Introduction
This Privacy Policy provides information on the processing of personal information by any affiliate of Sovos Compliance (“Sovos”, “we”, “our”, “us”) in connection with business contacts, visitors on webpages and customer data. Your privacy and integrity are important to us, and we are committed to providing you with clear and transparent information about the personal data we collect, why it is needed, how it is used and the rights you have on your data.
A Sovos Compliance Affiliate is responsible for processing your personal data described in this Privacy Policy. You can see the list of Sovos’ Affiliates and select a region and country to view the registered address and contact details of the applicable responsible Sovos affiliate.
Sovos also processes personal data on behalf of and in accordance with the instructions of our customers, as a Processor. Our processing of personal data on behalf of our customers is governed by a Data Processing Addendum for Sovos Software and Services. This Privacy Policy does not cover our processing activities as a processor.
- What personal data do we process?
- How and why do we process your personal data?
- How is personal data collected?
- How long do we keep your personal data?
- Disclosure of personal data
- International Data Transfers
- Third party websites
- What are your privacy rights?
- Use of cookies and similar technologies
- Data Security
- Your questions
- Additional information for California Residents
- Children’s Privacy
- EU-US and Swiss-US Data Privacy Framework
What personal data do we process?
The type of personal data Sovos processes about you may be:
- Names, addresses, phone numbers, job titles, places of work, business and personal emails
- Information provided through job applications
- Information submitted as part of a support request or survey
- Demographic attributes, when tied to personal data that identifies you
- When interacting with our websites, we may collect your IP address, geographic location, and behavioral data of the internet-connected computer or device you use, such as advertisements clicked or viewed, sites, and content areas
- Transactional data, including products and services ordered, financial details, and payment methods
- Information collected through joint marketing activities, events, or sponsorships, including registration details, attendance records, and preferences shared with our partners or event sponsors
How and why do we process your personal data?
To manage business relationships with customers, suppliers, and partners
We use your personal data when you are a customer, or as a representative from a customer, supplier and partner to manage our business relationship with the company or organization that you represent. This includes contact information e.g. name, phone number, email as well as order or payment data when you contract products directly from our sites. We will process your personal data necessary for fulfilment of a contract with you on the basis of our legitimate interest as a business.
To provide good customer service and Support Services
We use personal data to provide support services, such as responding to your questions when you contact our support, when you file a complaint or when we provide customer service. This includes your contact information, the interaction log with us, and user generated content such as your chat transcript or email. The processing of your personal data to provide you with good customer service is based on our legitimate interest as a business. We may also need to process your data to fulfil our support obligations under a contract. If your call is being recorded, we will ask for your consent.
To enable functionality on our websites
We use cookies and similar technologies to enable functionality on our websites which are necessary for it to function, including remembering your settings and preferences if you allow it. We also use analytics tools to understand how our products and platforms are used, which helps us identify and fix technical issues, improve user experience, optimize performance, and develop new features. This includes collecting usage data such as features accessed, pages visited, session duration, as well as technical information like device type, browser information, and IP addresses (which may be anonymized). We process this data based on our legitimate interest as a business in maintaining high-quality services, and you can opt out of non-essential analytics by contacting us. Learn more about the categories of cookies and their storage periods by clicking the button below.
To manage the security of our websites
We may collect site use data, e.g. user credentials log data, for security and operations management, relying on our legitimate interest as a business to help keep our sites and systems secure, or to investigate and prevent potential fraud and cyber-attacks and to detect bots.
To comply with applicable laws and regulations
In some cases, we may need to process your personal data to manage, defend and exercise legal claims and rights, for example in connection with a dispute or court proceedings or to respond to a request from a regulator. In this case we will process the relevant categories of personal data necessary to satisfy our legitimate interest of managing, defending, and exercising legal claims and rights.
To market Sovos Services and Products
Sovos may use and combine your personal data to be able to generate and distribute marketing materials relevant to you, such as newsletters and recommendations, through multiple communication channels. Sovos may process your contact information (e.g. name, phone number, email address), your IP address, your geographical region, as well as user-generated data (for example, click and browsing history) to understand your preferences, personalize your experience when interacting with Sovos and to improve the content and functionality of our products, services and website, including through marketing segmentation activities.
