Data Processing Agreement

    Last updated: July 4, 2026

    MaturityHR is a product of evaluoi.ai Oy Ltd (Business ID: 3582911-8). This Data Processing Agreement (DPA) applies to the processing of personal data in the MaturityHR service available at maturityhr.com and forms an integral part of the Terms of Service and Subscription Agreement.

    1. Definitions

    • Data Controller: The Customer
    • Data Processor: evaluoi.ai Oy Ltd
    • Personal Data: Any data relating to an identifiable person
    • Data Subject: Individuals whose data is processed
    • Sub-processors: Approved third parties supporting the Service

    2. Scope and Purpose

    evaluoi.ai Oy Ltd processes personal data solely to provide the MaturityHR Service, including:

    • Collection of competence management maturity assessment data
    • Tracking of development initiatives and their impact
    • Data management, storage, and deletion

    Duration: the length of your subscription.

    3. Types of Personal Data

    • Email addresses
    • Display names
    • Assessment responses
    • Usage metadata (IP addresses anonymized after 90 days)

    4. Categories of Data Subjects

    • Account owners
    • Assessment participants
    • Collaborators

    5. Processor Obligations

    evaluoi.ai Oy Ltd will:

    • Act only on the Controller's lawful instructions
    • Maintain confidentiality
    • Implement robust security measures (AES-256, TLS 1.3, RLS)
    • Assist with Data Subject requests
    • Delete or return personal data upon termination
    • Retain logs for 90 days
    • Notify the Controller of breaches within 72 hours

    6. Sub-processors

    We use the following approved sub-processors:

    Supabase

    • Database, authentication, data storage, and authentication emails
    • EU region (AWS eu-west-1, Ireland)
    • GDPR compliant

    Vercel

    • Application hosting and cookieless web analytics
    • GDPR compliant

    Stripe

    • Payment processing
    • PCI DSS Level 1 certified

    Customers will be notified 30 days before new sub-processors are added.

    7. Security Measures

    • Encryption at rest and in transit
    • Role-based access controls
    • RLS tenant isolation
    • 90-day audit logs
    • Encrypted backups (90-day retention)
    • Incident response workflows
    • 72-hour breach reporting

    8. Data Subject Rights

    We assist the Controller with:

    • Access
    • Rectification
    • Deletion
    • Portability
    • Consent withdrawal

    9. Breach Notification

    If a breach occurs, evaluoi.ai Oy Ltd will:

    • Notify within 72 hours
    • Provide full incident details
    • Assist in regulatory notifications

    10. Audits and Documentation

    The Controller may:

    • Request documentation
    • Conduct audits with reasonable notice
    • Review incident and audit logs

    11. Termination

    Upon termination:

    • Personal data deleted after 30 days
    • Backups purged within 90 days
    • Data export available before deletion

    12. Governing Law

    This DPA follows the laws of Finland and the European Union (GDPR).

    13. Contact

    hello@evaluoi.ai