Markbase
Legal

Data Processing Addendum

Effective May 27, 2026.

Request access

Markbase is a software product operated by AltaCoda LLC (“AltaCoda”), a Delaware limited liability company with its principal place of business at 1111 Broadway, Oakland, CA 94607. This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between AltaCoda (“Processor,” “we,” “us,” or “our”) and the entity agreeing to the Agreement (“Controller,” “you,” or “your”), collectively referred to as the “Parties.”

This DPA applies to the extent that we process Personal Data on your behalf in connection with the provision of the Markbase platform (the “Service”), as described in the Agreement.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given to them in the Agreement. In addition:

“Applicable Data Protection Law” means all applicable laws and regulations relating to the processing of Personal Data, including (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (b) the UK General Data Protection Regulation and the Data Protection Act 2018 (“UK GDPR”); (c) the Swiss Federal Act on Data Protection (“FADP”); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”); and (e) any other applicable data protection or privacy legislation, in each case as amended, superseded, or replaced from time to time.

“Controller” means the entity that determines the purposes and means of the processing of Personal Data, as defined under Applicable Data Protection Law. For the purposes of this DPA, the Controller is the customer.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“EEA” means the European Economic Area.

“Personal Data” means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Service, as further described in Annex 1.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

“Processor” means the entity that processes Personal Data on behalf of the Controller, as defined under Applicable Data Protection Law. For the purposes of this DPA, the Processor is AltaCoda LLC.

“Processing” (and “process,” “processed”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries, as set out in Commission Implementing Decision (EU) 2021/914, or any successor clauses adopted by the European Commission.

“Sub-Processor” means a third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Service.

“Supervisory Authority” means an independent public authority responsible for monitoring the application of Applicable Data Protection Law.

“UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018, as may be revised from time to time.

2. Scope and Applicability

2.1 Scope

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service.

2.2 Nature of the Service

The Parties acknowledge that the Service is a hosted Markdown document store reached over the Model Context Protocol (MCP). The Service stores documents, frontmatter, and typed-collection records submitted by the Controller or by agents the Controller has authorized, indexes those documents for full-text search, and serves them back to authorized MCP Clients. The categories of Personal Data processed under this DPA are those described in Annex 1.

2.3 Roles

The Controller is the data controller with respect to the Personal Data. The Processor processes Personal Data solely on behalf of the Controller and in accordance with the Controller’s documented instructions as set forth in the Agreement, this DPA, and the Controller’s use and configuration of the Service.

2.4 Precedence

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

3. Controller Obligations

3.1 Compliance

The Controller shall comply with its obligations under Applicable Data Protection Law, including ensuring that it has a lawful basis for the Processing of Personal Data and for instructing the Processor to process Personal Data on its behalf.

3.2 Instructions

The Controller’s instructions to the Processor regarding the Processing of Personal Data are set forth in the Agreement, this DPA, and the Controller’s use and configuration of the Service, including the OAuth scopes the Controller (or its Authorized Users) grants to MCP Clients. The Controller may issue additional written instructions consistent with the Agreement; however, any instructions that fall outside the scope of the Agreement will require a separate written agreement between the Parties.

3.3 Authorization of MCP Clients

The Controller is responsible for the MCP Clients it authorizes to access its workspaces, including the scopes granted, the appropriateness of those scopes for the intended task, and the timely revocation of access for clients that are no longer needed.

3.4 Data Subject Communications

The Controller is responsible for responding to requests from Data Subjects and Supervisory Authorities regarding the Processing of Personal Data, except to the extent the Processor is required to respond directly under Applicable Data Protection Law.

4. Processor Obligations

4.1 Processing Instructions

The Processor shall process Personal Data only in accordance with the Controller’s documented instructions, except where required to do so by applicable law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.

4.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

4.3 Security

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage, as further described in Annex 2. These measures shall take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to Data Subjects.

4.4 Sub-Processing

The Processor shall not engage a Sub-Processor without the prior general written authorization of the Controller, which is hereby granted subject to the conditions set out in Section 5 of this DPA.

4.5 Data Subject Rights

Taking into account the nature of the Processing, the Processor shall assist the Controller, by appropriate technical and organizational measures and insofar as possible, in fulfilling the Controller’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. Such assistance may include providing access to, rectification of, or deletion of Personal Data, to the extent such data is within the Processor’s systems.

4.6 Assistance with Compliance

The Processor shall assist the Controller in ensuring compliance with its obligations under Applicable Data Protection Law with respect to security, breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities, taking into account the nature of the Processing and the information available to the Processor.