It is our assessment that we have a legitimate interest as a business in communicating with you, especially because we provide you with all means to unsubscribe or opt out at any time from our communications for this purpose. Sovos may engage in joint marketing activities, co-branded campaigns, or event sponsorships with third-party partners. In connection with these activities, we may process your personal data, including contact information, registration details, and event participation data, to: organize and manage events, webinars, or conferences; facilitate networking opportunities; send communications related to the event or activity; share relevant content and follow-up materials; and enable our partners or sponsors to contact you about their products or services that may be of interest to you. Where required by applicable law, we will obtain your consent before sharing your personal data with partners or event sponsors for their own marketing purposes.
You can unsubscribe from our communications at any time by clicking on the unsubscribe link in the communication or by contacting us.
To track your interactions in digital channels
Sovos may collect and use personal data derived from your interactions with our websites, social media, webinars, and marketing campaigns. For example, when you accept cookies or similar technologies or fill out a form on our website or webinar, we may collect online identifiers such as IP, MAC address or similar, geographical region and user behavior like clicks, page visits and time spent on watching webinars, based on your consent, to analyze and understand how individuals interact with us and our content. These insights are used to improve our marketing efforts, target the right audience, and provide you with more personalized content in our communications with you.
Recruiting
Sovos processes your information to manage recruitment processes and process job applications as well as to evaluate submitted documentation, conduct interviews, and call references or conduct background checks in accordance with local laws and regulations, and to contact you about future opportunities.
Our processing of your personal data as a candidate and job applicant, such as your contact details, information collected through Careers such as your CV, education record, job position, role interests, is based on our legitimate interest as a business as well as to facilitate our recruitment process, to facilitate and manage in-person and online meetings and assessments, to process data such as your compensation, details of your reference providers and the results of a candidate assessment with a third party provider if we have asked you to complete one during the recruitment process.
When making a hiring decision for current or future employment, we will process your personal data as part of our evaluation of your application based on legal obligations, pre contractual and contractual steps, and based on our legitimate interest in keeping records of our decision-making process.
If you are not appointed to a role, we would like to add your details to our internal talent and candidate pool so that we can contact you for future opportunities where you may be a match, and to inform you of recruitment events and news, unless you prefer that we not do so.
Any processing of your sensitive personal data in connection with your job application will be based on your explicit consent, as required and applicable by law.
Please note that you can withdraw your consent at any time, although this may affect our ability to consider you for employment at Sovos.
To manage event photography and video recording
When you attend our events, conferences, webinars, or decide to participate in other activities organized by Sovos, we may take photographs and record videos. This includes capturing general atmosphere shots, presentations, networking activities, and individual or group photos. We process this visual data based on our legitimate interest as a business to: document our events and activities for internal communications, create marketing and promotional materials, share event highlights on social media and our website, improve future events based on attendance and engagement.
For close-up photos, featured content, testimonials, or any external marketing use where attendees are clearly identifiable, we will obtain the attendees’ explicit consent before capturing or using such images.
You may opt out of being photographed by informing us at registration or by using the opt-out indicators available at our events.
You can request deletion of photos or videos where you are identifiable at any time by contacting us.
How is personal data collected?
Sovos collects most of your data directly from the Sovos customer you work for or from you directly when you interact with our sites or provide your personal data to us.
Some purchases of Sovos products or services are done via a Sovos partner company; in those cases, we may collect information about you from the partner company.
In some cases, we may collect information about you from other sources. These sources may be referral partners, Sovos’ marketing partners, public sources, or social networks.
We may also collect personal data about you from our partners or event sponsors in connection with joint marketing activities, co-branded campaigns, or sponsored events. This may include information you provide when registering for an event, participating in a webinar, or engaging with content co-hosted by Sovos and a partner. We rely on our partners and event sponsors to inform you about their data sharing practices and, where required by applicable law, to obtain your consent before sharing your personal data with us.
How long do we keep your personal data?
