, email hello@markulate.com. We respond within 5 business days.