How your data is kept safe
Sending your customer database to a supplier is a leap of faith. You're handing over names, contact details, sometimes deeply personal information about donors, members or recipients. You're trusting that the supplier knows what they're doing, won't lose it, and won't repurpose it.
This page is the long answer. What we promise, what we actually do, where your data lives, who can see it, how long it stays. If you're under pressure from your own compliance team, this is the page to send them.
What we promise
- We don't sell your data. Not to advertisers, not to data brokers, not to anyone.
- We don't aggregate it across customers. Your data is yours and stays separate.
- We don't repurpose it for marketing — not ours, not anyone else's.
- We don't feed it to AI training systems.
- We don't use it for anything other than running the job you've briefed us on.
- When the job is done, we delete it.
Where your data lives while we're running your job
On local production systems. Physical servers and workstations in our production room. Not in the cloud. Not on third-party processors. Not in someone else's data centre.
Data is encrypted at rest and held behind multiple authentication steps. Access is single-operator: one set of hands runs the data through every step from receipt to deletion. There are no internal handoffs that introduce additional people to the data, and no contract data-processors who would.
One reason we're cautious about who handles your data: a breach is rarely a single event in isolation. Stolen records get cross-matched against records leaked elsewhere — phone numbers, addresses, account identifiers — building richer profiles for fraud and identity theft over time. The fewer hands your data passes through, the smaller the surface for that compounding risk.
Transferring your data to us
Always contact us before you send data. We'll guide you on the right transfer method for the sensitivity of what you're sending — typically encrypted file transfer or password-protected archives. We never want to receive sensitive data as a plain email attachment.
If you'd like to use a particular secure-transfer protocol you already work with — SFTP, your existing secure file-share — we can almost always meet you there.
For the most sensitive jobs, some customers prefer to hand-deliver the data on a USB stick. We support that. Let us know in advance and we'll process the file directly into our local production environment, then wipe and return the USB.
Retention
We don't retain your data longer than your job requires. Retention timing is set per-job and confirmed in your brief.
Compliance engagement
Customer compliance teams are welcome to engage with us during procurement and through the lifecycle of a job. Document-based review and remote engagement are our usual approach.
Track record
We've been doing this since 2008. Across eighteen years, hundreds of customers and millions of records, customer data we've handled has included government databases at state and federal level, a five-year engagement with an ASX-listed company, member organisations, NFP donor files, and confidential personal information across a range of organisations. Privacy and discretion are operational defaults here, not policies we paste on a page.
A few honest distinctions
Procurement readers regularly ask whether we hold particular certifications. The honest answers:
- PCI DSS compliance is a payment-industry certification — it governs how credit card data is handled, not how mail-house customer databases are handled. We don't process payments, so PCI DSS doesn't apply to us.
- ISO 27001 certification — we don't carry it. We're a one-operator business, and the audit and re-certification overhead would meaningfully change our cost structure for every customer. We rely on operational discipline and a single set of hands instead. That trade-off suits some buyers and not others, and we don't pretend otherwise.
- Cloud-based or distributed data processing — not how we work. Our processing is intentionally on-premises and local. The data doesn't traverse a third-party network at any point during processing.
- Larger doesn't necessarily mean safer. Public data-breach registers are full of large enterprises whose data sits across many internal teams, third-party processors and cloud platforms. The honest framing of going small isn't "less secure" — it's "fewer points of access." That suits some buyers and not others; weigh it against your specific risk profile.
Questions?
This is the kind of conversation we'd rather have early than late. If your industry imposes specific data-handling requirements — banking, healthcare, education, government — get in touch and we'll talk through what fits.