GDPR Compliance

Last updated: 6 January 2026

Our Commitment to Data Protection

MARC is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We have implemented comprehensive measures to protect personal data and support our customers in their compliance obligations.

MARC as a Data Processor

When you use MARC to send emails, we act as a data processor on your behalf. You remain the data controller and are responsible for:

  • Obtaining valid consent or establishing another lawful basis for processing
  • Ensuring the accuracy of personal data
  • Responding to data subject requests
  • Notifying the ICO and, where required, affected data subjects of personal data breaches

As your processor, we:

  • Only process data on your documented instructions
  • Ensure staff are bound by confidentiality obligations
  • Implement appropriate security measures
  • Assist you in responding to data subject requests
  • Notify you of data breaches without undue delay
  • Delete or return data upon termination of services

Data Processing Agreement

We provide a Data Processing Agreement (DPA) that governs our processing of personal data on your behalf. The DPA includes:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data processed
  • Categories of data subjects
  • Your obligations and rights as controller
  • Our obligations as processor
  • Sub-processor arrangements
  • International transfer mechanisms

To request a signed DPA, contact us at [email protected].

Sub-Processors

We use the following sub-processors to provide our services:

Sub-Processor        Purpose                 Location
Amazon Web Services  Infrastructure hosting  EU/UK regions available
Stripe               Payment processing      USA (with SCCs)

We will notify you of any changes to our sub-processors with at least 30 days' notice, allowing you to object if the change affects your compliance.

International Data Transfers

Following the UK's departure from the EU, we rely on the following mechanisms for international data transfers:

  • UK Adequacy Decisions: Transfers to countries recognised as providing adequate protection
  • International Data Transfer Agreement (IDTA): The UK's standard contractual clauses
  • UK Addendum to EU SCCs: Where applicable

We conduct Transfer Impact Assessments where required and implement supplementary measures as necessary.

Security Measures

We implement appropriate technical and organisational measures as required by Article 32 of UK GDPR:

Technical Measures

  • Encryption of data in transit using TLS 1.2+
  • Encryption of data at rest using AES-256
  • Regular vulnerability scanning and penetration testing
  • Intrusion detection and prevention systems
  • Automated security monitoring and alerting
  • Regular security patches and updates

Organisational Measures

  • Role-based access control following the principle of least privilege
  • Multi-factor authentication for all staff
  • Regular staff training on data protection
  • Background checks for employees with data access
  • Documented security policies and procedures
  • Regular internal audits

Data Subject Rights

We assist you in fulfilling data subject requests. Our platform supports:

  • Right of access: Export all data associated with an email address
  • Right to erasure: Delete data for specific recipients from logs and suppression lists (note that a minimal suppression record may need to be retained so that a recipient's opt-out continues to be honoured)
  • Right to rectification: Update subscriber information via API
  • Right to restriction: Add addresses to suppression lists

Contact [email protected] for assistance with complex data subject requests.

Data Breach Notification

In the event of a personal data breach affecting your data, we will:

  • Notify you without undue delay, and in any event within 72 hours of becoming aware, so that you can meet your own 72-hour deadline for notifying the ICO under Article 33 of UK GDPR
  • Provide details of the nature of the breach
  • Describe the likely consequences
  • Outline measures taken or proposed to address the breach
  • Assist you in meeting your notification obligations to the ICO and data subjects

Your Compliance Responsibilities

When using MARC for email sending, you must ensure:

  • Lawful basis: You have valid consent or another lawful basis for sending emails
  • Transparency: Your privacy notice informs recipients about your use of email service providers
  • PECR compliance: Marketing emails include unsubscribe mechanisms and sender identification
  • Data minimisation: You only send necessary data through our platform
  • Accuracy: Your mailing lists are up to date and accurate

Data Retention

We retain data in accordance with data minimisation principles:

  • Email metadata: 30 days (configurable)
  • Delivery logs: 12 months
  • Suppression lists: Retained until you remove them
  • Account data: Duration of account plus 90 days

We can configure custom retention periods based on your requirements.

Records of Processing

We maintain records of processing activities as required by Article 30 of UK GDPR. These records are available to supervisory authorities upon request and can be shared with you as part of your compliance documentation.

Data Protection Impact Assessments

We can provide information to support your Data Protection Impact Assessments (DPIAs) where your use of our service requires one. Contact our DPO for assistance.

Contact Our Data Protection Officer

For GDPR-related enquiries, contact our Data Protection Officer:

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):