DPP
MASTER DATA PRIVACY POLICY (DPP)
Effective Date: June 18, 2026
Entity: MarkedUp Inc. (a Wyoming Corporation)
INTRODUCTION & B2B APPLICABILITY
This Data Privacy Policy (“Policy”) governs the collection, processing, protection, and systematic destruction of data by MarkedUp Inc. (“Company,” “we,” “our,” or “us”). MarkedUp Inc. provides an automated, cloud-native business-to-business (B2B) quality assurance software platform engineered to perform Internal Consistency Reviews of architectural and engineering drawings.
B2B BUSINESS EXCLUSION: The MarkedUp Inc. platform serves corporate enterprise clients ("Customers") exclusively for commercial, business-to-business transactions. This service is not intended for, nor made available to, individual consumers. Consequently, standard consumer-centric retail privacy frameworks (such as the Children’s Online Privacy Protection Act [COPPA] or state-level retail consumer-specific privacy laws) do not apply to the operational project data processed by our service.
This Policy is incorporated by reference into the MarkedUp Inc. Master Services Agreement (MSA) and governs all interactions with our platform, whether accessed via direct web upload or through headless architectural integrations.
1. PLATFORM CONTEXT & DATA COLLECTION INVENTORY
To provide our Internal Consistency Reviews, secure system access, and maintain platform integrity, we collect and process distinct categories of operational, credential, and system data:
- Operational Data (Proprietary Customer IP): We ingest construction drawings, architectural schematics, and engineering project files strictly in PDF format (supporting file sizes up to $S \le 200\text{ MB}$ under standard commercial tiers). This data is ingested either via direct user upload or through our authorized "headless" API integrations (including Bluebeam, Procore, SharePoint, Slack, and Microsoft Teams).
- Business Credentials & Account Information: We collect corporate identifiers, names of authorized users, and business email domains. Our systems algorithmically differentiate and log user email domains to enforce enterprise security boundaries (e.g., distinguishing between generic public domains like
@gmail.comand authenticated corporate domains like@firm.com). - Headless Integration Credentials & Metadata: When our platform is connected via OAuth or API to external customer systems, we collect and securely store the associated access tokens, refresh tokens, and webhook metadata necessary to facilitate uninterrupted file transfer.
- System Telemetry: We collect performance data, system logs, processing speeds, and routing metadata to ensure platform stability.
2. DATA GOVERNANCE & THE SYSTEMATIC DELETION ARCHITECTURE
MarkedUp Inc. recognizes that construction geometries and project schematics represent highly sensitive proprietary intellectual property. Our entire data lifecycle is designed to minimize risk by limiting the lifecycle of Customer IP.
- The Ironclad 14-Day Purge Rule: To absolutely protect Customer intellectual property, all raw uploaded PDFs, proprietary project data, and system-generated audit outputs/markups (collectively, "Processed Project Assets") are hosted temporarily. Under standard operations, they are automatically, systematically, and permanently deleted from our primary production databases and file systems exactly $14$ days after processing.
- The "Immediate Cause Purge" Exception: Notwithstanding the standard $14\text{-day}$ timeline, in accordance with Section 5.2 of our MSA, if a Customer's account is frozen, suspended, or terminated due to a suspected breach of the Agreement (including violations of the Competitor Ban or reverse-engineering provisions), all uploaded PDFs, data caches, and generated outputs associated with the account shall be purged and deleted immediately from our servers, overriding the standard $14\text{-day}$ window.
- Backup & Disaster Recovery Retention: To the extent that technical database snapshots or disaster recovery backups (e.g., AWS S3/RDS backups) capture Processed Project Assets during their $14\text{-day}$ production lifecycle, such backups are highly encrypted, isolated, and automatically overwritten or purged on a rolling cycle not to exceed $30$ days from the initial file ingest date.
- Headless Token & Metadata Lifecycle: Integration credentials, API session keys, and OAuth tokens are systematically revoked and permanently deleted from our systems within $48$ hours of a Customer disconnecting an integration. API webhook logs containing transaction payload markers are subjected to the same strict $14\text{-day}$ automated purge as primary operational files.
- PROPRIETARY & SELF-HOSTED ZERO-TRAINING COVENANT: MarkedUp Inc. operates a fully isolated, self-hosted machine learning infrastructure. All language, vision, and geometry processing models (including large language models [LLMs] and vision-language models [VLMs]) are hosted on our private cloud servers. No customer data, drawings, or texts are ever shared with, sent to, or cached by third-party public AI providers (such as OpenAI, Anthropic, or Azure AI). We NEVER use customer-uploaded PDFs, drawing geometries, or raw proprietary text inputs to train, tune, align, or otherwise improve our base models or any cross-customer public Artificial Intelligence (AI) or Machine Learning (ML) models.
