Effective date: May 8th, 2023
Data Privacy Framework Statement
The Federal Trade Commission (FTC) has jurisdiction over Sovos’ compliance with the Data Privacy Framework.
Sovos US entities adhering to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and Swiss-U.S. DPF (“Other Covered Entities”): 1099 Pro LLC, ACA Comply LLC, Booke Seminars LLC, Convey Compliance Systems LLC, Eagle Technology Management Inc., Imaging Science and Services Inc., Invoiceware Brazil LLC, Invoiceware Finance LLC, Invoiceware International LLC, Lemberger & Taubman Inc., New Dawn Ventures LLC, Six88 Solutions Inc., Sovos Keystone LLC, TINCheck LLC.
“Personal Information” or “Information” means information that (1) is recorded in any form; (2) is about, or pertains to a specific individual; and (3) can be linked to that individual; (4) can directly or indirectly identify an individual.
“Sensitive Personal Information” means personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health. Sovos’ services do not include the collection of Sensitive Personal Information.
Sovos collects data from the general public via the Sovos web site. This data may include information volunteered by an individual who wants to obtain more information about Sovos’ services or data which indicates who accessed Sovos’ web site and which pages they accessed. The latter type of data may or may not include Personal Information. This data is used for Sovos’ marketing and sales purposes and is not passed to third parties for any purpose other than assisting Sovos in its marketing and sales efforts. Sovos does not sell this data to third parties. Third parties who do receive this type of data are obligated to use the data only for the contracted purpose and to maintain the confidentiality of the data.
Sovos performs its tax determination, remittance, and reporting functions without retaining the personally identifiable information of consumers. Personally identifiable information is only used and retained to the extent necessary for the administration of the services with respect to exempt purchasers. Generally, Sovos does not obtain personally identifiable information directly from consumers. We primarily receive personally identifiable information as a result of consumers’ financial transactions with sellers. However, in the event Sovos collects information directly from consumers, we will obtain the personal information that is needed to provide our goods or services, to provide customer service and to fulfill any legal or regulatory requirements.
Data collected from customers related to Sovos’ services: Sovos’ customers provide Sovos with Personal Information necessary for Sovos or its customers to make required tax, compliance and/or business-to-government reporting disclosures to taxing authorities. This may include social security numbers and the name and address of an individual, and will include information about payments Sovos’ customer has made to the individual. Sovos may also collect data about individuals from government-run or sponsored web sites, such as sites designed to verify that social security numbers are accurate. This data is used solely for the provision of Sovos’ services to its customers and is not used for any other purpose.
Individuals who have provided information to Sovos via its web site may contact Sovos to have their names and information removed from Sovos’ marketing and sales databases by contacting us at email@example.com. Sovos complies with applicable law that requires all marketing emails to include the means to opt out of such email.
Individuals whose Personal Information is collected from Sovos’ customers can opt out of Sovos’ use of their information by contacting the Sovos customer who provided the information.
Sovos does not currently collect Sensitive Personal Information. In the event that Sovos does receive Sensitive Personal Information, Sovos shall treat Sensitive Personal Information received from an individual the same as the individual would treat and identify it as Sensitive Personal Information.
As you browse Sovos.com, advertising cookies will be placed on your computer so that we can understand what you are interested in. Our display advertising partner, Google AdWords, then enables us to present you with retargeting advertising on other sites based on your previous interaction with Sovos.com.
The techniques our partners employ do not collect personal information such as your name, email address, postal address or telephone number. You can visit this page to opt out of AdWords and their partners’ targeted advertising.
Data collected from the public via the Sovos website may be transferred to:
These third parties all either: (a) have subscribed to the Data Privacy Framework Principles, (b) adopted the Model Clauses, or (c) have a contractual obligation to Sovos which prohibits them from making any use of the data beyond what is required to fulfill their obligations to Sovos. A list of these third parties is available upon request by contacting us at firstname.lastname@example.org.
Data collected from customers related to Sovos’ services may be transferred to:
A list of these third parties is available upon request by contacting us at email@example.com.
Sovos provides government agencies only with data required to fulfill tax reporting requirements of Sovos and its customers. Sovos’ data hosting services providers have a contractual obligation to Sovos which prohibits them from making any use of the data beyond what is required to fulfill their obligations to Sovos.
