LAST UPDATED: May 7, 2026
This guide is for the people who use the SOVA platform every day — security supervisors, front-desk staff, lost-and-found coordinators, and property administrators. It covers practical steps you can take to protect your data, your guests’ data, and your organization. It is not a legal document; the contractual obligations between your organization and SOVA are set forth in the Master Services Agreement and the Shared Responsibility Policy.
Every person who uses SOVA should have their own account. Sharing accounts creates serious problems: you lose the ability to tell who did what during an audit, you cannot detect unauthorized access, and you cannot revoke a single person’s access when they leave without disrupting everyone else. Many actions in SOVA are logged with the user who performed them — shared accounts break that audit trail entirely.
Current best practice (per NIST 800-63B) favors longer passwords over complex ones. A good password is at least 15 characters long and is not a word or phrase that could be easily guessed (your name, your property name, “password123”). Passphrases — several unrelated words strung together — are both strong and easy to remember. Your password should be unique to SOVA and not reused from another service. If you have trouble managing passwords, use a password manager.
Two-factor authentication (2FA) adds a second layer of protection beyond your password. With 2FA enabled, even if someone steals your password, they cannot log in without a code from your personal device. SOVA supports software-based 2FA through authenticator apps such as Google Authenticator, Microsoft Authenticator, and Authy. Your SOVA administrator can enable 2FA for your organization.
At a minimum, all administrator accounts should have 2FA enabled. SOVA strongly recommends enabling it for all users.
When a new employee starts, create their SOVA account with the appropriate role and permissions. When an employee leaves, deactivate or delete their account immediately — do not wait for a periodic review. For employees on leave, deactivate the account and reactivate it when they return. Review your active user list at least quarterly and remove accounts that are no longer needed.
Cleaning crews, maintenance teams, and other non-security staff may have access to your workspace. Locking your computer when you step away — even briefly — prevents unauthorized access to the SOVA portal and any data displayed on screen.
Keep the SOVA mobile app, your device’s operating system, and your web browser updated to the latest version. Updates frequently include patches for security vulnerabilities that attackers actively exploit. Enable automatic updates where possible.
Encryption protects the data on your device if it is lost or stolen. Most modern Android devices ship with encryption enabled by default. If your device does not have encryption enabled, turn it on in your device’s security settings. An encrypted device requires a PIN, password, or biometric to access — without it, the data on the device is unreadable.
Consider what is on a SOVA device: incident photos, location history during a shift, checkpoint data, and potentially cached login credentials. A stolen, unencrypted device exposes all of this.
Keep a list of all active SOVA devices at your property. When a device is lost, stolen, broken, or retired, open a support ticket at support.sovasystems.com so the device can be decommissioned promptly. Devices that are no longer in use but remain active in the system are a security risk.
A Mobile Device Management (MDM) solution allows you to remotely manage, lock, and wipe SOVA devices; restrict which apps can be installed; enforce encryption and PIN requirements; and track device location in case of loss. If your organization already uses an MDM for other company-owned devices (laptops, tablets), consider enrolling SOVA devices in the same solution. If you do not have an MDM, discuss options with your IT department — several vendors offer affordable per-device plans suitable for small deployments.
SOVA does not monitor or review the content you upload. You and your organization are responsible for what goes into the platform. The guidance below will help you avoid common mistakes that create legal exposure or put individuals’ privacy at risk.
Driver licenses. The SOVA platform includes a driver license scanning feature that reads the PDF417 barcode on the back of the license for visitor check-in and identity verification workflows. Where this feature is enabled by your organization, the scanned data is processed through the platform’s structured workflow and is subject to the Driver’s Privacy Protection Act (DPPA). However, photographing the front of a driver license and uploading the image to an incident report is a different matter entirely. A full-face image of a license exposes the holder’s name, address, date of birth, license number, and photo — all the ingredients for identity theft. If you need to document that you verified someone’s identity, record the name and last four digits of the license number in the narrative. Do not upload a photograph of the full license unless your organization’s policy specifically requires it and your legal team has approved the practice.
Prescription medication. If a guest leaves behind prescription medication and you need to photograph it for lost-and-found records, mask the patient name and the medication name on the label before photographing. The size, color, and shape of the bottle are sufficient for the guest to recognize the item. A photograph showing a person’s name alongside their medication reveals a medical condition — this is sensitive personal information under California law (CCPA/CPRA) and Washington’s My Health My Data Act, and may implicate HIPAA if your organization is a covered entity. When shipping prescription medication back to a guest through SOVA, non-controlled medications must be in their original pharmacy packaging with the original label intact (see the Shipping Services Addendum §13).
Business documents. Guests sometimes leave behind documents containing proprietary business information. If you photograph the item for a lost-and-found record, cover any visible text with a blank sheet of paper before taking the photo. The goal is to show you have the item, not to capture its contents. Do not copy, fold, or alter business documents. Store them flat in a plain envelope in a secure location.
Personal photographs and artwork. Do not photograph a photograph or a piece of artwork — the original was not created for public consumption and the creator may have copyright or privacy interests. A written description in the lost-and-found record is sufficient.
