Privacy Policy

Introduction

Please read this privacy policy carefully to understand Sovos’ policies and practices regarding your personal data and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you agree to this privacy policy.

Sovos is committed to protecting personal data. This privacy policy outlines our general policy and practices for implementing personal data protection / data privacy, including the types of personal data we gather, how we use it, and the notice and choice affected individuals have regarding Sovos’ use of, and their ability to correct, that information. This privacy policy applies to all personal data received by Sovos in whatever format it is held, whether electronic, paper or verbal. Sovos uses appropriate physical, management and technical measures to protect your personal data from unauthorized access, disclosure, use, modification, damage or loss. We also provide training on security and data protection to our employees to raise their awareness.

This privacy policy applies to Sovos Compliance, LLC and its subsidiaries.


Definitions

“Personal Data” is any information which relates to an identified individual, or a person who can be identified directly or indirectly from that data.

“Sensitive Personal Data” means any personal data that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health, biometric or genetic data. Sovos’ services do not require the collection of Sensitive Personal Data.


Collection of Personal Data / Fair and Lawful Processing

Sovos collects personal data from you via the Sovos web site including navigational information, browsing data and how many visits are made. This data is used for Sovos’ internal analysis of trends, marketing and sales purposes and to administer our web sites and is not passed to third parties for any other purpose. Sovos does not sell this data to third parties.

Sovos performs tax determination, remittance, and reporting functions. Personal data provided by our customers requesting these functions is only used and retained to the extent necessary for the administration of the services and not processed further for other purposes.

Sovos primarily receives personal data as a result of consumers’ financial transactions with Sovos business customers. However, in the event Sovos collects personal data directly from individual consumers, we will only obtain the personal data that is necessary to provide our goods or services and to fulfill any legal, contractual, or regulatory requirements.


Data Minimization

Sovos’ customers are requested to provide Sovos with the minimal personal data necessary for Sovos or its customers to make their required tax, compliance and/or business-to-government reporting disclosures to the relevant taxing authorities. This may include social security numbers and the name and address of an individual, including information about payments the Sovos customer has made to the individual. Sovos may also collect personal data about individuals from government-run or sponsored web sites, in order to verify accuracy of social security numbers etc. This personal data is used solely for the provision of Sovos’ services to its customers and is not used for any other purpose.


Choice / Purpose Limitation / Legitimate Use

Individuals who have provided their personal data to Sovos directly via the web site or other means may contact Sovos to have their names and personal data amended or removed from Sovos’ marketing and sales databases, or unsubscribe from our newsletter by contacting us at [email protected] to opt-out of receiving marketing emails at any time.

Individuals whose personal data is provided by Sovos’ customers can also opt out of Sovos’ use of their personal data by contacting the Sovos customer who has provided the data to us.

Where customers have asked us to perform services for them, it will be necessary for Sovos to process that personal data as part of our contractual obligations and/or legitimate interest use. Sovos will hold the personal data to enable it to properly and effectively administer, monitor and improve the services provided and the customer relationship it has with you.


Use of Cookies

As you browse Sovos.com, a feature known as a “cookie” will be placed on your computer so that we can understand what you are interested in. This assigns a unique identification to your computer. We use this to track your selections in order to optimise your experience on our web site. Our display advertising partner, Google AdWords, enables us to present you with retargeting advertising on other sites based on your previous interaction with Sovos.com.

The techniques our partners use do not collect personal data such as your name, email address, postal address or telephone number. You can visit this page to opt out of AdWords and their partners’ targeted advertising.


Data Protection in the European Union (EU)

As a global business Sovos may collect personal data from individuals within the EU, or European Economic Area (EEA). Sovos complies with the EU General Data Protection Regulation 2016/679 (“GDPR”) and relevant national laws in the EEA and approved countries which implement GDPR such as the UK Data Protection Act 2018.