Except for disclosures to government agencies, Sovos shall ensure that any third party to which Personal Information may be disclosed subscribes to the Principles, is subject to law providing the same level of privacy protection as is required by this Policy and DPF Principles, or agrees in writing to provide an adequate level of privacy protection.
In certain rare instances, law enforcement officials or a court may issue a subpoena that obligates Sovos to disclose those of its records relevant to an investigation. When that happens, Sovos makes sure that the disclosure of records is as narrow as possible. When the subpoena permits such notice, Sovos will notify the impacted individual of the subpoena and impending disclosure.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Sovos’ accountability for personal data that it receives in the United States under the EU-U.S. DPF and Swiss-U.S. DPF and subsequently transfers to a third party is described in the DPF Principles. In particular, Sovos remains responsible and liable under the DPF Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the DPF Principles, unless Sovos proves that it is not responsible for the event giving rise to the damage.
Sovos shall take reasonable steps to protect the Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Sovos has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Although information sent to and from Sovos is secured according to industry best practices, Sovos cannot guarantee the security of Information on or transmitted via the Internet.
Sovos shall only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Sovos shall take reasonable steps to ensure that Personal Information is accurate, complete, current and reliable for its intended use.
Sovos shall allow an individual access to their Personal Information and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. Where the information the individual seeks to edit was provided by a Sovos customer, Sovos will need to contact the customer and will only change the information after the customer has verified that the original information was inaccurate. Access can be initiated via email to firstname.lastname@example.org.
Sovos Compliance, LLC
Attn: Office of Information Security
200 Ballardvale Street
Building 1, 4th Floor
Wilmington, MA 01887
or by email to: email@example.com
We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of personal data within 45 days of receiving your complaint.
Sovos has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
Complaints related to human resources data should not be addressed to the Data Privacy Framework Services, operated by BBB National Programs.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. For information visit DPF here.
Sovos will cooperate with the United States Federal Trade Commission and any data protection authorities of the EU Member States (“DPAs”) and/or the Swiss Federal Data Protection and Information Commissioner’s Office (“ICO”) in the investigation and resolution of complaints that cannot be resolved between Sovos and the complainant that are brought to a relevant DPA.
Data Protection for Individuals in the European Union (EU)
In addition to the above information, as Sovos is a global business we may collect data from citizens within the EU.
Transfer of Information Outside the EEA
Under the General Data Protection Regulation, we are required to tell you if we transfer or intend to transfer information which we hold on you to countries outside the European Economic Area (“EEA”).
Except as prohibited by law, the information that you provide us with may be stored on Sovos servers outside of Europe and other Sovos companies or business partners may process this information on Sovos’ behalf, but always under strict conditions of confidentiality. Sovos will keep this information to enable it to properly and effectively administer and monitor the customer relationship it has with you. We transfer such information outside the EEA only if:
In either case, a list of companies we may utilize outside the EEA is available upon request by contacting us at firstname.lastname@example.org.
We apply equal rigour to the security of data held and processed by us or on our behalf outside of the EEA. We have taken steps to ensure that our subsidiaries and affiliates and those who process data on our behalf enter into the standard contractual clauses approved by the European Commission, to safeguard the personal information which is transferred to and from the EEA and beyond.
As some of our servers are located in the USA, transfer of some of our data outside the EEA is necessary to enable us to operate the Site. To the extent that any personal information is provided to third parties outside the EEA, or who will access the information from outside the EEA, we take steps to ensure that approved safeguards are in place, such as the approved standard contractual clauses or the EU-U.S. and Swiss-U.S. DPF (see our Data Privacy Framework statement above).
Trusted Third Parties
We will only share your personal information with trusted third parties where we have retained them to provide services that you have requested or for our legitimate business purposes, such as IT or professional support services.
The Legal Basis for Processing your Personal Information
The Sovos website gathers and processes your personal data only if you actively give it to us. Under the GDPR, the legal basis for processing your personal information is Consent, respectively “legitimate interest”, which can mean you have asked us to provide a service (such as a newsletter) or to contact you using the details you have submitted.
To withdraw your consent, please use the unsubscribe link at the bottom of a newsletter or contact email@example.com.
Data Provided to Sovos by its customers to fulfill Sovos’ contractual obligation
Under our customer contracts, Sovos gathers and processes customers’ customers’ personal data only if provided to Sovos in order to fulfill its contractual obligations. Under the GDPR, the legal basis for processing your customers’ personal information is contractual obligation.
