LAST UPDATED: May 6, 2026
Welcome to the SOVA Privacy Center!
SOVA respects the privacy of everyone that engages with our platform, and we are committed to being transparent about our privacy processes and policies. In order to provide our services to our customers, we collect and process personal data.
The SOVA Privacy Center contains the answers to frequently asked questions about how we collect and use personal data, the rights that individuals have in relation to personal data held by SOVA, and how SOVA complies with applicable data protection laws.
Privacy FAQs
- What U.S. privacy laws apply to SOVA?
- How can I exercise my privacy rights as a U.S. resident?
- What is the GDPR and does it apply to SOVA?
- How can I exercise my data subject access rights under the GDPR?
- Does SOVA retain personal data?
- Does SOVA have a Data Protection Officer (DPO)?
- Who are SOVA’s sub-processors and how are they vetted?
- What is a Data Processing Agreement (DPA) and how can I get one with SOVA?
- Does SOVA process biometric data?
- How does SOVA handle international data transfers?
1. What U.S. privacy laws apply to SOVA?
SOVA operates in the United States and complies with applicable U.S. federal and state privacy laws, including the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Utah Consumer Privacy Act ("UCPA"), the Texas Data Privacy and Security Act ("TDPSA"), the Oregon Consumer Privacy Act, the Montana Consumer Data Privacy Act, and successor or similar statutes as they take effect.
When SOVA processes personal data on behalf of a Customer, SOVA acts as a "service provider" under CCPA/CPRA and as a "processor" under the other state laws referenced above. The operative terms governing that processing are set out in our Data Processing Agreement.
2. How can I exercise my privacy rights as a U.S. resident?
If you are a resident of a U.S. state with applicable privacy legislation, you may have rights regarding personal data that SOVA holds about you, which may include the right to access, correct, delete, or obtain a copy of your personal data, and the right to opt out of certain processing activities.
If SOVA processes your personal data on behalf of one of our Customers (for example, an employer, property manager, or venue operator), please direct your request to that Customer in the first instance, as they are the controller of your data. SOVA will assist our Customers in responding to verified requests as required by law.
For requests relating to personal data that SOVA holds in its own right (for example, account holder information or website visitor data), please contact
privacy@sovasystems.com.
3. What is the GDPR and does it apply to SOVA?
The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a regulation in EU law on data protection and privacy for individuals within the European Union (EU) and the European Economic Area (EEA). The UK General Data Protection Regulation ("UK GDPR") provides comparable protections in the United Kingdom following Brexit.
SOVA’s Customers are located in the United States, and SOVA does not currently target or offer services to customers in the EU, EEA, or UK. If a Customer based in or processing personal data of EU, EEA, UK, or Swiss data subjects engages with SOVA, SOVA will execute its EU/UK Transfer Addendum alongside the Data Processing Agreement before processing such data, incorporating the European Commission’s Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, and equivalent protections under the revised Swiss Federal Act on Data Protection.
4. How can I exercise my data subject access rights under the GDPR?
If you are a resident of the EU, EEA, UK, or Switzerland and believe SOVA holds personal data relating to you, you may exercise your data subject rights by contacting privacy@sovasystems.com. As noted above, where SOVA processes personal data on behalf of one of our Customers, please direct your request to that Customer in the first instance.
5. Does SOVA retain personal data?
SOVA retains transaction records and Customer Data for periods set out in our agreements with Customers and as required by applicable law. Read more about our data retention process in our Website Privacy Policy. If you are a current Customer of SOVA, please read our Services Privacy Policy.
6. Does SOVA have a Data Protection Officer (DPO)?
No, SOVA does not have a designated Data Protection Officer. SOVA evaluates its business needs regularly and monitors changes in applicable privacy law to ensure ongoing compliance. Privacy-related inquiries may be directed to privacy@sovasystems.com.
7. Who are SOVA’s sub-processors and how are they vetted?
SOVA identifies, evaluates, and engages sub-processors through our vendor management program. SOVA enters into a contract with each sub-processor prior to sharing data with the sub-processor, and each contract contains terms providing for monitoring and audit. In addition, all potential vendors are vetted and approved through SOVA’s security review process before SOVA begins using their services.
8. What is a Data Processing Agreement (DPA) and how can I get one with SOVA?
A Data Processing Agreement is a contract between a data controller and a data processor that describes the roles and responsibilities of the parties when personal data is processed. CCPA/CPRA, the other U.S. state privacy laws, and the GDPR each set out requirements for the terms of such agreements.
SOVA has a current-form Data Processing Agreement available to its Customers. To request a copy for review, or to execute a DPA alongside or after your Master Services Agreement, please contact
privacy@sovasystems.com. Where applicable, the EU/UK Transfer Addendum and the Biometric Data Addendum are executed alongside the DPA.
9. Does SOVA process biometric data?
The SOVA platform supports optional features that may involve the processing of biometric identifiers or biometric information (as those terms are defined under applicable law, including the Illinois Biometric Information Privacy Act, the Texas Capture or Use of Biometric Identifier Act, the Washington biometric privacy statute (RCW 19.375), and CCPA/CPRA). Biometric features are disabled by default for all Customers.
Biometric features may be enabled at a Customer site only after (i) legal review of the applicable requirements in the jurisdiction in which the site is located, and (ii) execution of the SOVA Biometric Data Addendum, which is executed alongside the Master Services Agreement and Data Processing Agreement. Where biometric features are enabled, SOVA processes biometric data only on the Customer’s instructions and in accordance with the Biometric Data Addendum. The Customer is responsible for providing required notices to, and obtaining required consents from, individuals whose biometric data is processed. For more information, contact
privacy@sovasystems.com.
10. How does SOVA handle international data transfers?
SOVA is established in the United States, and its Customers are located in the United States. SOVA does not currently transfer personal data from the EU, EEA, UK, or Switzerland to the United States in the ordinary course of providing the SOVA Services.
If SOVA engages with a Customer that requires processing of personal data of EU, EEA, UK, or Swiss data subjects, SOVA will execute its EU/UK Transfer Addendum alongside the Data Processing Agreement. The Addendum incorporates the European Commission’s Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office, and reflects equivalent protections under the revised Swiss Federal Act on Data Protection. SOVA does not currently rely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework as a transfer mechanism.
If you have additional questions about SOVA’s privacy practices, please
contact us.