Trust Center
Last updated April 24, 2026
Markifact is a marketing automation platform operated by OPTIMIZATION UP L.L.C-FZ, registered in Meydan Free Zone, Dubai, UAE. This Trust Center is designed to help your security, privacy, and compliance teams review how Markifact handles customer data. For full details, see our Privacy Policy and Terms & Conditions.
This Trust Center is provided for informational purposes only and does not create contractual obligations. If there is a conflict between this page and your agreement with Markifact, the agreement controls.
Quick Answers (for Procurement)
No passwords to phish or leak. Sign-in via Google OAuth (inherits your Google 2FA) or email magic link.
Application servers and database are configured in EU regions (Google Cloud, Vercel, Neon on AWS EU). Some sub-processors may process limited data outside the EU under appropriate safeguards — see the DPA.
TLS for all traffic; OAuth tokens for connected platforms stored encrypted in the database.
We don't train models on customer data. For Markifact-managed AI, we use provider controls and API terms intended to prevent training on submitted data.
Our DPA applies to every customer automatically — no email, no signature.
EU SCCs (Module 2), UK Addendum, Swiss FADP, and CCPA service-provider terms covered in the DPA.
Markifact is a small, focused team. We do not currently hold SOC 2 or ISO 27001 certifications. We are transparent about what we do and do not have — see the Security tab for the full list of measures.
Security Measures
Summary of key technical and organizational measures (TOMs) for Markifact.
Data Protection
- Encryption in transit and storage: Data is protected using encryption and security protocols during transmission and storage.
- Encrypted integration tokens: OAuth tokens (access/refresh tokens) are stored in encrypted form in our databases and used solely to maintain authorized connections.
- Access to customer data: We do not access Customer Data unless required for support (at your request), security purposes, or legal compliance.
Infrastructure & Hosting
- Markifact stores and processes data in the European Union (EU). Application servers run on Google Cloud Platform and Vercel (EU regions); the production PostgreSQL database is hosted on Neon in AWS EU regions.
Authentication & Account Security
Markifact is passwordless. We do not store, transmit, or accept user passwords — so there are no passwords to phish, reuse, guess, or leak from breaches of other sites. Sign-in works in one of two ways:
- Google sign-in (OAuth): authentication is delegated to Google. Any 2FA, hardware key, or device check the user has enforced on their Google account is automatically applied to their Markifact sign-in. We never see the user's Google password.
- Email magic link: a one-time, time-limited link is sent to the user's verified email address and must be clicked from that inbox to complete sign-in. Each new session re-proves control of the inbox — effectively a possession-factor check on top of the mailbox owner's own account security (which itself is typically MFA-protected at major providers like Google, Microsoft, etc.).
- OAuth tokens for connected platforms (Google Ads, Meta, LinkedIn, TikTok, etc.) are stored encrypted at rest in our databases and used only to maintain the integration the customer authorized. They are never exposed in the UI or sent to AI providers.
- Recommendation: enable 2FA / a passkey on the email account or Google account you use to sign in to Markifact — doing so transitively secures your Markifact account too.
- Customers are responsible for the confidentiality of their sign-in email, magic links, API keys, and connected integrations, and must notify us at contact@markifact.com if they become aware of unauthorized account access.
Vulnerability & Patch Management
- We monitor security advisories for our runtime, framework, and dependencies, and apply security patches on a risk-prioritised basis.
- Production changes are deployed through a controlled CI/CD process. Security-sensitive changes receive additional review before release where appropriate.
- We do not currently publish a formal pentest report. Customers on custom or enterprise plans may discuss targeted security review as part of contracting.
Audit & Activity Logs
- Workflow execution history is available to customers in their account dashboard for the retention window of their plan.
- Server-side application and security logs are kept for operational and fraud-prevention purposes and are accessible only to a small number of authorised Markifact personnel.
Vendor & Subprocessor Management
- We only engage subprocessors that are necessary to operate the Service and that offer adequate technical and organisational measures.
- A current list, including the role and processing region of each subprocessor, is published in the Subprocessors tab and in Annex 3 of the DPA.
Operational Logging
- We retain workflow execution logs/history for a limited period based on the customer's plan.
- Security and fraud-prevention logs may be retained longer where necessary to protect the Service.
Backups & Recovery
Backups are maintained for disaster recovery purposes only and are not guaranteed for individual data recovery requests. Customers are responsible for exporting and backing up any critical data through their account dashboard.
Is Markifact GDPR / DSGVO compliant?
Yes. Markifact is built to be compliant with the EU GDPR, UK GDPR, Swiss FADP (revFADP / nFADP), and the German DSGVO (the German translation of the GDPR — same regulation):
- Markifact's application servers and production database are configured in EU regions (Google Cloud Platform + Vercel for application hosting, Neon on AWS EU for our database). Some subprocessors may process limited data outside the EU under appropriate safeguards, as described in our DPA.