4.7 Deletion and Return

Upon termination of the Agreement, the Processor shall, at the Controller’s election, delete or return all Personal Data and delete existing copies, unless applicable law requires retention. Deletion follows the soft-delete and scheduled-purge behavior described in the Privacy Policy. The Controller may request return or deletion by contacting the Processor at hello@altacoda.io. If the Controller does not make an election within thirty (30) days of termination, the Processor shall delete the Personal Data in accordance with its standard data deletion procedures.

4.8 Audit

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller (provided such auditor is not a competitor of the Processor and is bound by appropriate confidentiality obligations).

Audits shall be subject to the following conditions:

  • The Controller shall provide at least thirty (30) days’ prior written notice of an audit request.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor’s operations.
  • The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor.
  • Audits shall be limited to once per twelve (12) month period, unless required by a Supervisory Authority or following a Personal Data Breach.
  • Where the Processor can demonstrate compliance through an independent third-party audit report or certification (such as SOC 2 or ISO 27001), the Processor may provide such report in lieu of an on-site audit, provided the Controller has no reasonable objection.

5. Sub-Processors

5.1 Authorized Sub-Processors

The Controller provides general written authorization for the Processor to engage Sub-Processors to assist in providing the Service. A current list of authorized Sub-Processors is maintained at markbase.cloud/subprocessors.

5.2 Obligations

The Processor shall impose on each Sub-Processor, by way of a written contract, data protection obligations that are no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the acts and omissions of its Sub-Processors.

5.3 Changes to Sub-Processors

The Processor shall notify the Controller at least thirty (30) days in advance of any intended addition or replacement of a Sub-Processor, including the Sub-Processor’s name, location, and purpose. Notification will be provided by email to the address associated with the Controller’s Account or through the Service.

5.4 Objections

The Controller may object to a new or replacement Sub-Processor by providing written notice to the Processor within fifteen (15) days of receiving notification. The objection must state reasonable grounds related to data protection. Upon receipt of an objection, the Processor shall use commercially reasonable efforts to:

  • Make available to the Controller a change in the Service or recommend a commercially reasonable change to the Controller’s use of the Service to avoid Processing by the objected-to Sub-Processor; or
  • Cease use of the objected-to Sub-Processor with respect to the Controller’s Personal Data within a reasonable period.

If the Processor is unable to accommodate the objection within thirty (30) days, either Party may terminate the Agreement (or the affected portion of the Service) by providing written notice. Upon such termination, the Processor shall refund any prepaid fees for the period following the effective date of termination.

6. International Data Transfers

6.1 Transfer Mechanisms

The Service’s application infrastructure is hosted in Germany and its object storage is hosted in the United States. To the extent that the Processing of Personal Data involves a transfer of Personal Data from the EEA, UK, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, the Parties shall ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs): The SCCs (Module Two: Controller to Processor) are hereby incorporated by reference into this DPA. For transfers subject to the GDPR, the Parties agree to be bound by the SCCs as set out in Annex 3.
  • UK Addendum: For transfers subject to the UK GDPR, the UK Addendum to the SCCs is incorporated by reference into this DPA.
  • Swiss Transfers: For transfers subject to the FADP, the SCCs apply with the modifications necessary to comply with the FADP, including treating the Swiss Federal Data Protection and Information Commissioner as the competent Supervisory Authority.

6.2 Alternative Transfer Mechanisms

If a transfer mechanism described in Section 6.1 is invalidated, replaced, or superseded by Applicable Data Protection Law, the Parties shall cooperate in good faith to implement a replacement transfer mechanism that provides adequate safeguards in compliance with Applicable Data Protection Law.

6.3 Disclosure Requests

If the Processor receives a request from a public authority for disclosure of Personal Data transferred under this DPA, the Processor shall:

  • Promptly notify the Controller, unless prohibited by law.
  • Challenge the request if there are reasonable grounds to consider it unlawful.
  • Provide only the minimum amount of Personal Data necessary to comply with the request.

7. Personal Data Breach

7.1 Notification

The Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting the Controller’s Personal Data. Notification shall be provided by email to the address associated with the Controller’s Account.

7.2 Content of Notification

The notification shall, to the extent reasonably possible, include:

  • A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned.
  • The name and contact details of the Processor’s point of contact for further information.
  • A description of the likely consequences of the Personal Data Breach.
  • A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its adverse effects.

7.3 Ongoing Cooperation

If it is not possible to provide all required information at the time of initial notification, the Processor shall provide the information in phases without further undue delay. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach.

7.4 Notification Not an Acknowledgment

The Processor’s obligation to notify or respond to a Personal Data Breach under this Section shall not be construed as an acknowledgment of fault or liability.

