01Overview
AElevora LLC (“AElevora,” “we,” “our,” or “us”) provides human resources software and acts as a data processor on behalf of its clients.
We are committed to protecting Personal Data with transparency, accountability, and strict data governance practices. We do not treat data as a commodity, do not sell Personal Data, and do not engage in unauthorized data sharing. We may use trusted service providers and subprocessors as necessary to host, secure, support, and deliver our services.
02Core Commitments
- We do not sell Personal Data
Your data is never sold to third parties.
- We may use trusted subprocessors necessary to operate our services
We may share Personal Data with contracted infrastructure, hosting, authentication, communications, and support providers strictly as needed to deliver the services and subject to data protection obligations.
- We process data only to deliver contracted services
Data use is strictly scoped to what you engaged us to do.
03Roles & Responsibilities
| Role | Description |
|---|---|
| Controller (Client) | Determines the purposes and means of processing Personal Data. |
| Processor (AElevora) | Processes Personal Data strictly under Client instructions. |
04Categories of Data Processed
AElevora may process the following categories of Personal Data:
- Identifiers such as name, work email address, employee ID, government-issued identifiers, and Social Security number where required for employment administration or compliance workflows
- Contact information such as business address, phone number, emergency contact information, and work location
- Employment data such as job title, department, manager, start date, employment history, compensation, work schedule, leave status, and benefits enrollment information
- HR records and documents such as onboarding forms, employment agreements, policy acknowledgements, signed consents, leave records, and other personnel documents uploaded or generated through the service
- Customer account and administrative data such as usernames, hashed credentials, role assignments, permissions, and support communications
- System data such as audit logs, IP address, device and browser metadata, authentication events, usage telemetry, and service performance data
05Purpose of Processing
Personal Data is processed solely for the following purposes:
- Providing HR software services
- Supporting HR workflows
- Ensuring system security and performance
- Customer support
06Data Sharing & Subprocessors
How We Share Data
- We do not sell, rent, or trade Personal Data.
- We may share Personal Data with trusted subprocessors strictly as necessary to host, operate, secure, maintain, and support the services.
- All subprocessors are subject to written agreements requiring confidentiality, security controls, and use restrictions consistent with applicable law and our customer commitments.
Named Subprocessors
| Subprocessor | Purpose | Primary Processing Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, application hosting, storage, and supporting security services | United States |
| Vercel | Frontend hosting, content delivery, deployment infrastructure, and website performance services | United States and other regions required for content delivery |
| Email and authentication providers, where enabled | Transactional communications, identity verification, login, and account security workflows | Varies by provider configuration |
We may update our subprocessor list from time to time as our service evolves. Any additional subprocessors will be engaged only where they are reasonably necessary to provide the service and subject to appropriate contractual safeguards.
Legal Disclosure
Data may be disclosed where required by applicable law, regulation, or valid legal process. We will notify clients promptly to the extent permitted by law.
07Security Measures
AElevora implements a layered security program designed to protect Personal Data against unauthorized access, disclosure, alteration, and destruction. Our controls include:
Encryption
TLS 1.2+ in transit and encryption at rest for stored customer data
Access Control
Role-Based Access Control (RBAC) with least-privilege enforcement
Authentication
Multi-Factor Authentication (MFA) required for administrative access
Monitoring
System logging, security monitoring, alerting, and vulnerability management
- Administrative access is restricted to authorized personnel with a business need to know.
- Security events and administrative activity are logged and monitored.
- We review and update safeguards as our systems, risks, and contractual obligations evolve.
08Data Retention & Deletion
Data is retained only as long as necessary to:
- Provide contracted services
- Fulfill applicable legal obligations
- Resolve legitimate security, fraud prevention, backup, and dispute-resolution needs
Retention periods vary by data type, customer configuration, controller instructions, and applicable law. The following standard retention periods apply unless a longer period is required by law, contract, customer instruction, or a documented legal hold:
| Data Category | Standard Retention Period |
|---|---|
| Applicant Data (Non-Hired) | Generally 3 to 6 months after the application process is complete, including to accommodate potential discrimination claims and similar legal requirements. |
| General Personnel File | 3 years after the end of the calendar year in which employment ends, including to support final references, disputes, and related employment matters. |
| Compensation and Employment Records | 6 to 7 years, depending on regional employment, financial, and legal recordkeeping requirements. |
| Social Security and Pension Records | 5 to 30 years, depending on the record type and any special retention requirements applicable to pension or social security obligations. |
| Valid Data Subject Deletion Requests | Where AElevora acts as processor, handled in accordance with the relevant customer's instructions and processed within 1 month of receiving a valid deletion request, unless an exception, legal hold, or extended response period is permitted by applicable law. |
09Data Subject Rights
AElevora acts as a processor for most customer data and supports Clients in responding to data subject requests. Where AElevora processes Personal Data on behalf of a Client, the relevant request should ordinarily be submitted to that Client as controller, and we will assist the Client in fulfilling the request as required by applicable law and our contractual obligations. Supported rights include:
Access
Individuals can request a copy of data held about them.
Correction
Inaccurate or incomplete data can be corrected.
Deletion
Data can be erased where legally permissible.
Portability
Data can be exported in a structured, machine-readable format.
10International Transfers
Customer data is primarily hosted in United States-based infrastructure, including Azure regions in the United States. Where Personal Data is transferred across international borders, whether through support access, service delivery, or subprocessor operations, AElevora relies on appropriate safeguards including:
- Standard Contractual Clauses (SCCs) as approved by relevant authorities
- Equivalent transfer mechanisms where applicable
- Contractual, technical, and organizational safeguards designed to protect transferred data
11Incident Response
In the event of a confirmed data breach or security incident involving Personal Data:
- We will notify affected customers without undue delay upon becoming aware of a security incident involving their Personal Data and no later than required by applicable law.
- Investigation and remediation are conducted promptly with full transparency.
- Root cause analysis and corrective actions are documented and shared upon request.
12Contact Information
| Purpose | Contact |
|---|---|
| General Privacy Inquiries | privacy@aelevora.com |
| Security Issues / Vulnerability Reports | security@aelevora.com |
| Legal Requests | legal@aelevora.com |
| Mailing Address | AElevora LLC, 1558 N 600 W Logan, UT Unit 102, 84341 |
13Compliance
AElevora aligns its practices with the following frameworks and regulations:
14Trust Statement
AElevora is built on a fundamental principle: client data is never a product.
We do not engage in hidden data monetization. We use customer data only to provide and secure the service, including through carefully selected subprocessors bound by contractual data protection obligations. We prioritize long-term trust over short-term gain - and that commitment is reflected in every architectural, contractual, and operational decision we make.