The data you provide to us will be securely stored only as long as it is required to perform our contractual obligations. When we process your personal data based on another legal basis, such as legitimate interest, data is stored as long as necessary to fulfil the purpose for which it was provided or to comply with statutory provisions. Regarding data processing based on consent, we will retain your personal data for as long as consent is not withdrawn.
We will securely delete your personal data promptly after the purposes described above cease to apply in accordance with the prevailing market practice for such destruction.
Disclosure of personal data
Sovos Group
The Sovos group consists of many different subsidiaries, and it is important for us that we provide the best possible overall experience for you. In order to maintain this overview and insight, Sovos may share your personal data across companies in the Sovos Group.
Third parties
We may disclose personal information to third parties, including independent contractors or subcontractors (such as consultants who are engaged by Sovos), agents (recruitment agents) and service providers (such as legal and consultancy providers) who need to process your information in the course of providing services for Sovos or on behalf of Sovos for the purposes specified in this policy.
Sovos also uses service providers that perform business functions on our behalf, such as third-party IT service and software providers, to host, store, and process data. When using these processors, Sovos will enter into a data processing agreement to safeguard your privacy, and we will make sure that the information is only transferred where reasonably necessary to enable us to fulfil the purposes set out in this Policy. If our processors are located outside of the EU/EEA, Sovos will ensure legal grounds for such international transfers on your behalf, for example by using the EU Model Clauses.
Business Partners
Sovos may share your data with our partners in the event this is legitimate from a business point of view and aligned with applicable privacy legislation.
Public Authorities
Sovos may disclose your personal information: (a) as required or permitted by, or to comply with, applicable law, regulation, court or tribunal processes or other statutory requirements; (b) to respond to requests from or disclosures required by any court, tribunal, authority, regulator or supervisory or governmental body; or (c) to comply with Know Your Customer and anti-money laundering requirements and references, background and other similar checks on or conducted by Sovos.
International Data Transfers
Like many global organizations, Sovos interacts with other parties globally and uses global IT systems. For example, certain third-party IT systems used by us host, store and process data in and outside of the European Economic Area (EEA). Sovos may transfer your personal data from the EEA, United Kingdom (UK) and Switzerland to other countries, some of which have not yet been determined by the European Commission to have an adequate level of data protection. When we engage in such transfers, we use a variety of legal mechanisms, including contracts such as approved Standard Contractual Clauses and necessary supplementary measures, which include technical, contractual and organizational measures that are necessary to guarantee the equivalent level of protection of your data.
Sovos participates in the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework. Click here to learn more.
Third party websites
Our websites may contain links to third party websites. Navigating through these links will redirect you away from our websites. Please note that this privacy policy is not applicable to third party websites, and your use of such websites is at your own risk. We encourage you to review the applicable privacy policies of other sites you visit.
What are your privacy rights?
- Accessing your Information: right to know if and what information we hold about you.
- Verifying your information: you can always ask us to update and/or correct your information if you find that we are processing inaccurate information about you.
- Ask for deletion of your personal data: upon your request and if we are not obliged to keep your data for legal purposes, we will remove it.
- Objecting to the processing of personal data: if we process your personal data based on our legitimate interests, e.g. for direct marketing emails, you can object to it. We will consider your request and, if there are no legal grounds to refuse it (e.g., public interest), stop the processing for such purposes.
- Withdraw your consent: You have the right to withdraw your consent at any time if you previously gave the consent to the processing.
- Restricting the processing of personal data: If you challenge the accuracy of your personal data or suspect unlawful processing, you have the right to temporarily stop the processing of your personal data to verify its consistency. During this period, we will only process the personal data for legal compliance purposes until the circumstances of restriction cease to exist.
- Ask for having your personal data transferred to another organization: upon your request we can transfer your personal data to a third party, in certain circumstances, such as where our processing of it was based on a consent.
Use of cookies and similar technologies
Cookies and similar technologies are used by Sovos and our advertising technology partners to recognize you and/or your device(s) for the purposes specified in the section “How and why do we process your personal data?”.
