Privacy Policy

Effective date: June 20th, 2024

Introduction

This Privacy Policy provides information on the processing of personal information by any affiliate of Sovos Compliance (“Sovos”, “we”, “our”, “us”) in connection with business contacts, visitors on webpages and customer data. Your privacy and integrity is important to us, and we are committed to provide you with clear and transparent information about the personal data we collect, why it is needed, how it is used and the rights you have on your data.

A Sovos Compliance Affiliate is responsible for processing your personal data described in this Privacy Policy. You can see the list of Sovos’ Affiliates and select a region and country to view the registered address and contact details of the applicable responsible Sovos affiliate.

Sovos also processes personal data on behalf of and in accordance with the instructions of our customers, as a Processor. Our processing of personal data on behalf of our customers is governed by a Data Processing Addendum for Sovos Software and Services. This Privacy Policy does not cover our processing activities as a processor.

What personal data do we process?

The type of personal data Sovos processes about you may be:

  • Names, addresses, phones numbers, job titles, places of work, business and personal emails
  • Information provided through job applications.
  • Information submitted as part of a support request, survey.
  • Demographic attributes, when tied to personal data that identifies you.
  • When interacting with our websites, we may collect your IP address, geographic location; behavioral data of the internet connected computer or device you use, such as advertisements clicked or viewed, sites and content areas.
  • Transactional data, including products and services ordered, financial details and payment methods.

Sovos does not control the content that you may post online identifying Sovos on forums or social networks or Sovos social networks which in some cases may be publicly available on the Internet.

For the purposes mentioned in the section “how and why we use your personal data”, Sovos does not process sensitive personal data about you.

How and why do we process your personal data?

To manage business relationship with customers, suppliers, and partners

We use your personal data when you are a customer, or as a representative from a customer, supplier and partner to manage our business relationship with the company or organization that you represent. This includes contact information e.g. name, phone number, email as well as order or payment data when you contract products directly from our sites.  We will process your personal data necessary for fulfilment of a contract with you  on the basis of our legitimate interest as a business.

To provide good customer service and Support Services

We use personal data to provide support services such as respond to your questions when you contact our support, when you file a complaint or when we provide customer service. This includes your contact information, the interaction log with us, and user generated content such as your chat transcript or email. The processing of your personal data to provide you with good customer service is based on our legitimate interest as a business. We may also need to process your data to fulfil our support obligations under a contract. If your call is being recorded, we will ask for your consent.

To enable functionality on our websites

We use cookies and similar technologies to enable functionality on our websites which are necessary for it to function, including remembering your settings and preferences if you allow it. Learn more the categories of cookies and storage period about this here.

To manage the security of our websites

We may collect site use data, e.g. user credentials log data, for security and operations management, relying on our legitimate as a business to help keep our sites and systems secure, or to investigate and prevent potential fraud, cyber-attacks and to detect bots.

To comply with applicable laws and regulations

In some cases, we may need to process your personal data to manage, defend and exercise legal claims and rights, for example in connection with a dispute or court proceedings or to respond to a request from a regulator. In this case we will process the relevant categories of personal data necessary to satisfy our legitimate interest of managing, defending, and exercising legal claims and rights.

To market Sovos Services and Products

Sovos may use your personal data to be able to generate and distribute marketing materials, such as newsletters and recommendations, through multiple communication channels. Sovos may process your contact information (e.g. name, phone number, email address), your IP address, your geographical region, as well as user-generated data (for example, click and browsing history). It is our assessment that we have a legitimate interest as a business in communicating with you, especially because we provide you with all means to unsubscribe or opt out at any time from our communications for this purpose.

You can unsubscribe from our communications at any time by clicking on the unsubscribe link in the communication or by contacting us.

To track your interactions in digital channels

Sovos may collect and use personal data derived from your interactions with our websites, social media, webinars, and marketing campaigns, e.g. when accepting cookies or similar technologies or by filling out a form on our website or webinar we may collect online identifiers such as IP, Mac address or similar, geographical region and user behavior like clicks, page visits and time spent on watching webinars, based on your consent, to analyze and understand how individuals interact with us and our content. These insights are used to improve our marketing efforts, target the right audience, and provide you with more personalized content in our communications with you.

Recruiting

Sovos processes your information to manage recruitment processes and process job applications as well as to evaluate submitted documentation, conduct interviews, and call references or conduct background checks in accordance with local laws and regulations and contacting you about future opportunities.

Our processing of your personal data as a candidate and job applicant, such as your contact details, information collected through Careers such as your CV, education record, job position, role interests, is based on our legitimate interest as a business as well as to facilitate our recruitment process, to facilitate and manage in-person and online meetings and assessments, to process data such as your compensation, details of your reference providers and the results of a candidate assessment with a third party provider if we have asked you to complete one during the recruitment process.

When making a hiring decision for current or future employment, we will process your personal data as part of our evaluation of your application based on legal obligations, pre contractual and contractual steps, and based on our legitimate interest in keeping records of our decision-making process.