8. CCPA/CPRA Provisions

To the extent that the CCPA/CPRA applies to the Processing of Personal Data under this DPA:

  • The Processor is a “service provider” as defined under the CCPA/CPRA. The Processor shall not sell or share (as those terms are defined under the CCPA/CPRA) any Personal Data received from the Controller.
  • The Processor shall not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA/CPRA.
  • The Processor shall not combine Personal Data received from the Controller with Personal Data received from or on behalf of another person or collected from its own interactions with Data Subjects, except as permitted by the CCPA/CPRA.
  • The Processor certifies that it understands and will comply with the obligations set forth in this Section.
  • The Controller may take reasonable steps to ensure that the Processor uses Personal Data in a manner consistent with the Controller’s obligations under the CCPA/CPRA.
  • The Processor shall notify the Controller if it determines that it can no longer meet its obligations under the CCPA/CPRA.

9. Term

This DPA shall remain in effect for the duration of the Agreement. Sections 4.7, 4.8, 7, and any provisions that by their nature should survive termination shall survive the termination or expiration of this DPA.

10. Limitation of Liability

Each Party’s total aggregate liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement. Nothing in this DPA shall be construed to limit either Party’s liability with respect to the rights of Data Subjects under Applicable Data Protection Law.

11. General

11.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of California, United States, without regard to conflict-of-law principles, except to the extent that Applicable Data Protection Law requires the application of the law of another jurisdiction.

11.2 Severability

If any provision of this DPA is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions shall remain in full force and effect.

11.3 Modifications

This DPA may be modified by the Processor to reflect changes in Applicable Data Protection Law by providing at least thirty (30) days’ prior notice to the Controller.

11.4 Entire Agreement

This DPA, together with the Agreement, Annexes, and any SCCs incorporated by reference, constitutes the entire agreement between the Parties with respect to the Processing of Personal Data in connection with the Service.

Annex 1: Details of Processing

This Annex describes the Processing of Personal Data carried out in connection with the Service.

Categories of Data Subjects

  • Employees, contractors, and agents of the Controller who are Authorized Users of the Service.
  • Individuals whose Personal Data is included in documents, typed-collection records, or other Content that the Controller (or an agent the Controller has authorized) submits to the Service.

Categories of Personal Data

  • Account data: Name, email address, organization name, and identifiers returned by Google when an Authorized User signs in.
  • Authentication data: Session identifiers, IP addresses, login timestamps. OAuth access tokens (signed RS256 with rotating keys), refresh tokens (hashed at rest, rotated on each use), and authorization codes (hashed at rest, single-use, 10-minute TTL).
  • Connection metadata: The list of MCP Clients the Controller has authorized, the scopes granted, and last-seen timestamps.
  • Usage data: API endpoints called, response statuses, request rates, timestamps, and rate-limit counters.
  • Workspace Content: Any Personal Data that the Controller (or its authorized agents) chooses to submit to the Service in documents, frontmatter, typed-collection records, or _markbase.md files. The Service is content-agnostic; it does not require, infer, or extract specific personal data categories from Content.
  • Billing data (when applicable): Limited payment card information (card brand, last four digits, expiration date) and billing address, as received from the payment processor.
  • Support data: Email addresses, message content, and attachments submitted in the course of support communications.

Sensitive Data

The Service is not designed for the processing of special categories of Personal Data (as defined in Article 9 GDPR). The Controller agrees not to use the Service to process special categories of Personal Data without first agreeing additional safeguards with the Processor in writing.

Processing Activities

  • Providing and operating the Service, including user authentication, OAuth authorization, session management, and access control.
  • Storing documents in versioned object storage and serving them back to authorized MCP Clients on request.
  • Maintaining a full-text search index over the documents in each workspace.
  • Running the OAuth Authorization Server, including Dynamic Client Registration, the authorization-code grant with PKCE, refresh-token rotation, and revocation.
  • Operating the dashboard for human Authorized Users, including the Connections page for client management.
  • Processing payments and managing subscriptions through the payment processor, when billing is enabled.
  • Delivering transactional notifications.
  • Operating the marketing site at markbase.cloud, including the use of Google Analytics for aggregate visitor measurement.
  • Operating product analytics within the dashboard and Service through Mixpanel.

Retention

Personal Data is retained in accordance with the data retention periods set forth in the Privacy Policy:

  • Account data: Duration of the Account, plus any legally required retention period.
  • Workspace Content: For as long as the workspace exists; deleted items are soft-deleted and purged on a scheduled basis (currently daily).
  • OAuth tokens: Access tokens 1 hour; refresh tokens 30 days (rotated on use); authorization codes 10 minutes (single-use).
  • Billing records: Up to 7 years, as required by tax and accounting obligations.
  • Server logs: 90 days.