Cookies are small text files that contain a string of characters and uniquely identify a browser on a device connected to the Internet. Depending on your jurisdiction, you may be presented with different consent options, including the option to reject all non-essential cookies, prior to Sovos placing cookies on your browser.
Visitors from all jurisdictions are provided with functionality to opt out of non-required cookies by setting their preferences via the “Cookies settings” link, accessible via a banner pop-up when you visit our websites.
If you do not want to receive cookies, you can also change your browser settings on your device that you are using to access our websites.
Data Security
We have taken technical and organizational measures to protect your data from loss, alteration, or unauthorized access. We continuously improve these security measures in line with technological development and industry standards.
Your questions
If you have any complaints regarding our compliance with this Privacy Policy, please contact us at privacy@sovos.com.
We will thoroughly investigate and endeavor to resolve any complaints or disputes regarding processing of personal data in accordance with this Privacy Policy and applicable law.
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your country. A list of the data protection authorities is available here.
Additional information for California Residents
This additional information serves as a notice under the California Privacy Rights Act, required by the California Consumer Privacy Act (together “CCPA”), to consumers residing in California:
Purpose
To support your relationship with Sovos, or your use of our services and products, we may have collected and disclosed information within the past 12 months for the following types of business and commercial purposes: please refer to: How and why do we use your personal data?
Categories
We may have collected and disclosed the following types of information for business and commercial purposes: please refer to Which categories of personal data do we process?
We keep your personal information for as long as it is required in order to fulfill the relevant purposes described in the Privacy Policy, as permitted or may be required by law.
Sources and disclosures
We may collect Personal Information directly from you, automatically from your interactions with Sovos or from your employer, or from our partners or event sponsors in connection with joint marketing activities or sponsored events. We may disclose information about you to our subsidiaries, suppliers and, when appropriate, selected partners to help us provide you, or the company you work for, with products or services, or to fulfill your requests.
We do not use or disclose sensitive personal information for any purpose not expressly permitted by the California Privacy Rights Act.
For more information, please refer to: How is personal data collected? and Disclosure of personal data.
Sale and Share
Sovos does not sell personal data to third parties in exchange for money. However, in CCPA, a sale is defined to include disclosures of personal data to a third party for monetary or valuable consideration, which means the use of third-party cookies on our website may qualify as a sale under CCPA.
Therefore, we provide you with the means to opt out of such sale:
- You can choose the option “reject all” in our cookie banner and consequently there is no sale of your personal information.
- If you have accepted cookies and you want to opt out from the sale or share of your personal information, our cookie banner allows you to manage your preferences and opt out from the sale or share at any time.
Rights
As a California resident, you have the right to:
- Know your Personal Information: you can request specifics about personal information we hold about you by submitting a request to privacy@sovos.com.
- Request deletion or rectify your personal information: You can request the deletion of or seek to rectify (correct, update or modify) the Personal Information that we hold about you.
- Opt-out of Sale or Sharing of your Personal Information. To opt out of the use of cookie data for the purposes of targeted advertising, please select our cookie manager and set out your cookies preferences to reflect your decision.
- Limit the Use or Disclosure of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes that would require us to offer consumers the right to limit such use under the CCPA.
- Non-discrimination: if you choose to exercise any of the above rights, Sovos will not deny goods or services to you or provide different quality of services.
If you wish to exercise your rights, please contact us at privacy@sovos.com. Please note that the rights provided for herein are subject to limitations, which you can learn more about here.
Children’s Privacy
We do not knowingly collect or solicit personal information from anyone under the age of 13. If you are under 13, please do not attempt to register for our services or products or send any personal information about yourself to Sovos.
EU-US and Swiss-US Data Privacy Framework
Sovos complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.
Sovos has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Sovos has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit here.
If you have any inquiries or complaints about our handling of your personal information under the Data Privacy Framework, or about our privacy practices generally, please see our section “Your questions”. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of personal data within 45 days of receiving your complaint.
Sovos has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit here for more information and to file a complaint (free of charge).
Complaints related to human resources data should not be addressed to the Data Privacy Framework Services, operated by BBB National Programs.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. For information visit DPF here.