- Heuristic Data Exception: Notwithstanding the above, MarkedUp Inc. retains a perpetual, irrevocable right to collect, analyze, and utilize aggregated, completely anonymized heuristic data, platform telemetry, and system metadata (including, but not limited to, processing speeds, error logs, and anonymized token counts). This non-identifying data is utilized strictly for system optimization, latency reduction, and platform defense, and does not contain any proprietary Customer geometries or raw drawing text.
3. TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
While MarkedUp Inc. does not currently claim independent SOC 1 or SOC 2 entity-level certification, our entire technical ecosystem is architected upon and strictly adheres to the following rigorous infrastructure standards:
- Infrastructure Isolation & Zero-Trust Architecture: All core processing engines, self-hosted AI models, and database instances are deployed exclusively inside private subnets within an Amazon Web Services (AWS) Virtual Private Cloud (VPC). These subnets feature absolutely no routable public IP addresses and are strictly isolated from the public internet. Access is managed via Stateful Firewalls (Security Groups) and Stateless Firewalls (Network ACLs). Google Cloud Platform (GCP) components operate under Google’s BeyondCorp Zero-Trust architecture.
- Encryption at Rest: All data stored across our primary infrastructure—including AWS S3 object storage, Elastic Block Store (EBS) volumes, Relational Database Service (RDS), and persistent storage layers—is automatically encrypted using the industry-standard $\text{AES-256}$ cryptographic algorithm, managed via centralized Hardware Security Modules (HSMs).
- Encryption in Transit: All external communications, inter-service API traffic, and internal database/cache routing require robust cryptographic protocols, restricted strictly to $\text{TLS 1.2}$ or higher.
- Cache Containment: Our Redis cache layers run exclusively within restricted private subnets. They are governed by strict Role-Based Access Control (RBAC) and feature transit-layer $\text{TLS 1.2+}$ encryption alongside $\text{AES-256}$ storage encryption to prevent in-memory data exposure.
- Access Control & Administration: Internal system administration is governed by the Principle of Least Privilege (PoLP). All administrative access requires hardware-backed Multi-Factor Authentication (MFA) and is continuously logged for audit purposes.
4. B2B REGIONAL PRIVACY COMPLIANCE (CPRA & GDPR)
While our services are B2B and exempt from consumer-specific privacy laws regarding Operational Data, we recognize that regional frameworks (such as the California Consumer Privacy Act as amended by the California Privacy Rights Act [CCPA/CPRA] and the General Data Protection Regulation [GDPR]) apply to the business contact information and personal identifiers of corporate employees using our platform.
- User Deletion & PII Rights: Authorized corporate users may request access to, correction of, or deletion of their personal business credentials (such as corporate email, name, and profile settings) by contacting our compliance team. These requests are processed in accordance with regional laws and are handled independently from our automated $14\text{-day}$ operational project file purge.
- No Sale or Share: MarkedUp Inc. does not "sell" or "share" (for cross-context behavioral advertising) any corporate user personal data collected under this Policy.
5. THIRD-PARTY PARITY & COMMERCIAL ALIGNMENT
Our data privacy standards extend beyond our internal infrastructure, aligning directly with our commercial MSA frameworks and third-party vendor agreements.
- Sub-Processor Parity: MarkedUp Inc. contractually mandates, via binding Data Processing Agreements (DPAs), that any third-party infrastructure sub-processors (such as cloud hosting and system analytics tools) maintain data protection, encryption, and confidentiality standards that meet or exceed the rigorous mandates outlined in this Policy. Because our AI pipelines are fully self-hosted, we do not utilize third-party AI model APIs as sub-processors.
- Commercial Tier Access Restrictions: Data processing access is dictated by the commercial tier executed in the MSA:
- Pay-on-Demand Tier: Users operating under transactional Pay-on-Demand agreements retain global access to process files from any geographic location, subject to standard authentication.
- Unlimited Tier: To mitigate enterprise risk, Unlimited Tier subscriptions are strictly geofenced and restricted. Processing access is granted exclusively to Assigned Site Users operating directly from, or reporting directly to, a registered physical "Licensed Office" address as defined in the applicable MSA.
6. JURISDICTION & DISPUTE RESOLUTION
- Governing Law: This Policy, and any disputes arising directly or indirectly from the collection or processing of data by MarkedUp Inc., shall be governed by and construed in accordance with the laws of the State of Wyoming, USA, without regard to its conflict of law principles.
- Binding Arbitration: As detailed in our MSA, any privacy-related disputes, claims, or controversies shall be subject to mandatory, confidential, and binding arbitration. All arbitration proceedings shall be exclusively venued and held in Sheridan County, Wyoming.
For data privacy inquiries, self-hosted infrastructure audits, or to exercise administrative data rights, authorized corporate administrators may contact the MarkedUp Inc. Data Protection Officer (DPO) at customer@markedup.com.