Data Protection in the US - Privacy Shield (or its replacement)

Sovos complies with the EU-U.S. Privacy Shield Framework Principles (and its replacement) and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries (and Iceland, Liechtenstein, and Norway) and Switzerland transferred to the United States pursuant to Privacy Shield. Sovos has certified that it adheres to the Privacy Shield Principles with respect to such data and has in addition adopted the EU standard model form contract clauses (SCCs). To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

The Federal Trade Commission (FTC) has jurisdiction over Sovos’ compliance with respect to the Privacy Shield.


Onward Transfers

Sovos has certified that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. We are subject to the investigatory and enforcement powers of the Federal Trade Commission. To learn more about the Privacy Shield Principles, and to view our certification, please visit https://www.privacyshield.gov.

Data collected from the public via the Sovos web site may be transferred to:

• Sovos’ Customer Resource Management (“CRM”) provider

• Third parties which assist Sovos in sales and marketing

• Sovos’ data hosting services providers

• Sovos’ printing partners


All third parties to whom Sovos may disclose personal data (excepting government agencies) either: (a) have subscribed to the Privacy Shield Principles, (b) have adopted the EU Standard Model Clauses, or (c) have a contractual obligation to Sovos which prohibits them from making any use of the data beyond what is required to fulfill their contractual obligations to Sovos. A list of these third parties is available upon request by contacting us at [email protected]

Data collected from customers related to Sovos’ services may be transferred to:

• Government agencies: Sovos may transfer tax-reporting related data to government agencies

• Sovos’ data hosting services providers

• Applicable member states of the Streamlined Sales Tax Initiative

• Sovos’ print services providers


A list of these third parties is available upon request by contacting us at [email protected]

Note: Sovos does not decide what government agencies will do with the data. Sovos provides government agencies only with such data as is required to fulfill tax reporting requirements of Sovos and its customers.

In certain situations, Sovos may be required to disclose personal data it holds in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, or a court subpoena / order. In this event, Sovos will try to ensure that the disclosure is minimised and will notify (where legally permitted) the individual or customer in advance.




Accountability

Sovos is accountable for the personal data that it receives and subsequently transfers to a third party. In particular, Sovos remains responsible and liable for the third-party agents / sub-contractors that it engages to process the personal data on its behalf.




Data Security and Confidentiality

Sovos has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the personal data from loss, misuse, unauthorized access or disclosure, alteration or destruction. Although personal data sent to and from Sovos is secured according to industry best practices, Sovos cannot guarantee the security of any information on or transmitted via the internet.




Data Integrity

Sovos shall only process personal data in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Sovos shall take reasonable steps to ensure that all personal data is accurate, complete, current and reliable for its intended use.




Access / Data Accuracy

Sovos shall allow an individual access to their personal data and allow the data subject / individual to correct, amend or delete inaccurate information, except where there is an overriding legitimate interest (such as a legal obligation), or the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. Where the data the individual seeks to edit was provided by a Sovos business customer, Sovos will need to contact the customer and will only change the information after the customer has verified that the original information was inaccurate. Access can be initiated via email to [email protected]




Data Portability

You have a right to receive any personal data that we hold about you in a structured, commonly used and machine-readable format; and can ask us to transmit that data to you, or directly to a third party organisation. This right only exists in respect of personal data that: (a) you have provided to us previously; and (b) is processed by us using automated means. While Sovos are happy for such requests to be made, we are not able to guarantee technical compatibility with a third party organisation's systems.


Enforcement

Sovos uses a self-assessment approach to assure compliance with this privacy policy and periodically verifies that the policy is accurate, comprehensive for the personal data intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Privacy Shield Principles. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of personal data in accordance with the Privacy Shield Principles.


Transfer of Personal Data - Outside the EU / EEA and US

Under the General Data Protection Regulation, we are required to tell you if we transfer, or intend to transfer personal data which we hold on you to countries outside the European Economic Area (“EEA”).

As a global company, your personal data collected by Sovos may be processed or accessed in the country where you use our products and services or in other countries outside of the EEA where Sovos or its affiliates and partners do business, and where some of our servers are located. These countries / jurisdictions may have different data protection laws. In such circumstances Sovos will take all required measures to ensure that personal data is processed as required by this Privacy Policy and applicable laws to ensure that it has an adequate level of protection.