Sovos will cooperate with the United States Federal Trade Commission and any data protection authorities of the EU Member States (“DPAs”) and/or the Swiss Federal Data Protection and Information Commissioner’s Office (“ICO”) in the investigation and resolution of complaints that cannot be resolved between Sovos and the complainant that are brought to a relevant DPA.
As explained here we sometimes provide personal information to third parties to perform services on our behalf. If Sovos transfers personal information received under the Data Privacy Framework to a third party, except for disclosures to government agencies, the third party’s access, use and disclosure of the personal information must also be in compliance with our Data Privacy Framework obligations and Sovos will remain liable under the Data Privacy Framework, unless Sovos proves that it is not responsible for the event giving rise to the damage. We may be required to disclose personal information that we handle under the Data Privacy Framework in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
A list of these third parties is available upon request by contacting us at privacy@sovos.com.
You can review our Data Privacy Framework registration here. The Federal Trade Commission (FTC) has jurisdiction over Sovos’ compliance with the Data Privacy Framework. The Sovos US entities adhering to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF are: 1099 Pro LLC, Convey Compliance Systems, LLC, Invoiceware Brazil, LLC, New Dawn Ventures LLC, Six88 Solutions, Inc., TINCheck LLC, Aatrix Software, LLC.
Introduction
Protecting consumer privacy is important to Sovos. This privacy policy outlines our general policy and practices for implementing the Principles (defined below), including the types of information we gather, how we use it and the notice and choice affected individuals have regarding our use of and their ability to correct that information. This privacy policy applies to all personal information received by Sovos whether in electronic, paper or verbal format about persons who are not Sovos employees.
This privacy policy applies to Sovos Compliance, LLC, together with all of its US subsidiaries (Sovos): Image Science and Services, Inc.; Six88 Solutions, Inc.; 3PF, LLC; Convey Compliance Systems, LLC; 1099 Pro, LLC. and Invoiceware International, LLC.
For Sovos employees, this privacy policy applies to all personal information processed by Sovos for tax reporting purposes. Sovos has other privacy policies that apply to other data of its employees.
Privacy Shield Privacy Statement
Sovos complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries (and Iceland, Liechtenstein, and Norway) and Switzerland transferred to the United States pursuant to Privacy Shield. Sovos has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/
The Federal Trade Commission (FTC) has jurisdiction over Sovos’ compliance with the Privacy Shield.
Definitions
“Personal Information” or “Information” means information that (1) is recorded in any form; (2) is about, or pertains to a specific individual; and (3) can be linked to that individual; (4) can directly or indirectly identify an individual.
“Sensitive Personal Information” means personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health. Sovos’ services do not include the collection of Sensitive Personal Information.
Principles
Sovos collects data from the general public via the Sovos web site. This data may include information volunteered by an individual who wants to obtain more information about Sovos’ services or data which indicates who accessed Sovos’ web site and which pages they accessed. The latter type of data may or may not include Personal Information. This data is used for Sovos’ marketing and sales purposes and is not passed to third parties for any purpose other than assisting Sovos in its marketing and sales efforts. Sovos does not sell this data to third parties. Third parties who do receive this type of data are obligated to use the data only for the contracted purpose and to maintain the confidentiality of the data.
Sovos performs its tax determination, remittance, and reporting functions without retaining the personally identifiable information of consumers. Personally identifiable information is only used and retained to the extent necessary for the administration of the services with respect to exempt purchasers. Generally, Sovos does not obtain personally identifiable information directly from consumers. We primarily receive personally identifiable information as a result of consumers’ financial transactions with sellers. However, in the event Sovos collects information directly from consumers, we will obtain the personal information that is needed to provide our goods or services, to provide customer service and to fulfill any legal or regulatory requirements.
Data collected from customers related to Sovos’ services: Sovos’ customers provide Sovos with Personal Information necessary for Sovos or its customers to make required tax, compliance and/or business-to-government reporting disclosures to taxing authorities. This may include social security numbers and the name and address of an individual, and will include information about payments Sovos’ customer has made to the individual. Sovos may also collect data about individuals from government-run or sponsored web sites, such as sites designed to verify that social security numbers are accurate. This data is used solely for the provision of Sovos’ services to its customers and is not used for any other purpose.