If you are not appointed to a role, we would like to add your details to our internal talent and candidate pool so that we can contact you for future opportunities where you may be a match, and to inform you of recruitment events and news, unless you prefer not to do so.

Any processing of your sensitive personal data in connection with your job application will be based on your explicit consent, as required and applicable by law.

Please note that you can at any time withdraw your consent at any time, although this may affect our ability to consider you for employment at Sovos.

How is personal data collected?

Sovos collects most of your data directly from the Sovos customer you work for or from you directly when you interact with our sites or provide your personal data to us.

Some purchases of Sovos products or services are done via a Sovos partner company, in those cases we may collect information about you from the partner company.

In some cases, we may collect information about you from other sources. These sources may be referral partners, Sovos´ marketing partners, public sources, or social networks.

How long do we keep your personal data?

The data you provide to us will be securely stored only as long as it is required to perform our contractual obligations. When we process your personal data based on other legal basis, such as legitimate interest, data is stored as long as necessary to fulfil the purpose for which they were provided or to comply with statutory provisions. Regarding data processing based on consent, we will retain your personal data for as long as consent is not withdrawn.

We will securely delete your personal data promptly after the purposes described above cease to apply in accordance with the prevailing market practice for such destruction.

Disclosure of personal data

Sovos Group

The Sovos group consists of many different subsidiaries, and it is important for us that we provide the best possible overall experience for you. In order to maintain this overview and insight, Sovos may share your personal data across companies in the Sovos Group.

Third parties

We may disclose personal information to third parties, including independent contractors or subcontractors (such as consultants who are engaged by Sovos), agents (recruitment agents) and service providers (such as legal and consultancy providers) who need to process your information in the course of providing services for Sovos or on behalf of Sovos for the purposes specified in this policy.

Sovos also uses service providers that perform business functions on our behalf, such as third-party IT service and software providers, to host, store, and process data. When using these processors, Sovos will enter into a data processing agreement to safeguard your privacy, and we will make sure that the information is only transferred where reasonably necessary to enable us to fulfil the purposes set out in this Policy. If our processors are located outside of the EU/EEA, Sovos will ensure legal grounds for such international transfers on your behalf, for example by using the EU Model Clauses.

Business Partners

Sovos may share your data with our partners in the event this is legitimate from a business point of view and aligned with applicable privacy legislation.

Public Authorities

Sovos may disclose your personal information: (a) as required or permitted by, or to comply with, applicable law, regulation, court or tribunal processes or other statutory requirements;  (b) to respond to requests from or disclosures required by any court, tribunal, authority, regulator or  supervisory or governmental body or (c) to comply with Know Your customer and anti-money laundering requirements and references, background and other similar checks on or conducted by Sovos.

International Data Transfers

Like many global organizations, Sovos interacts with other parties globally and use global IT systems. For example, certain third-party IT systems used by us host, store and process data in and outside of the European Economic Area (EEA)Sovos may transfer your personal data from EEA, United Kingdom (UK) and Switzerland to other countries, some of which have not yet been determined by European Commission to have an adequate level of data protection. When we engage in such transfers, we use a variety of legal mechanisms, including contracts such as approved Standard Contractual Clauses and necessary supplementary measures, which includes technical, contractual and organizational measures that are necessary to guarantee the equivalent level of protection of your data.

Sovos participates in the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework. Click here to learn more.

Third party websites

Our websites may contain links to third party websites. Navigating through these links will redirect you away from our websites. Please note that this privacy policy is not applicable to third party websites, your use of such websites it at your own risk, we encourage you to review the applicable privacy polices of other sites you visit.

What are your privacy rights?

  • Accessing your Information: right to know if and what information we hold about you.
  • Verifying your information: you can always ask for update and/or correct your information if you find that we are processing inaccurate information about you.
  • Ask for deletion of your personal data: upon your request and if we are not obliged to keep your data for legal purposes, we will remove it.
  • Objecting to the processing of personal data: if we process your personal data based on our legitimate interests, e.g. direct marketing emails you can object against it. We will consider your request and, if there are no legal grounds to refuse it (e.g., public interest), stop the processing for such purposes.
  • Withdraw your consent: You have the right to withdraw your consent at any time if you previously gave the consent to the processing.
  • Restricting the processing of personal data:  If you challenge the accuracy of your personal data, suspect unlawful processing, you have the right to temporarily stop the processing of your personal data to verify its consistency. During this period, we will only process the personal data for legal compliance purposes until the circumstances of restriction cease to exist.
  • Ask for having your personal data transferred to another organization: upon your request we can transfer your personal data to a third party, in certain circumstances, such as where our processing of it was based on a consent.

Use of cookies and similar technologies

Cookies and similar technologies are used by Sovos, and our advertising technology partners to recognize your and/or your device(s) for the purposes specified in Section “How and why do we process your personal data.

Cookies are small text files that contain a string of characters and uniquely identify a browser on a device connected to the Internet. Depending on your jurisdiction, you may be presented with different consent options, including the option to reject all non-essential cookies, prior to Sovos placing cookies on your browser.