How Long We Will Hold Your Information
| Category of Personal Data | Storage Time Period |
| Contact details for sales enquiries | 2 years after last contact |
| Email address for newsletter | Until you unsubscribe |
| Job applications & CVs Outside EU | Indefinitely |
| Job applications & CVs – EU Citizens | 1 year (or until consent withdrawn, whichever is earlier) |
Complaints from European Individuals
If you are unhappy about our use of your personal information, you can contact us using the contact details below. You are also entitled to lodge a complaint with the UK Information Commissioner’s Office using any of the below contact methods:
Telephone: 0303 123 1111
Post: Information Commissioner’s Office
You may prefer to, and are entitled to, lodge a complaint with a different supervisory authority in a country of your choice. A list of Supervisory Authorities is available here.
Privacy Notice for California Residents
Data Protection for California Consumers under the California Consumer Privacy Act
If you are a visitor, user, or other individual who resides in the State of California (“consumer”), you have the right to: (a) request that Sovos disclose what personal information it collects, uses, discloses and sells about you, (b) request deletion of the personal information you have provided to Sovos, and (c) be free from discrimination by Sovos as a result of you exercising your rights under the California Consumer Privacy Act of 2018 (“CCPA”).
We note that the CCPA temporarily exempts personal information reflecting a written or verbal business-to-business communication from some of its requirements, such that the rights to access and delete your personal information do not apply with respect to such information.
In addition, under the CCPA, none of the rights set forth in this Notice apply to, and “personal information” does not include, certain categories of information, such as (i) publicly available information from government records, (ii) deidentified or aggregated consumer information, (iii) health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data, and (iv) information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
If you wish to exercise any of these rights, you must submit a Verifiable Consumer Request, which can be submitted here, or by emailing firstname.lastname@example.org. The procedures Sovos uses to evaluate your request can be found here. Furthermore, in accordance with the CCPA, you can designate a third party agent to exercise your CCPA rights on your behalf by following the procedures that can be found here.
Categories of Personal Information We Collect
Sovos has collected the following types of personal information about consumers in the preceding 12 months:
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. | YES |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES |
| G. Geolocation data. | Physical location or movements. | NO |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | NO |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | YES |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | YES |
| K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO |
Sources of Personal Information Collected
Sovos obtains the categories of personal information listed above from the following categories of sources: (a) directly from you, for example, if you contact us via our website; (b) indirectly from you, for example, via Internet cookies; and (c) from customers.
Disclosures for a Business or Commercial Purpose
In the preceding 12 months, Sovos has disclosed the following types of personal information to its service providers and affiliates for business purposes: A. Identifiers; B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)); C. Protected classification characteristics under California or federal law; D. Commercial information; F. Internet or other similar network activity; I. Professional or employment-related information; and J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
California Consumers’ Right to Know
If you are a consumer, you have the right to request the following information regarding Sovos’ practices regarding your personal information: (a) the categories of personal information we have collected about you; (b) the categories of sources from which the personal information about you was collected; (c) the business or commercial purpose for which we collect or sell your personal information; (d) the categories of third parties with whom we share your personal information; (e) the specific pieces of personal information we have collected about you; (f) the categories of personal information that we sold about you, and categories of third parties to whom the information was sold; and (g) the categories of personal information that we disclosed about you for a business or commercial purpose.
California Consumers’ Right to Request Deletion
If you are a consumer, you have the right to request that Sovos delete the personal information that Sovos has collected about you that you provided to Sovos. Please note that in certain instances we may not be able to process your request, such as (i) due to the existence of a legal obligation, (ii) to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities, or (iii) in order to complete a transaction for which your personal information was collected.
California Consumers’ Right to Opt Out
Sovos has not sold the personal information of any California consumer to third parties in the preceding 12 months. Sovos does not sell the personal information of minors under 16 years of age without affirmative authorization.
Further Information on Data Protection and Personal Privacy
If you have any enquiries or if you would like to contact us about our processing of your personal information, including to exercise your rights as outlined above, please contact us by one of the methods listed below. When you contact us, we will ask you to verify your identity –
Sovos Compliance, LLC
Attn: Office of Information Security
200 Ballardvale Street
Building 1, 4th Floor
Wilmington, MA 01887