Data Processing Agreement
Last updated: July 4, 2026
MaturityHR is a product of evaluoi.ai Oy Ltd (Business ID: 3582911-8). This Data Processing Agreement (DPA) applies to the processing of personal data in the MaturityHR service available at maturityhr.com and forms an integral part of the Terms of Service and Subscription Agreement.
1. Definitions
- Data Controller: The Customer
- Data Processor: evaluoi.ai Oy Ltd
- Personal Data: Any data relating to an identifiable person
- Data Subject: Individuals whose data is processed
- Sub-processors: Approved third parties supporting the Service
2. Scope and Purpose
evaluoi.ai Oy Ltd processes personal data solely to provide the MaturityHR Service, including:
- Collection of competence management maturity assessment data
- Tracking of development initiatives and their impact
- Data management, storage, and deletion
Duration: the length of your subscription.
3. Types of Personal Data
- Email addresses
- Display names
- Assessment responses
- Usage metadata (IP addresses anonymized after 90 days)
4. Categories of Data Subjects
- Account owners
- Assessment participants
- Collaborators
5. Processor Obligations
evaluoi.ai Oy Ltd will:
- Act only on the Controller's lawful instructions
- Maintain confidentiality
- Implement robust security measures (AES-256, TLS 1.3, row-level security (RLS))
- Assist with Data Subject requests
- Delete or return personal data upon termination
- Retain logs for 90 days
- Notify the Controller of breaches within 72 hours
6. Sub-processors
We use the following approved sub-processors:
Supabase
- Database, authentication, data storage, and authentication emails
- EU region (AWS eu-west-1, Ireland)
- GDPR compliant
Vercel
- Application hosting and cookieless web analytics
- GDPR compliant
Stripe
- Payment processing
- PCI DSS Level 1 certified
Customers will be notified 30 days before new sub-processors are added.
7. Security Measures
- Encryption at rest and in transit
- Role-based access controls
- RLS tenant isolation
- 90-day audit logs
- Encrypted backups (90-day retention)
- Incident response workflows
- 72-hour breach reporting
8. Data Subject Rights
We assist the Controller with:
- Access
- Rectification
- Deletion
- Portability
- Consent withdrawal
9. Breach Notification
If a breach occurs, evaluoi.ai Oy Ltd will:
- Notify within 72 hours
- Provide full incident details
- Assist in regulatory notifications
10. Audits and Documentation
The Controller may:
- Request documentation
- Conduct audits with reasonable notice
- Review incident and audit logs
11. Termination
Upon termination:
- Personal data deleted after 30 days
- Backups purged within 90 days
- Data export available before deletion
12. Governing Law
This DPA follows the laws of Finland and the European Union (GDPR).