Shared responsibility with SOVA


LAST UPDATED: May 7, 2026


SOVA Systems LLC (“SOVA”) takes responsibility for building products that are secure, reliable, and robust. While SOVA maintains the cloud infrastructure and the SOVA platform, Customer is responsible for securing its data, the settings it configures within the SOVA platform, and its compliance with applicable law.

When you use SOVA, data security and privacy is a shared responsibility. This document describes the allocation of responsibilities between SOVA and Customer at a high level. It is provided as informational guidance and supplements the Master Services Agreement. In the event of any conflict between this document and the MSA, the MSA controls.


Responsibility Overview

The table below provides a high-level summary. Detailed descriptions of each area follow in the sections below.

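| Area | Responsible party |
| --- | --- |
| Data accountability and content | Customer |
| Passwords and account security | Customer |
| Client and endpoint security | Customer |
| Legal and regulatory compliance | Customer |
| User training and awareness | Customer |
| Biometric consent and notices | Customer |
| Surveillance law compliance | Customer |
| Shipping and packaging obligations | Customer |
| Identity and access management | Shared |
| Data management and retention | Shared |
| Encryption | Shared |
| Incident management | Shared |
| Sub-processor oversight | Shared |
| Data subject rights | Shared |
| AI processing safeguards | Shared |
| Platform security | SOVA |
| Availability and SLA | SOVA |
| Business continuity and DR | SOVA |
| Network controls | SOVA |
| Host infrastructure | SOVA |
| Physical infrastructure security | SOVA |
| Operational Support Team access controls | SOVA |
| Development environment data masking | SOVA |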

Customer Responsibilities

Data Accountability and Content

Customer is responsible for:

  • The data Customer and its Authorized Users upload, share, and process through the SOVA platform. Customer decides what data is entered, who has access to it, and how long it is retained.
  • Ensuring the privacy of data handled through the SOVA platform and preventing Authorized Users from uploading content that is unlawful, that infringes third-party rights, or that violates applicable law (see MSA §6, Customer Content Responsibility and Acceptable Use).
  • Maintaining the accuracy of the data processed through the SOVA platform.
  • Ensuring that the SOVA platform is used only for its intended operational and security management purposes and not for spamming, illegal activity, or purposes inconsistent with the MSA.

Passwords and Account Security

Customer is responsible for:

  • Creating and maintaining strong passwords for all Authorized User accounts.
  • Safeguarding account credentials and not sharing login information between users.
  • Promptly notifying SOVA of any suspected unauthorized access to Customer accounts.

Client and Endpoint Security

Customer is responsible for:

  • Securing the devices (laptops, desktops, smartphones, tablets) used to access the SOVA platform. A compromised endpoint can render other security controls ineffective.
  • Keeping browsers, mobile operating systems, and the SOVA mobile application updated to the latest version and patched against known vulnerabilities.
  • Enrolling SOVA-connected mobile devices in a Mobile Device Management (MDM) solution where the Customer’s security policies require it. SOVA does not require a specific MDM vendor but recommends MDM enrollment for devices used in security operations.

Legal and Regulatory Compliance

Customer is responsible for:

  • Evaluating the laws and regulations applicable to Customer’s use of the SOVA platform, including privacy, employment, workplace safety, biometric, surveillance, and export control laws.
  • Providing all legally required notices to, and obtaining all required consents from, individuals whose personal information is collected or processed through the SOVA platform.
  • Conducting Data Protection Impact Assessments (DPIAs) where required by applicable data protection law.
  • Assessing the lawful basis for processing personal data and obtaining consent where required.

User Training and Awareness

Customer is responsible for:

  • Training Authorized Users on proper use of the SOVA platform, including security best practices, password management, and the risks of credential reuse and phishing.
  • Ensuring Authorized Users understand the Customer’s obligations under the MSA as they relate to their use of the platform.

Shared Responsibilities

Identity and Access Management

SOVA provides:

  • User registration and de-registration functionality.
  • Role-based access controls for managing Authorized User permissions.
  • Multi-factor authentication (MFA) capability.
  • Session management and authentication mechanisms.
  • Audit logging of login events and access to sensitive records.

Customer is responsible for:

  • Configuring user roles according to the principle of least privilege.
  • Enabling MFA for Authorized Users.
  • Designating account administrators and maintaining a proper process for ownership transfers, ensuring Customer does not lose control of its administrator accounts.
  • Periodically reviewing the list of Authorized Users and removing access for anyone who should no longer have it.
  • Reviewing mobile devices linked to the organization’s accounts and removing unused or unauthorized devices.
  • Monitoring accounts for suspicious access or usage and notifying SOVA of any unauthorized use.

Data Management and Retention

SOVA provides:

  • Data sharing controls at the administrator and user level.
  • Audit features on Customer Data to provide transparency on important activities and track changes.
  • Data export in standard SQL format upon termination, as described in MSA §26 (Data Export). Customer Data exports are provided as structured database tables and require a SQL-compatible database management system to view and use. SOVA does not provide any application, user interface, or visualization tool for exported data.
  • Data disposal using cryptographically secure deletion methods, with written certification, ninety (90) days after termination of the Agreement, as described in MSA §27 (Data Disposal). SOVA provides at least thirty (30) days’ written notice before deletion and affords Customer the opportunity to request a data export before disposal.
  • Access controls that limit SOVA personnel access to Customer Data. The Operational Support Team’s access is limited by role-based access control to operational functions and Customer organizational and contact records, and does not include access to visitor records, incident reports, biometric data, lost and found claimant data, persons-of-interest records, or tour data (see MSA §30).

Customer is responsible for:

  • Exercising due diligence when processing personal or sensitive data and applying appropriate controls to comply with applicable law.
  • Regularly reviewing audit reports to identify any suspicious activity.
  • Maintaining up-to-date contact information with SOVA.
  • Requesting a data export within sixty (60) days of termination if Customer wishes to retain its data. Data not exported within the retention window will be permanently deleted without recovery.

Sub-processor Oversight

SOVA is responsible for:

  • Evaluating the security and privacy practices of sub-processors before engagement and ensuring they meet SOVA’s information security and privacy standards.
  • Executing appropriate data protection agreements with sub-processors.
  • Providing Customer with at least thirty (30) days’ advance notice of any new sub-processor that will process Customer Data, and affording Customer the right to object (see MSA §7(B) and §30).

Customer is responsible for:

  • Reviewing the sub-processor list and raising any objections within the notice period.

Data Subject Rights

SOVA is responsible for:

  • Providing platform features that enable Customer to respond to data subject access, correction, and deletion requests.
  • Notifying Customer of requests from data subjects who contact SOVA directly.
  • Assisting Customer in responding to verified requests as required by law.

Customer is responsible for:

  • Receiving and responding to data subject requests for access, correction, deletion, and restriction of processing of personal information.
  • Directing data subjects to contact Customer in the first instance, as Customer is the controller of data processed through the SOVA platform.

Encryption

SOVA provides:

  • Encryption in transit: All connections to SOVA servers use Transport Layer Security (TLS 1.2 or higher) with strong ciphers, including web access, API access, and the SOVA mobile application.
  • Encryption at rest: Customer Data is encrypted at rest using AES-256 or equivalent. Encryption keys are managed through a dedicated key management infrastructure.

Customer is responsible for:

  • Applying appropriate encryption controls when Customer Data is downloaded, exported, or synced to Customer’s own environment or to third-party systems. This includes enabling disk encryption on devices and using password-protected exports where supported.

Backups

SOVA provides:

  • Daily automated backups of Customer Data, encrypted with AES-256 or equivalent, securely replicated to an alternate location within the United States (see Exhibit A §10).
  • Daily backups retained for thirty (30) days and then purged using cryptographically secure methods.
  • Data restoration within the retention period upon Customer request. To request a restoration, contact support@sovasystems.com or open a support ticket.

Customer is responsible for:

  • Scheduling and managing any additional local backups of exported data, and storing such backups securely in Customer’s own infrastructure.

Incident Management

SOVA is responsible for:

  • Notifying Customer without undue delay (and within seventy-two (72) hours) of any breach of security or unauthorized access to Personal Information, as described in MSA §7(C).
  • Providing Customer with a description of the nature of the breach, likely consequences, measures taken, and contact details for further information.
  • Investigating the cause of the breach, taking steps to prevent recurrence, and cooperating with Customer in the preparation of any legally required notifications.

Customer is responsible for:

  • Taking actions recommended by SOVA in response to a breach.
  • Meeting Customer’s own breach notification and disclosure obligations, including notifying affected individuals and data protection authorities where required by law.
  • Reporting security and privacy incidents that Customer becomes aware of to support@sovasystems.com (or for legal matters, legal@sovasystems.com).

AI Processing Safeguards

SOVA is responsible for:

  • Implementing PII Scrubbing before transmitting Customer Data to third-party AI providers (see MSA §10 and Exhibit F §4).
  • Ensuring that third-party AI providers do not use Customer Data to train or improve their models.
  • Maintaining logs of data categories submitted to AI processing and making them available to Customer on request.

Customer is responsible for:

  • Reviewing AI-generated outputs before operational, legal, or evidentiary use. AI outputs must be verified by qualified human personnel (see MSA §10(C)).
  • Understanding that PII Scrubbing may not be 100% effective and that Customer Data submitted to AI features may contain residual personal information despite preprocessing.

SOVA Responsibilities

Platform Security

  • SOVA is responsible for the logical isolation of Customer Data. Each Customer’s data is logically separated from other Customers’ data using secure protocols.
  • SOVA is responsible for the confidentiality, integrity, and availability of Customer Data at rest, in transit, and during processing.
  • SOVA is responsible for traceability and control of Customer Data such that the location and processing of data can be determined at any time.

Availability and SLA

  • SOVA commits to 99.5% target availability per calendar quarter for the SOVA Core Web application and Add-On Components, with a Service Availability Default threshold of 99.0% (see Exhibit A §6).
  • SOVA is responsible for handling hardware and software failures and protecting against threats such as denial-of-service attacks.

Business Continuity and Disaster Recovery

  • SOVA maintains a disaster recovery plan with a Recovery Time Objective (RTO) of 24 hours and a Recovery Point Objective (RPO) of 24 hours (see Exhibit A §11).
  • Customer Data is replicated to an alternate location within the United States. In the event of a primary-site disaster, SOVA can fail over to the secondary location.

Network Controls

  • SOVA operates a secure production network using firewalls, intrusion detection and prevention systems, and network monitoring to prevent unauthorized access.
  • Access to the production network is strictly controlled and limited to authorized personnel.

Host Infrastructure

  • All servers in the production environment are hardened according to SOVA’s security standards. Operating system patch management, baseline configuration, and host intrusion detection are maintained.
  • Annual penetration testing is performed by a qualified third party on an isolated, equivalent platform that does not expose Customer Data (see Exhibit A §5).

Physical Infrastructure Security

  • SOVA’s cloud infrastructure is hosted on AWS, which maintains physical security controls including facility access controls, environmental protections, and 24/7 monitoring at its data centers.

Operational Support Team Access Controls

  • SOVA’s Operational Support Team handles routine technical support, service restarts, and Tier 1 customer support. Access is limited by role-based access control to operational functions and Customer organizational and contact records. The Operational Support Team does not have access to visitor records, incident reports, biometric data, lost and found claimant data, persons-of-interest records, tour data, or other end-user personal information (see MSA §30).
  • All Operational Support Team access requires multi-factor authentication and is logged in audit records retained for at least twelve (12) months.

Development Environment Data Masking

  • SOVA’s software development personnel do not have direct access to production systems or production databases. Development is performed in local environments using data extracts that have been processed through a masking procedure to replace personal information with synthetic substitutes (see MSA §30).
  • Where occasional production access is required for debugging or incident response, access is granted by an authorized SOVA principal on a time-limited, audit-logged basis with reference to a specific issue.

Feature-Specific Responsibilities

Certain SOVA platform features carry additional shared-responsibility obligations. The table below summarizes the key responsibilities for each feature. Full terms are in the MSA and the applicable addendum.

| Feature | Customer Responsibility | SOVA Responsibility |
| --- | --- | --- |
| Biometric Features | Determining legal compliance in each jurisdiction; providing required notices and obtaining required consents; establishing retention and destruction schedules; executing the Biometric Addendum before enablement (MSA §11) | Keeping biometric features disabled by default; enabling only after Addendum execution and audit-logged configuration; encrypting biometric data at rest and in transit; deleting biometric data on termination or Customer request (MSA §11, Exhibit F) |
| AI Features | Reviewing all AI-generated outputs before operational use; understanding PII Scrubbing limitations; deciding whether to enable or disable AI features (MSA §10) | Implementing PII Scrubbing; ensuring transient processing by third-party AI providers; contractually prohibiting AI providers from training on Customer Data; maintaining processing logs (MSA §10, Exhibit F) |
| Location Tracking | Providing required notices to employees and obtaining required consents under applicable workplace privacy and electronic monitoring laws; complying with surveillance law requirements (MSA §17) | Collecting location data only while a User is logged in; stopping collection on logout; displaying a persistent system notification during collection; associating location with a device identifier during the shift (Services Privacy Policy) |
| Shipping Services | Executing the Shipping Services Addendum; packaging, weighing, and labeling shipments accurately; complying with prohibited-item, hazmat, lithium battery, and controlled substance restrictions; maintaining physical security during custody; training Customer Personnel (Shipping Services Addendum) | Maintaining integrations with the Logistics Provider, Payment Processor, and Insurance Provider; generating labels and surfacing tracking data; passing hazmat flags to the Logistics Provider; maintaining SAQ-A PCI compliance scope (Shipping Services Addendum) |
| Driver License Scanning | Compliance with the federal Driver’s Privacy Protection Act (DPPA) and applicable state laws governing the collection, use, and retention of driver license data (Services Privacy Policy) | Processing driver license data as Customer Data on Customer’s instructions; reading PDF417 barcodes in accordance with the AAMVA standard (Services Privacy Policy) |
| Audio, Video, and Image Capture | Compliance with wiretap laws (including two-party consent states), workplace privacy laws, and laws governing the collection of images of identifiable individuals (MSA §17, Services Privacy Policy) | Providing the capture functionality as an optional feature; storing captured content encrypted in transit and at rest; retaining according to Customer’s retention policy (Services Privacy Policy) |

How to Contact Us

For questions about this Shared Responsibility Policy or about the allocation of security and privacy responsibilities between SOVA and Customer, please contact:

SOVA Systems LLC
Attn: Legal
PO Box 600063
San Diego, CA 92160
Email: legal@sovasystems.com
Phone: +1 844-961-3690

To report a security incident: support@sovasystems.com (or for legal matters, legal@sovasystems.com).

To request information about SOVA’s security posture, certifications, or compliance attestations: legal@sovasystems.com.