- Our Data Processing Agreement auto-applies to every customer — no signature required
- Standard Contractual Clauses (SCCs) and the UK Addendum are incorporated for cross-border processing
- Article 33 breach notification, data subject rights support, encryption in transit and at rest
- No customer data is used to train AI models
GDPR / DSGVO & Data Protection
Roles
For most customers:
- You (Customer) act as the Data Controller for Customer Data you connect/upload.
- Markifact (OPTIMIZATION UP L.L.C-FZ) acts as the Data Processor to provide the Service.
Legal Basis (EEA/UK Users)
If you are located in the EEA/UK, Markifact processes personal data under:
- Contract (providing the Service)
- Legitimate interests (security, fraud prevention, product improvement, support)
- Consent (marketing emails and non-essential cookies where required)
- Legal obligation (tax/accounting and lawful requests)
Data Minimization
- Markifact primarily processes integration data in real-time during workflow execution.
- We minimize storage of data pulled from connected platforms, except where needed for features you configure (such as logs, alerts, exports).
- Workflow execution history is retained temporarily based on the customer's plan.
AI Data Use
- Markifact does not use customer data to develop, improve, or train generalized AI/ML models.
- AI steps run only when explicitly configured by the user.
- If you use BYOK (bring your own key), AI requests are sent using your credentials and are subject to your AI provider's terms and privacy policy.
International Data Transfers
Markifact stores and processes data in the European Union (EU). Application hosting runs on Google Cloud Platform and Vercel in EU regions, and our production database (PostgreSQL) is hosted on Neon in AWS EU regions. For EEA/UK/Switzerland users, we rely on appropriate safeguards for transfers, including Standard Contractual Clauses where applicable.
Google API Limited Use
Markifact's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Google API data is used only to provide user-requested functionality and is not used to train generalized AI/ML models.
Data Processing Agreement (DPA)
Markifact's standard DPA applies automatically to every customer and is incorporated into our Terms & Conditions by reference. No email, request, or separate signature is required. You can view, save, or print the DPA at any time at /dpa.
Counter-signed copies, custom legal review, vendor questionnaires, and bespoke security reviews are available only as part of custom or enterprise agreements.
Cookies & Website Analytics
Markifact uses cookies and similar technologies to operate the website and improve the product experience.
- Essential cookies: required for core functionality (for example, session management and security).
- Analytics: we use Google Analytics on markifact.com to understand usage and improve performance. Where required by law, analytics are enabled only with your consent.
- Managing preferences: you can manage cookie preferences via the cookie banner (where shown) and/or your browser settings.
For more details, see the Tracking Technologies section of our Privacy Policy.
Subprocessors
Subprocessors are third-party vendors that Markifact engages to operate the Service and that may process Customer Personal Data on our behalf. The list below uses each vendor's legal entity name. Cookie / website-analytics providers used on markifact.com are not subprocessors of Customer Personal Data — they are disclosed in the Cookies & Website Analytics section.
Current Subprocessors
Last updated: 24 April 2026
Hosting region: all Markifact application servers and the production database are configured in the European Union. The legal-entity names below reflect each vendor's parent company; the actual processing of Customer Personal Data takes place in their EU regions for hosting and database services.
| Subprocessor | Purpose | Data Involved |
|---|---|---|
| Google LLC | Cloud hosting & infrastructure (Google Cloud Platform, EU region) | Account data, encrypted tokens, logs, service data needed to run workflows |
| Vercel, Inc. | Web application hosting and edge delivery (EU region) | Website/app delivery data, request logs |
| Neon, LLC | Managed PostgreSQL database (AWS EU region) | Account data, workflow data, encrypted integration tokens, service metadata |
| Amazon Web Services, Inc. | Transactional & notification email delivery (SES, EU region) | Email address, email delivery metadata |
| Stripe, Inc. | Payment processing and billing | Billing details, invoices (payment-card data is handled directly by Stripe) |
| OpenAI, LLC | AI services for user-enabled AI features; not used to train models on customer data | Only the prompt/data sent for the specific AI request the customer triggers |
| Anthropic, PBC | AI services for user-enabled AI features; not used to train models on customer data | Only the prompt/data sent for the specific AI request the customer triggers |
| Google LLC (Gemini) | AI services for user-enabled AI features; not used to train models on customer data | Only the prompt/data sent for the specific AI request the customer triggers |
AI subprocessors only receive data when a customer enables AI features and triggers a specific request. For Markifact-managed AI, we use the provider controls intended to prevent training on submitted data. Any retention is governed by the provider's API terms and our configuration with that provider.
Customer-Authorized Platforms
Markifact integrates with many third-party platforms (e.g., ad platforms, analytics, CRMs). These are connected and authorized by the customer. Your use of these platforms remains subject to their terms and privacy policies. These are not Markifact subprocessors.
