
Data Processing Agreement

Last Updated: 25 November 2025
1. Definitions
  • Data Controller: The Customer

  • Data Processor: evaluoi.ai

  • Personal Data: Any data relating to an identifiable person

  • Data Subject: Individuals whose data is processed

  • Sub-processors: Approved third parties supporting the Service

2. Scope and Purpose

evaluoi.ai processes personal data solely to provide the Service, including:

  • Measurement data collection

  • AI-generated insights

  • Data management, storage, and deletion

Duration: the length of your subscription.

3. Types of Personal Data
  • Email addresses

  • Display names

  • Measurement responses

  • AI output (sentiment, themes, scores)

  • Usage metadata (IP addresses anonymized after 90 days)

4. Categories of Data Subjects
  • Account owners

  • Participants

  • Expert reviewers

  • Collaborators

5. Processor Obligations

evaluoi.ai will:

  • Act only on Controller's lawful instructions

  • Maintain confidentiality

  • Implement robust security measures (AES-256, TLS 1.3, RLS)

  • Assist with Data Subject requests

  • Delete or return personal data upon termination

  • Retain logs for 90 days

  • Notify the Controller of breaches within 72 hours

6. Sub-processors

We use the following approved sub-processors:

Supabase
  • Database, auth, storage

  • EU (Frankfurt)

Google (Gemini AI)
  • AI-powered analysis

  • Zero-retention mode

  • Data not used for model training

  • SCCs in place

Stripe
  • Payment processing

  • PCI DSS Level 1 certified

Customers will be notified 30 days before new sub-processors are added.

7. Security Measures
  • Encryption at rest and in transit

  • Role-based access controls

  • RLS tenant isolation

  • 90-day audit logs

  • Encrypted backups (90-day retention)

  • Incident response workflows

  • 72-hour breach reporting

8. Data Subject Rights

We assist the Controller with:

  • Access

  • Rectification

  • Deletion

  • Portability

  • Consent withdrawal

9. Breach Notification

If a breach occurs, evaluoi.ai will:

  • Notify within 72 hours

  • Provide full incident details

  • Assist in regulatory notifications

10. Audits and Documentation

The Controller may:

  • Request documentation

  • Conduct audits with reasonable notice

  • Review incident and audit logs

11. Termination

Upon termination:

  • Personal data deleted after 30 days

  • Backups purged within 90 days

  • Data export available before deletion

12. Governing Law

This DPA follows the laws of Finland and the European Union (GDPR).

13. Contact