Location of Processing

Application infrastructure (API, Authorization Server, database, search index) is hosted in Germany (Hetzner Online GmbH). Object storage for documents is hosted in the United States (Amazon Web Services S3, us-east-1). The marketing site and dashboard SPA are delivered from the United States and a global edge network (Amazon Web Services Amplify and CloudFront). A full list of Sub-Processors and their locations is available at markbase.cloud/subprocessors.

Annex 2: Technical and Organizational Security Measures

The Processor implements and maintains the following technical and organizational measures to protect Personal Data:

Access Control

  • Role-based access controls for all internal systems.
  • Multi-factor authentication for administrative access to production systems.
  • Principle of least privilege applied to all system and database access.
  • Unique user accounts for all personnel; no shared credentials.
  • Workspace isolation: all object-storage and search-index access is scoped per workspace and per organization.

Encryption

  • Encryption of data in transit using TLS 1.2 or higher for all external communications.
  • Encryption of data at rest for the database and for object storage.
  • OAuth access tokens signed with rotating RS256 keys (multi-kid rotation).
  • Refresh tokens and authorization codes stored as one-way hashes at rest.

Data Minimization

  • Personal Data collection is limited to what is necessary for the provision of the Service.
  • The Service is content-agnostic and does not extract or enrich Personal Data from Content.

Infrastructure Security

  • Production infrastructure hosted in professionally managed data centers with physical access controls.
  • Network-level firewalls and security group rules restricting access to production systems.
  • Regular patching and updates to operating systems and application dependencies.
  • Rate limits on the MCP endpoint, OAuth flows, and Dynamic Client Registration to mitigate abuse.
  • Stolen-token detection on refresh-token rotation; reuse triggers revocation of the affected chain.

Monitoring and Logging

  • Centralized logging of access to production systems and databases.
  • Monitoring for anomalous activity, unauthorized access attempts, and system errors.
  • Log retention consistent with the retention periods described in Annex 1.

Incident Response

  • Documented incident response procedures for identifying, containing, and remediating security incidents.
  • Defined escalation paths and notification procedures for Personal Data Breaches, as described in Section 7 of this DPA.

Business Continuity

  • Regular backups of databases and critical systems.
  • Backup integrity verification.
  • Bucket-level versioning on object storage so prior versions of documents can be recovered in the event of accidental or unauthorized modification.

Personnel

  • Confidentiality obligations for all personnel with access to Personal Data.
  • Security awareness training for personnel involved in the Processing of Personal Data.

Vendor Management

  • Due diligence assessments conducted on Sub-Processors prior to engagement.
  • Written agreements with Sub-Processors imposing data protection obligations no less protective than those in this DPA.

Annex 3: Standard Contractual Clauses

To the extent that the Processing of Personal Data involves a transfer of Personal Data from the EEA to the United States or another country without an adequacy decision, the Parties agree to be bound by the Standard Contractual Clauses (Module Two: Controller to Processor) as approved by the European Commission in Implementing Decision (EU) 2021/914.

The SCCs are completed as follows:

Clause 7 — Docking Clause

The optional docking clause is included, permitting additional parties to accede to the SCCs.

Clause 9 — Use of Sub-Processors

Option 2 (General written authorization) is selected. The Processor shall inform the Controller of any intended changes to the list of Sub-Processors, giving the Controller the opportunity to object in accordance with Section 5 of this DPA.

Clause 11 — Redress

The optional clause on independent dispute resolution is not included.

Clause 13 — Supervision

Where the data exporter is established in an EU Member State, the Supervisory Authority of that Member State shall act as the competent Supervisory Authority. Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR, the Supervisory Authority of the Member State where the data exporter’s EU representative is established shall act as the competent Supervisory Authority. Where the data exporter is not established in the EU and has not appointed an EU representative, the Irish Data Protection Commission shall act as the competent Supervisory Authority.

Clause 17 — Governing Law

Option 1 is selected. The SCCs shall be governed by the law of Ireland.

Clause 18 — Choice of Forum and Jurisdiction

Disputes arising from the SCCs shall be resolved by the courts of Ireland.

Annex I to the SCCs

Annex I.A (List of Parties):

  • Data exporter: The Controller (as identified in the Agreement).
  • Data importer: AltaCoda LLC, 1111 Broadway, Oakland, CA 94607. Contact: hello@altacoda.io. Role: Processor.

Annex I.B (Description of Transfer): As set forth in Annex 1 of this DPA.

Annex I.C (Competent Supervisory Authority): As determined in accordance with Clause 13 above.

Annex II to the SCCs

The technical and organizational measures implemented by the data importer are as set forth in Annex 2 of this DPA.

Annex III to the SCCs

The current list of Sub-Processors is maintained at markbase.cloud/subprocessors.

Contact: AltaCoda LLC 1111 Broadway Oakland, CA 94607 Email: hello@altacoda.io

Last updated: May 27, 2026