
Data Processing Agreement

Last updated 1 April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Hovermark Ltd ("processor") and the customer ("controller") for the provision of the Hovermark platform.

It reflects the requirements of the UK GDPR, the EU GDPR (where applicable), and the UK Data Protection Act 2018.

1. Roles

The customer is the data controller for any personal data processed within their tenant. Hovermark is the data processor and will only process personal data on the customer's documented instructions.

2. Subject matter and duration

  • Subject matter: provision of the Hovermark inspection, compliance, and maintenance platform.
  • Duration: the term of the underlying agreement, plus a 30-day grace period for data export, after which all customer data is permanently deleted.
  • Categories of data subjects: customer's employees, contractors, and (where the customer chooses) end-customers, tenants, or visitors interacting with assets.
  • Categories of personal data: name, email, role, IP address, photographs taken during inspections, digital signatures, GPS coordinates of inspections.

3. Sub-processors

The customer authorises Hovermark to engage the following sub-processors. We will provide 30 days' prior notice of changes to this list and the customer may object on reasonable grounds.

| Sub-processor | Purpose | Region |
|---|---|---|
| Microsoft Azure | Hosting, storage, identity | West Europe |
| Microsoft Entra ID | Authentication / SSO | UK / EU |
| Stripe | Subscription billing | UK / US |
| Twilio SendGrid | Transactional email | EU / US |

The list above reflects integrations called out in the product brief. Final sub-processor entries (CDN, status-page, support tooling) will be confirmed by the DPO before general availability.

The full, version-controlled list is published at hovermark.com/legal/dpa and notified to controllers' DPO contacts on each change.

4. Security measures

Hovermark implements appropriate technical and organisational measures, including:

  • TLS 1.2+ in transit; AES-256 at rest with Azure-managed keys (CMK on Enterprise).
  • Multi-tenant logical isolation with row-level security and per-tenant encryption scopes.
  • Microsoft Entra ID SSO with PKCE on Professional; SAML on Enterprise.
  • Role-based access control and an immutable audit log of all admin and inspector actions.
  • Annual third-party penetration testing; SOC 2 Type II in progress (target: 2026).
  • Incident response process with notification to controllers within 72 hours of becoming aware of a breach affecting their data.

5. International transfers

Customer data is hosted in Microsoft Azure West Europe (Netherlands) and is not replicated outside the European Economic Area without the controller's written consent. Where corporate functions require transfers (e.g. transactional email), they are governed by the UK International Data Transfer Agreement and/or the EU Standard Contractual Clauses, as applicable.

6. Data subject rights

Hovermark provides controllers with self-service tools to handle access, rectification, restriction, portability, and erasure requests within their tenant. Where the controller cannot fulfil a request via the platform, Hovermark will assist on request.

7. Audit

Once per 12 months, on 30 days' notice and at the controller's cost, the controller may audit Hovermark's compliance with this DPA, subject to confidentiality. Hovermark will share its trust packet (penetration test summary, SOC 2 report once available, architecture diagrams) under NDA in lieu of an on-site audit where the controller agrees.

8. Return and deletion

On termination, the controller may export their data within 30 days. After 30 days, Hovermark will delete all customer data, including from backups within 90 days. Hovermark will provide written confirmation of deletion on request.

Contact

DPO / data protection contact: privacy@hovermark.com.

This document is a launch placeholder. Final wording will be reviewed by our DPO and external counsel before general availability.