Trust Center

Quick Answers (for Procurement)

Security Measures

Summary of key technical and organizational measures (TOMs) for Markifact.

Data Protection

• Encryption in transit and storage: Data is protected using encryption and security protocols during transmission and storage.
• Encrypted integration tokens: OAuth tokens (access/refresh tokens) are stored in encrypted form in our databases and used solely to maintain authorized connections.
• Access to customer data: We do not access Customer Data unless required for support (at your request), security purposes, or legal compliance.

Infrastructure & Hosting

• Markifact stores and processes data in the European Union (EU) using Google Cloud Platform and Vercel, configured to use EU data centers.

Authentication & Account Security

• Customers are responsible for maintaining the confidentiality of account access (including magic links, authentication credentials, API keys, and connected integrations).
• Customers must notify us if they become aware of unauthorized access to or use of their account.

Operational Logging

• We retain workflow execution logs/history for a limited period based on the customer's plan.
• Security and fraud-prevention logs may be retained longer where necessary to protect the Service.

Backups & Recovery

Backups are maintained for disaster recovery purposes only and are not guaranteed for individual data recovery requests. Customers are responsible for exporting and backing up any critical data through their account dashboard.

GDPR & Data Protection

Roles

For most customers:

• You (Customer) act as the Data Controller for Customer Data you connect/upload.
• Markifact (OPTIMIZATION UP L.L.C-FZ) acts as the Data Processor to provide the Service.

Legal Basis (EEA/UK Users)

If you are located in the EEA/UK, Markifact processes personal data under:

• Contract (providing the Service)
• Legitimate interests (security, fraud prevention, product improvement, support)
• Consent (marketing emails and non-essential cookies where required)
• Legal obligation (tax/accounting and lawful requests)

Data Minimization

• Markifact primarily processes integration data in real-time during workflow execution.
• We minimize storage of data pulled from connected platforms, except where needed for features you configure (such as logs, alerts, exports).
• Workflow execution history is retained temporarily based on the customer's plan.

AI Data Use

• Markifact does not use customer data to develop, improve, or train generalized AI/ML models.
• AI steps run only when explicitly configured by the user.
• If you use BYOK (bring your own key), AI requests are sent using your credentials and are subject to your AI provider's terms and privacy policy.

International Data Transfers

Markifact stores and processes data in the European Union (EU) using Google Cloud Platform and Vercel configured to use EU data centers. For EEA/UK/Switzerland users, we rely on appropriate safeguards for transfers, including Standard Contractual Clauses where applicable.

Google API Limited Use

Markifact's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google API data is used only to provide user-requested functionality and is not used to train generalized AI/ML models.

Data Processing Agreement (DPA)

Business customers who require a DPA can request one by emailing contact@markifact.com. When you email, include:

• Your company legal name
• Your billing email/domain
• Whether you need SCCs included
• Any vendor questionnaire you want answered

Subprocessors

Subprocessors are vendors we use to operate Markifact that may process personal data on our behalf. We may update subprocessors from time to time; any new providers are bound by appropriate confidentiality and security obligations.

Current Subprocessors

Customer-Authorized Platforms

Markifact integrates with many third-party platforms (e.g., ad platforms, analytics, CRMs). These are connected and authorized by the customer. Your use of these platforms remains subject to their terms and privacy policies. These are not Markifact subprocessors.

Subprocessor Updates

If you would like to be notified about material changes to our subprocessors list for vendor management purposes, email contact@markifact.com and we will coordinate a notification method.

Cookies & Website Analytics

Markifact uses cookies and similar technologies to operate the website and improve the product experience.

• Essential cookies: required for core functionality (for example, session management and security).
• Analytics: we use Google Analytics on markifact.com to understand usage and improve performance. Where required by law, analytics are enabled only with your consent.
• Managing preferences: you can manage cookie preferences via the cookie banner (where shown) and/or your browser settings.

For more details, see the Tracking Technologies section of our Privacy Policy.

Security Documents & Reviews

If your security or procurement team needs additional documentation, email contact@markifact.com. Depending on your request and context, we can typically help with:

• Vendor questionnaires (SIG Lite, CAIQ-style, or custom forms)
• Data Processing Agreement (DPA) and SCCs where applicable
• Subprocessor list confirmation and data residency overview
• Product security overview (high-level TOMs and architecture notes)

Data Retention & Deletion

Retention While Your Account Is Active

• Workflow execution history: retained temporarily based on your subscription plan (1–30 days).
• AI agent conversation history (if you use AI agent features): stored so you can review past interactions. You can delete this history at any time.
• Integrations data: Markifact minimizes storage of data pulled from connected platforms, except where needed for features you configure (logs, alerts, exports). Data is primarily processed in real-time during workflow execution.

After Cancellation

• After cancellation, you have 30 days to export or download your data.
• After this period, we may permanently delete your Customer Data.

What We May Retain Longer

Even after deletion, we may retain certain data for legal, security, or compliance purposes, including:

• Billing and invoice records (as required by tax law)
• Fraud prevention and security logs
• Anonymized or aggregated usage data

How to Request Deletion

Email contact@markifact.com with subject: Data Deletion Request. We delete or anonymize data within a reasonable timeframe (typically within 30 days), except where retention is required for legal, tax, security, or fraud-prevention purposes.

Incident Response & Breach Notification

Markifact maintains incident response procedures and regularly tests security measures to prevent and detect breaches.

Incident Handling

When we detect a suspected security incident, we generally follow this flow:

1. Triage & containment: identify scope and contain impact
2. Investigation: determine what happened and what data may be affected
3. Remediation: deploy fixes, rotate credentials where needed, strengthen controls
4. Communication: notify customers when required or appropriate
5. Post-incident review: document learnings and preventive actions

Breach Notification

If a breach affects personal information, we will:

• Notify relevant supervisory authorities within 72 hours where required by law (such as GDPR)
• Notify affected users without undue delay where required by law or where the breach is likely to result in a high risk to rights and freedoms
• Provide details on the nature of the breach, data affected, steps taken, and recommended actions

Reporting a Security Issue

If you believe you found a security issue, email contact@markifact.com with:

• Steps to reproduce
• Impact description
• Any relevant logs/screenshots
• Your preferred contact details

AI & Data

Markifact includes optional AI-powered features. Here's how we handle data when AI is involved.

AI Providers

When using Markifact-managed AI, requests may be processed by one of the following providers:

• OpenAI
• Google (Gemini)
• Anthropic

Data is sent only for the specific AI request and is not stored by Markifact beyond workflow execution logs. Where supported, we enable available provider controls intended to prevent training on submitted data.

BYOK (Bring Your Own Key)

Users can also connect their own AI API key and choose their preferred provider. When using BYOK, AI requests are sent using your credentials. Processing, retention, and training policies are governed entirely by your chosen AI provider's terms — not Markifact.

Key Commitments

• Markifact does not use customer data to develop, improve, or train generalized AI/ML models.
• AI steps only run when explicitly added and configured by the user in a workflow.
• All core functionality works without AI — you can use Markifact without enabling any AI features.
• AI-generated output may contain errors. You are responsible for reviewing and verifying any AI output before use.

Security Questionnaire (Quick Responses)

Common enterprise questions answered in one place — useful for procurement and vendor reviews.

---

Security & Privacy Contact

For security or compliance requests (DPA, questionnaires, vendor review), contact: contact@markifact.com

For full details, see our Privacy Policy and Terms & Conditions.