Insurance cards. Do not photograph insurance cards (health, auto, or otherwise) for persons involved in incidents. An insurance card image contains enough information to facilitate identity theft. Record the insurer name and policy number in the narrative if needed.
Health-related information in incident reports. When documenting an injury or medical event in an incident report, describe what you observed factually. Avoid uploading images of bodily injuries where the person’s face is visible in the same frame. Do not include diagnoses, treatment details, or information from medical documents unless your organization’s legal or risk team has directed you to do so. For incidents involving sexual assault, raise the incident classification level to restrict distribution and viewing to authorized personnel only.
Lost-and-found records often contain personal information about guests — names, phone numbers, email addresses, mailing addresses, and item descriptions. This information is collected for a specific purpose (returning the item) and should not be retained longer than necessary.
When a guest submits a lost-item inquiry through the public form, they provide their name, contact information, and a description of the item. This data is processed by SOVA on your organization’s behalf. Once the inquiry is resolved (item returned, claim closed, or retention period expired), the personal information should be cleaned up. See the Privacy Cleanup section below.
If your property uses SOVA’s shipping features to return lost items to guests, the following applies to the personnel who package and ship items. Full terms are in the Shipping Services Addendum.
Most consumer electronics contain lithium batteries — phones, laptops, tablets, headphones, smartwatches, e-cigarettes, vapes, electric toothbrushes, and rechargeable devices. When you check the lithium battery box during shipment creation, SOVA limits the shipment to ground transport and flags the hazmat status with the carrier. However, you are also required by federal law (49 CFR §173.185) to:
SOVA cannot verify that these physical steps are done. If you ship a package containing a lithium battery without the required label and document, it is a federal violation and a breach of the Shipping Services Addendum. If you are unsure whether an item contains a lithium battery, assume it does and declare it.
The following items cannot be shipped through the SOVA shipping workflow. The full list is in the Shipping Services Addendum §11, but the most common ones encountered in lost-and-found operations are:
If a guest asks you to ship an item on this list, explain that the item cannot be shipped through the platform and offer alternatives (guest pickup, or the guest arranging their own carrier).
Once you print a shipping label, your organization is responsible for the physical security of the package until the carrier picks it up. Do not leave labeled packages in unsecured areas such as open hallways, loading docks, or unmonitored back-of-house areas. A package that goes missing before carrier pickup is your organization’s responsibility, not the carrier’s and not SOVA’s.
SOVA’s AI features can help with incident report drafting, lost-and-found item descriptions, and image analysis. A few things to keep in mind:
This is important. Do not copy and paste content from the SOVA platform — including incident report narratives, guest names, witness statements, contact information, or any other data that may contain personal information — into external AI tools such as ChatGPT, Google Gemini, Claude, Copilot, or any other large language model or AI service outside of the SOVA platform.
When you paste data into an external AI tool, that data leaves your organization’s control and SOVA’s control entirely. It is transmitted to servers operated by a third party whose data handling practices are governed by their own terms, not by your organization’s agreement with SOVA. Many consumer-tier AI services use the data you submit to train and improve their models, which means your guests’ personal information, incident details, and witness statements could become part of a training dataset accessible to the AI provider and potentially surfaced in responses to other users.
If your organization needs to use an external AI service to analyze or process data that originated in SOVA, ensure that:
SOVA’s built-in AI features are specifically designed to avoid these risks: data is processed transiently, third-party AI providers are contractually prohibited from training on your data, and PII Scrubbing is applied before transmission. Using SOVA’s built-in features is always safer than pasting the same data into an external tool.
Personal information collected through the SOVA platform should be retained only as long as it is needed for the purpose it was collected. Your organization is responsible for setting and following appropriate retention periods.
SOVA provides a privacy cleanup tool for lost-and-found records. To access it, navigate to GDPR Lost & Found Records (found at /lostfound/shipments_reports in your SOVA portal). This page presents lost-and-found records containing personal information — such as guest names, contact details, and shipping addresses — that may be eligible for cleanup after the underlying inquiry or shipment has been resolved.
If your organization uses the lost-and-found module, an administrator should review this page regularly and remove personal data that is no longer needed. This applies to all customers, not only those serving guests from the European Union. Privacy regulations in California (CCPA/CPRA), other U.S. states, Canada (PIPEDA, Quebec Law 25), and the European Union (GDPR) all require that personal information not be retained longer than necessary for the purpose for which it was collected.
If you discover or suspect a security incident involving the SOVA platform — such as unauthorized access to an account, a lost or stolen SOVA device, or data that appears to have been accessed by someone who should not have access — report it immediately:
Do not attempt to investigate a suspected breach on your own. Notify the appropriate people and preserve any evidence (screenshots, error messages, access logs) for the investigation.
For questions about security best practices or the guidance in this article:
SOVA Systems LLC
Email: support@sovasystems.com
Support portal: support.sovasystems.com
Phone: +1 844-961-3690
For privacy-related questions: privacy@sovasystems.com
For legal matters: legal@sovasystems.com