Choice
Individuals who have provided information to Sovos via its web site may contact Sovos to have their names and information removed from Sovos’ marketing and sales databases by contacting us at privacy@sovos.com. Sovos complies with applicable law that requires all marketing emails to include the means to opt out of such email.
Individuals whose Personal Information is collected from Sovos’ customers can opt out of Sovos’ use of their information by contacting the Sovos customer who provided the information.
Sovos does not currently collect Sensitive Personal Information. In the event that Sovos does receive Sensitive Personal Information, Sovos shall treat Sensitive Personal Information received from an individual the same as the individual would treat and identify it as Sensitive Personal Information.
Use of Cookies
As you browse Sovos.com, advertising cookies will be placed on your computer so that we can understand what you are interested in. Our display advertising partner, Google AdWords, then enables us to present you with retargeting advertising on other sites based on your previous interaction with Sovos.com.
The techniques our partners employ do not collect personal information such as your name, email address, postal address or telephone number. You can visit this page to opt out of AdWords and their partners’ targeted advertising.
Onward Transfers
Sovos has certified that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. We are subject to the investigatory and enforcement powers of the Federal Trade Commission. To learn more about the Privacy Shield Principles, and to view our certification, please visit https://www.privacyshield.gov.
Data collected from the public via the Sovos website may be transferred to:
- Sovos’ Customer Resource Management (“CRM”) provider
- Firms which assist Sovos in sales and marketing
- Sovos’ data hosting services providers
- Sovos’ printing partners
These third parties all either: (a) have subscribed to the Privacy Shield Principles, (b) adopted the Model Clauses, or (c) have a contractual obligation to Sovos which prohibits them from making any use of the data beyond what is required to fulfill their obligations to Sovos. A list of these third parties is available upon request by contacting us at privacy@sovos.com.
Data collected from customers related to Sovos’ services may be transferred to:
- Government agencies: Sovos may transfer tax-reporting related data to government agencies
- Sovos’ data hosting services providers
- Applicable member states of the Streamlined Sales Tax Initiative
- Sovos’ print services providers
A list of these third parties is available upon request by contacting us at privacy@sovos.com.
Sovos lacks the power to dictate what government agencies do with the data. Sovos provides government agencies only with data required to fulfill tax reporting requirements of Sovos and its customers. Sovos’ data hosting services providers have a contractual obligation to Sovos which prohibits them from making any use of the data beyond what is required to fulfill their obligations to Sovos.
Except for disclosures to government agencies, Sovos shall ensure that any third party to which Personal Information may be disclosed subscribes to the Principles, is subject to law providing the same level of privacy protection as is required by the Principles, or agrees in writing to provide an adequate level of privacy protection.
In certain rare instances, law enforcement officials or a court may issue a subpoena that obligates Sovos to disclose those of its records relevant to an investigation. When that happens, Sovos makes sure that the disclosure of records is as narrow as possible. When the subpoena permits such notice, Sovos will notify the impacted individual of the subpoena and impending disclosure.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Sovos’ accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Sovos remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Sovos proves that it is not responsible for the event giving rise to the damage.
Data Security
Sovos shall take reasonable steps to protect the Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Sovos has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Although information sent to and from Sovos is secured according to industry best practices, Sovos cannot guarantee the security of Information on or transmitted via the Internet.
Data Integrity
Sovos shall only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Sovos shall take reasonable steps to ensure that Personal Information is accurate, complete, current and reliable for its intended use.
Access
Sovos shall allow an individual access to their Personal Information and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. Where the information the individual seeks to edit was provided by a Sovos customer, Sovos will need to contact the customer and will only change the information after the customer has verified that the original information was inaccurate. Access can be initiated via email to privacy@sovos.com.
Enforcement
Sovos uses a self-assessment approach to assure compliance with this privacy policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Privacy Shield Principles. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Information in accordance with the Privacy Shield Principles.