If you visit our Sovos web site from outside of the United States, your connection will be through and to servers situated in the United States. Any information (including personal data) will be held and maintained in servers and Sovos internal systems located inside the United States.

Except as prohibited by law, the personal data that you provide may be stored on Sovos servers outside of Europe and the EEA and other Sovos companies or business partners may process this personal data on Sovos’ behalf (subcontractors and sub-processors); however, this will always be under strict conditions of data processing agreements and confidentiality. We transfer such personal data outside the EEA only if:

a) your product or service enquiry is best handled by one of our companies located outside the EEA; and / or

b) the service you have requested (such as a newsletter), is delivered through a third-party located outside the EEA.

A list of companies we may utilize outside the EEA is available upon request by contacting us at [email protected]

We apply the same level of security to data held and processed by us, or our subcontractors outside of the EEA. We have taken steps to ensure that our subsidiaries and affiliates and those who process data on our behalf located outside of the EEA enter into the EU standard model contractual clauses approved by the European Commission, to safeguard the personal data which is transferred to and from the EEA and beyond, or the EU-US Privacy Shield.


Third Parties / Linked pages

We will only share your personal data with trusted third parties where we have retained them to provide services that you have requested, or for our legitimate business purposes, such as IT or professional support services. To benefit from your experience on our web site you may also receive content or web links from third parties other than Sovos and our partners. Sovos does not have the right to control such parties; you have the choice whether to view such content or access such links provided by third parties. Sovos cannot control the privacy practices and data protection policies of third parties that are not subject to this Privacy Policy. Therefore, when you submit personal data to such third parties, please read and refer to the privacy protection policy of the third party.


How Long We Hold Your Personal Data For / Storage Minimization

Sovos will retain your personal data for no longer than is necessary for the processing purpose, or unless otherwise required to extend this period under the permitted retention period by law, contract or equivalent requirement.


Dispute Resolution

In compliance with the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks, Sovos is committed to resolving complaints about your privacy and our collection or use of your personal data. Individuals with inquiries or complaints regarding this privacy policy should first contact Sovos at:

Sovos Compliance, LLC
Attn: Office of Information Security
200 Ballardvale Street
Building 1, 4th Floor
Wilmington, MA 01887

or by email to: [email protected]

We will investigate and attempt to respond to any complaints or disputes regarding the use or disclosure of personal data within 30 days of receiving your complaint.

Sovos has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.

If your complaint involves human resources data transferred to the United States from the EU, UK and/or Switzerland in the context of the employment relationship, and Sovos does not address it satisfactorily, Sovos commits to cooperate with the panel established by the EU data protection authorities (DPA Panel) and/or the Swiss Federal Data Protection and UK Information Commissioner, as applicable and to comply with the advice given by the relevant Data Protection Authority panel and/or Commissioner, as applicable with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labour authority in the appropriate jurisdiction. Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD.

Under certain limited circumstances, individuals in the EEA may invoke binding Privacy Shield arbitration as a last resort if all other forms of dispute resolution (discussed above) have been unsuccessful. To learn more about this method of resolution and its availability to you, please visit https://www.privacyshield.gov/.


Complaints from The UK and European Individuals

If you are unhappy about our use of your personal data, you can contact us using the contact details below. In addition, you are also entitled to lodge a complaint with the UK Information Commissioner’s Office using any of the below contact methods:

Telephone: 0303 123 1111
Web site: https://ico.org.uk/concerns/
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Within Europe you may prefer to lodge a complaint with a different supervisory authority in a country of your choice. A list of European Supervisory Authorities is available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm


Changes to this Privacy Policy

If elements of our privacy practices change, we will inform you by updating the Privacy Policy on this web site.


Further Information on Data Protection and Personal Data Privacy

If you have any enquiries or if you would like to contact us about our use of your personal data including how to exercise your rights as outlined above, please contact us by one of the methods listed below. Please note that when you contact us, it will be necessary for us to ask you to verify your identity.


For US and Latin - Sovos Compliance, LLC Attn: Office of Information Security 200 Ballardvale Street Building 1, 4th Floor Wilmington, MA 01887 [email protected]