Subprocessor Updates
If you would like to be notified about material changes to our subprocessors list for vendor management purposes, email contact@markifact.com and we will coordinate a notification method.
Security Documents & Reviews
Most security and privacy questions are already answered in this Trust Center, our Privacy Policy, Terms & Conditions, DPA, and subprocessor list.
For standard self-serve plans, we do not complete custom vendor questionnaires (SIG, CAIQ, etc.) or sign customer-provided DPAs or security addenda. The published documents above are designed to satisfy the typical procurement and vendor-review process.
For custom or enterprise agreements, we can support reasonable security reviews, vendor questionnaires, and counter-signed DPA requests as part of the contracting process.
Data Retention & Deletion
Retention While Your Account Is Active
- Workflow execution history: retained temporarily based on your subscription plan (1–30 days).
- AI agent conversation history (if you use AI agent features): stored so you can review past interactions. You can delete this history at any time.
- Integrations data: Markifact minimizes storage of data pulled from connected platforms, except where needed for features you configure (logs, alerts, exports). Data is primarily processed in real-time during workflow execution.
After Cancellation
- After cancellation, you have 30 days to export or download your data.
- After this period, we may permanently delete your Customer Data.
What We May Retain Longer
Even after deletion, we may retain certain data for legal, security, or compliance purposes, including:
- Billing and invoice records (as required by tax law)
- Fraud prevention and security logs
- Anonymized or aggregated usage data
How to Request Deletion
Email contact@markifact.com with subject: Data Deletion Request. We delete or anonymize data within a reasonable timeframe (typically within 30 days), except where retention is required for legal, tax, security, or fraud-prevention purposes.
Incident Response & Breach Notification
Markifact maintains incident response procedures and reviews security measures to help prevent and detect breaches.
Incident Handling
When we detect a suspected security incident, we generally follow this flow:
- Triage & containment: identify scope and contain impact
- Investigation: determine what happened and what data may be affected
- Remediation: deploy fixes, rotate credentials where needed, strengthen controls
- Communication: notify customers when required or appropriate
- Post-incident review: document learnings and preventive actions
Breach Notification
If a breach affects personal information, we will:
- Notify relevant supervisory authorities within 72 hours where required by law (such as GDPR)
- Notify affected users without undue delay where required by law or where the breach is likely to result in a high risk to rights and freedoms
- Provide details on the nature of the breach, data affected, steps taken, and recommended actions
Reporting a Security Issue
If you believe you found a security issue, email contact@markifact.com with:
- Steps to reproduce
- Impact description
- Any relevant logs/screenshots
- Your preferred contact details
AI & Data
Markifact includes optional AI-powered features. Here's how we handle data when AI is involved.
AI Providers
When using Markifact-managed AI, requests may be processed by one of the following providers:
- OpenAI
- Google (Gemini)
- Anthropic
Data is sent only for the specific AI request. Markifact may retain related workflow execution logs and AI agent conversation/task history so customers can review past activity, subject to the retention controls described in this Trust Center. Where supported, we enable available provider controls intended to prevent training on submitted data.
BYOK (Bring Your Own Key)
Users can also connect their own AI API key and choose their preferred provider. When using BYOK, AI requests are sent using your credentials. Processing, retention, and training policies are governed entirely by your chosen AI provider's terms — not Markifact.
Key Commitments
- Markifact does not use customer data to develop, improve, or train generalized AI/ML models.
- AI steps only run when explicitly added and configured by the user in a workflow.
- All core functionality works without AI — you can use Markifact without enabling any AI features.
- AI-generated output may contain errors. You are responsible for reviewing and verifying any AI output before use.
Security Questionnaire (Quick Responses)
Common enterprise questions answered in one place — useful for procurement and vendor reviews.
Company & Platform
Authentication
Data Handling
AI
Compliance
Data Processing Agreement (DPA)
Our standard Data Processing Agreement applies automatically to every Markifact customer and is incorporated into the Terms & Conditions by reference. No signature is required.
The DPA covers GDPR / DSGVO Article 28 obligations, the EU Standard Contractual Clauses (Module 2: Controller → Processor), the UK Addendum, Swiss FADP modifications, and CCPA service-provider terms. It includes Annex 1 (description of processing), Annex 2 (technical and organisational measures), and Annex 3 (sub-processor list).
Counter-signed copies of the DPA are issued only as part of custom or enterprise plan contracts and are not available on standard self-serve plans. The published DPA forms part of the Terms & Conditions for all Markifact customers — you do not need to email us to make it effective.
Other Legal Documents
Security & Privacy Contact
For security or compliance requests (DPA counter-signature, questionnaires, vendor review), contact: contact@markifact.com