Dispute Resolution
In compliance with the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks, Sovos is committed to resolving complaints about your privacy and our collection or use of your Personal Information. Individuals with inquiries or complaints regarding this privacy policy should first contact Sovos at:
Sovos Compliance, LLC
Attn: Office of Information Security
200 Ballardvale Street
Building 1, 4th Floor
Wilmington, MA 01887
or by email to: privacy@sovos.com
We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of personal data within 45 days of receiving your complaint.
Sovos has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.
If your complaint involves human resources data transferred to the United States from the EU and/or Switzerland in the context of the employment relationship, and Sovos does not address it satisfactorily, Sovos commits to cooperate with the panel established by the EU data protection authorities (DPA Panel) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable and to comply with the advice given by the DPA panel and/or Commissioner, as applicable with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD.
Under certain limited circumstances, individuals in the EEA may invoke binding Privacy Shield arbitration as a last resort if all other forms of dispute resolution (discussed above) have been unsuccessful. To learn more about this method of resolution and its availability to you, please visit https://www.privacyshield.gov/.
Data Protection for Individuals in the European Union (EU)
In addition to the above information, as Sovos is a global business we may collect data from citizens within the EU.
Through this section of the Privacy Policy, we aim to inform you about the types of personal data we may collect from European individuals, the purposes for which we use the data and the ways in which the data is handled. We also aim to satisfy the obligation of transparency under the EU General Data Protection Regulation 2016/679 (“GDPR”) and national laws implementing GDPR.
Transfer of Information Outside the EEA
Under the General Data Protection Regulation, we are required to tell you if we transfer or intend to transfer information which we hold on you to countries outside the European Economic Area (“EEA”).
Except as prohibited by law, the information that you provide us with may be stored on Sovos servers outside of Europe and other Sovos companies or business partners may process this information on Sovos’ behalf, but always under strict conditions of confidentiality. Sovos will keep this information to enable it to properly and effectively administer and monitor the customer relationship it has with you. We transfer such information outside the EEA only if:
a) your product or service enquiry is best handled by one of our companies located outside the EEA; or
b) the service you have requested, such as a newsletter, is delivered through a third-party located outside the EEA.
In either case, a list of companies we may utilize outside the EEA is available upon request by contacting us at privacy@sovos.com.
We apply equal rigour to the security of data held and processed by us or on our behalf outside of the EEA. We have taken steps to ensure that our subsidiaries and affiliates and those who process data on our behalf enter into the standard contractual clauses approved by the European Commission, to safeguard the personal information which is transferred to and from the EEA and beyond.
As some of our servers are located in the USA, transfer of some of our data outside the EEA is necessary to enable us to operate the Site. To the extent that any personal information is provided to third parties outside the EEA, or who will access the information from outside the EEA, we take steps to ensure that approved safeguards are in place, such as the approved standard contractual clauses or the EU-US Privacy Shield (see our Privacy Shield statement above).
Trusted Third Parties
We will only share your personal information with trusted third parties where we have retained them to provide services that you have requested or for our legitimate business purposes, such as IT or professional support services.
The Legal Basis for Processing your Personal Information
Sovos’ website
The Sovos website gathers and processes your personal data only if you actively give it to us. Under the GDPR, the legal basis for processing your personal information is Consent or “legitimate interest”, which can mean you have asked us to provide a service (such as a newsletter) or to contact you using the details you have submitted.
To withdraw your consent, please use the unsubscribe link at the bottom of a newsletter or contact privacy@sovos.com.
Data Provided to Sovos by its customers to fulfill Sovos’ contractual obligation
Under our customer contracts, Sovos gathers and processes customers’ customers’ personal data only if provided to Sovos in order to fulfill its contractual obligations. Under the GDPR, the legal basis for processing your customers’ personal information is contractual obligation.