Visitors from all jurisdictions are provided with functionality to opt out of non-required cookies setting your preferences by clicking on “Cookies settings” link accessible via a banner pop up when you visit our websites.

If you do not want to receive cookies, you can also change your browser settings on your device that you are using to access our websites.

Data Security

We have taken technical and organizational measures to protect your data from loss, alteration, or unauthorized access. We continuously improve these security measures in line with technological development and industry standards.

Your questions

If you have any complaints regarding our compliance with this Privacy Policy, please contact us at privacy@sovos.com

We will thoroughly investigate and endeavor to resolve any complaints or disputes regarding processing of personal data in accordance with this Privacy Policy and applicable law.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your country. A list of the data protection authorities here.

Additional information for California Residents

This additional information serves as a notice under California Privacy Rights Act, required by California Consumer Privacy Act (together “CCPA”) to consumers residing in California:

Purpose

To support your relationship with Sovos, or your use of our services and products, we may have collected and disclosed information within the past 12 months for the following types of business and commercial purposes: please refer to:  How and why do we use your personal data?

Categories

We may have collected and disclosed the following types of information for business and commercial purposes: please refer to Which categories of personal data do we process?

We keep your personal information for as long as it is required in order to fulfill the relevant purposes described in the Privacy Policy, as permitted or may be required by law.

Sources and disclosures

We may collect Personal Information directly from you, automatically from your interactions with Sovos or from your employer and we may disclose information about you with our subsidiaries, suppliers and when appropriate, with selected partners to help us provide you, or the company you work for, with products or services, or to fulfill your requests.

We do not use or disclose sensitive personal information for any purpose not expressly permitted by the California Privacy Rights Act.

For more information, please refer to: How is personal data collected? And Disclosure of personal data

Sale and Share 

Sovos does not sell personal data to third parties in exchange for money. However, in CCPA, a sale is defined to include disclosures of personal data to a third party for monetary or valuable consideration, which means the use of third-party cookies on our website may qualify as a sale under CCPA.

Therefore, you provide you with the means to opt-out of such sale:

  • You can choose the option “reject all” in our cookie banner and consequently there is no sale of your personal information.
  • If you have accepted cookies and you want to opt out from the sale or share of your personal information, our cookie banner allows you to manage your preferences and opt out from the sale or share at any time.

Rights

As a California resident, you have the right to:

  • Know your Personal Information: you can request specifics about personal information we hold about you by submitting a request to privacy@sovos.com
  • Request deletion or rectify your personal information: You can request the deletion of or seek to rectify (correct, update or modify) the Personal Information that we hold about you.
  • Opt-out of Sale or Sharing of your Personal Information. To opt out of the use of cookie data for the purposes of targeted advertising, please select our cookie manager and set out your cookies preferences to reflect your decision.
  • Limit the Use or Disclosure of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes that would require us to offer consumers the right to limit such use under the CCPA.
  • Non-discrimination: if you choose to exercise any of the above rights, Sovos will not deny goods or services to you or provide different quality of services.

If you wish to exercise  your rights, please contact us at privacy@sovos.com and please note that the rights provided for herein are subject to limitations which you can learn more about it here.

Children’s Privacy

We do not knowingly collect or solicit personal information from anyone under the age of 13. If you under 13, please do not attempt to register for our services or products or send any persona information about yourself to Sovos.

EU-US and Swiss -US Data Privacy Framework

Sovos complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

Sovos has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Sovos has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit here.

If you have any inquiries or complaints about our handling of your personal information under the Data Privacy Framework, or about our privacy practices generally, please see our section “Your questions”, we will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of personal data within 45 days of receiving your complaint.

Sovos has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit here for ore information and to file a complaint (free of charge)

Complaints related to human resources data should not be addressed to the Data Privacy Framework Services, operated by BBB National Programs.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms.  For information visit DPF here.

Sovos will cooperate with the United States Federal Trade Commissions and any data protection authorities of the EU Member States (“DPAs”) and/or the Swiss Federal Data Protection and Information Commissioner’s Office (“ICO”) in the investigation and resolution of complaints that cannot be resolved between Sovos and the complainant that are brought to a relevant DPA.

As explained here we sometimes provide personal information to third parties to perform services on our behalf. If Sovos transfers personal information received under the Data Privacy Framework to a third party, except for disclosures to government agencies, the third party’s access, use and disclosure of the personal information must also be in compliance with our Data Privacy Framework obligations and Sovos will remain liable under the Data Privacy Framework, unless Sovos proves that it is not responsible for the event giving rise to the damage. We may be required to disclose personal information that we handle under the Data Privacy Framework in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

A list of these third parties is available upon request by contacting us at privacy@sovos.com

You can review our Data Privacy Framework registration here. The Federal Trade Commission (FTC) has jurisdiction over Sovos’ compliance with the Data Privacy Framework and Sovos US entities adhering to the EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and Swiss-U.S DPF are: 1099 Pro LLC, Convey Compliance Systems, LLC, Invoiceware Brazil, LLC, New Dawn Ventures LLC, Six88 Solutions, Inc., TINCheck LLC, Aatrix Software, LLC.