Data Processing Agreement

Last updated May 3, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Hovermarks ("processor") and the customer ("controller") for the provision of the Hovermarks platform.

It reflects the requirements of the UK GDPR, the EU GDPR (where applicable), and the UK Data Protection Act 2018.

1. Roles

The customer is the data controller for any personal data processed within their tenant. Hovermarks is the data processor and will only process personal data on the customer's documented instructions.

2. Subject matter and duration

  • Subject matter: provision of the Hovermarks inspection, compliance, and maintenance platform.
  • Duration: the term of the underlying agreement, plus a 30-day grace period for data export, after which all customer data is permanently deleted.
  • Categories of data subjects: customer's employees, contractors, and (where the customer chooses) end-customers, tenants, or visitors interacting with assets.
  • Categories of personal data: name, email, role, IP address, photographs taken during inspections, digital signatures.

3. Sub-processors

The customer authorises Hovermarks to engage the following sub-processors. We will provide 30 days' prior notice of changes to this list and the customer may object on reasonable grounds.

Sub-processor | Purpose | Region
Microsoft Azure | Hosting, storage, identity | UK
Microsoft Entra ID | Authentication / SSO | UK / EU
Microsoft Graph | Transactional and notification email via Microsoft 365 | UK / EU
Plausible Analytics | Marketing-site analytics ONLY (the in-app dashboard does not run Plausible) | EU

A PCI-DSS certified billing provider will be added to this list before billing is switched on at general availability.

The full, version-controlled list is published at hovermarks.com/legal/dpa (hovermarks.co.uk/legal/dpa for UK customers) and notified to controllers' DPO contacts on each change.

4. Security measures

Hovermarks implements appropriate technical and organisational measures, including:

  • TLS 1.2+ in transit. Encryption at rest: AES-256 with Azure-managed keys. Customer-managed keys may be configured for bespoke Enterprise engagements.
  • Multi-tenant logical isolation enforced at every database query via per-row tenant filtering, audited centrally.
  • Microsoft Entra ID SSO via OIDC + PKCE on Professional and Enterprise. MFA enforced via per-tenant Conditional Access.
  • Role-based access control and an immutable audit log of all admin and inspector actions.
  • Independent penetration testing scheduled before general availability and at least annually thereafter; the most recent report summary is available to Enterprise customers under NDA.
  • Incident response process with notification to controllers within 72 hours of becoming aware of a breach affecting their data.

5. International transfers

Customer data is hosted in Microsoft Azure (UK) and is not replicated outside the UK without the controller's written consent. Where corporate functions require transfers (e.g. transactional email), they are governed by the UK International Data Transfer Agreement and/or the EU Standard Contractual Clauses, as applicable.

6. Data subject rights

Hovermarks provides controllers with self-service tools to handle access, rectification, restriction, portability, and erasure requests within their tenant. Where the controller cannot fulfil a request via the platform, Hovermarks will assist on request.

7. Audit

Once per 12 months, on 30 days' notice and at the controller's cost, the controller may audit Hovermarks's compliance with this DPA, subject to confidentiality. Hovermarks will share its trust packet (penetration test summary, architecture diagrams, sub-processor list) under NDA in lieu of an on-site audit where the controller agrees.

8. Return and deletion

On termination, the controller may export their data within 30 days. After 30 days, Hovermarks will delete all customer data. Backups: encrypted Azure SQL backups retained for 30 days, then permanently deleted. Hovermarks will provide written confirmation of deletion on request.

Contact

DPO / data protection contact: privacy@hovermarks.com.

This document was last updated on 9 May 2026.

This document is a launch placeholder. Final wording will be reviewed by our DPO and external counsel before general availability.