How Long We Will Hold Your Information
We will retain your personal information only for the time necessary to provide the Services we perform for you, or as stated by the purposes outlined in this Privacy Policy. In particular, we will store certain categories of your personal information for the following periods of time:
| Category of Personal Data | Storage Time Period |
| --- | --- |
| Contact details for sales enquiries | 2 years after last contact |
| Email address for newsletter | Until you unsubscribe |
| Job applications & CVs Outside EU | Indefinitely |
| Job applications & CVs – EU Citizens | 1 year (or until consent withdrawn, whichever is earlier) |
Complaints from European Individuals
If you are unhappy about our use of your personal information, you can contact us using the contact details below. You are also entitled to lodge a complaint with the UK Information Commissioner’s Office using any of the below contact methods:
Telephone: 0303 123 1111
Website: https://ico.org.uk/concerns/
Post: Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
You may prefer to, and are entitled to, lodge a complaint with a different supervisory authority in a country of your choice. A list of Supervisory Authorities is available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
Privacy Notice for California Residents
Data Protection for California Consumers under the California Consumer Privacy Act
If you are a visitor, user, or other individual who resides in the State of California (“consumer”), you have the right to: (a) request that Sovos disclose what personal information it collects, uses, discloses and sells about you, (b) request deletion of the personal information you have provided to Sovos, and (c) be free from discrimination by Sovos as a result of you exercising your rights under the California Consumer Privacy Act of 2018 (“CCPA”).
We note that the CCPA temporarily exempts personal information reflecting a written or verbal business-to-business communication from some of its requirements, such that the rights to access and delete your personal information do not apply with respect to such information.
In addition, under the CCPA, none of the rights set forth in this Notice apply to, and “personal information” does not include, certain categories of information, such as (i) publicly available information from government records, (ii) deidentified or aggregated consumer information, (iii) health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data, and (iv) information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
If you wish to exercise any of these rights, you must submit a Verifiable Consumer Request, which can be submitted here, or by emailing privacy@sovos.com. The procedures Sovos uses to evaluate your request can be found here. Furthermore, in accordance with the CCPA, you can designate a third party agent to exercise your CCPA rights on your behalf by following the procedures that can be found here.
Categories of Personal Information We Collect
Sovos has collected the following types of personal information about consumers in the preceding 12 months:
| Categories | Examples | Collected |
| --- | --- | --- |
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. | YES |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES |
| G. Geolocation data. | Physical location or movements. | NO |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | NO |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | YES |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | YES |
| K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO |
Sources of Personal Information Collected
Sovos obtains the categories of personal information listed above from the following categories of sources: (a) directly from you, for example, if you contact us via our website; (b) indirectly from you, for example, via Internet cookies; and (c) from customers.
Disclosures for a Business or Commercial Purpose
In the preceding 12 months, Sovos has disclosed the following types of personal information to its service providers and affiliates for business purposes: A. Identifiers; B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)); C. Protected classification characteristics under California or federal law; D. Commercial information; F. Internet or other similar network activity; I. Professional or employment-related information; and J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
California Consumers’ Right to Know
If you are a consumer, you have the right to request the following information regarding Sovos’ practices regarding your personal information: (a) the categories of personal information we have collected about you; (b) the categories of sources from which the personal information about you was collected; (c) the business or commercial purpose for which we collect or sell your personal information; (d) the categories of third parties with whom we share your personal information; (e) the specific pieces of personal information we have collected about you; (f) the categories of personal information that we sold about you, and categories of third parties to whom the information was sold; and (g) the categories of personal information that we disclosed about you for a business or commercial purpose.
California Consumers’ Right to Request Deletion
If you are a consumer, you have the right to request that Sovos delete the personal information that Sovos has collected about you that you provided to Sovos. Please note that in certain instances we may not be able to process your request, such as (i) due to the existence of a legal obligation, (ii) to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities, or (iii) in order to complete a transaction for which your personal information was collected.
California Consumers’ Right to Opt Out
Sovos has not sold the personal information of any California consumer to third parties in the preceding 12 months. Sovos does not sell the personal information of minors under 16 years of age without affirmative authorization.
Further Information on Data Protection and Personal Privacy
If you have any enquiries or if you would like to contact us about our processing of your personal information, including to exercise your rights as outlined above, please contact us by one of the methods listed below. When you contact us, we will ask you to verify your –
Sovos Compliance, LLC
Attn: Office of Information Security
200 Ballardvale Street
Building 1, 4th Floor
Wilmington, MA 01887
privacy@sovos.com