Privacy Policy

This policy was last modified on August 17, 2017.

Sovren highly regards privacy and data protection. Sovren has created a Privacy Policy (“Policy”) in order to preserve data confidentiality and integrity and control data availability. This Policy applies to all Personally Identifiable Information (“PII”) received by Sovren in any format, whether through its hosted services, installed software, or troubleshooting and feedback channels, and whether provided for “live” production purposes or for research and development activities. This Policy applies to PII that is supplied to Sovren directly by Sovren customers (“Customers”) or by candidates or other external users of Sovren Customers (“Candidates”), anywhere in the world, including transfers from the European Economic Area (EEA) to the United States, and transfers from Switzerland to the United States.

Sovren complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Sovren has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit

Sovren also complies with the Swiss–U.S. Privacy Shield as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from Switzerland. Sovren has certified that it adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Swiss-U.S. Privacy Shield program, and to view Sovren’s certification, please visit

Sovren is also in compliance with the California Online Privacy Protection Act. This Policy does not reflect the privacy practices of Sovren’s Customers, and Sovren is not responsible for its Customers’ privacy policies or practices. Sovren does not review, comment upon or monitor its Customers’ compliance with their respective privacy policies, nor does Sovren review instructions or requests received from its Customers to determine whether they are in compliance with or conflict with the terms of a Customer’s published privacy policy.

Notice/Use of Information

Sovren does not sell or publish PII provided by its Customers. Sovren maintains Customer PII only for the purposes of contracting and communicating with Customers.

Sovren may collect and aggregate demographic data that is not associated with an individual’s PII for use in statistical analysis, algorithmic learning, software performance metrics, or for other training purposes.

Sovren operates as a data processor for its Customers. Customers fill the role of data controller, retaining the PII of Candidates. Candidates interact with Customers rather than directly with Sovren. Generally, as data processor, Sovren does not maintain any Candidate PII collected by Customers. For each failed transaction processed at, where the Code is something other than “Success,” Sovren may, unless prohibited to do so by the Customer, log the Candidate PII for a period of up to 14 days, after which the document is automatically purged from Sovren’s AWS server. Sovren may retain Candidate PII that it obtains in the course of providing troubleshooting, performance feedback, or to assist in software improvements for Customers. This retained Candidate PII is maintained locally, securely and used only for the purposes of internal testing, research and development. At the Customer’s request, Sovren will not retain Candidate PII that Customers share with it during the course of providing troubleshooting, performance feedback, or to assist in software improvements. It is the Customer’s responsibility to ensure that the data the Customer collects can be legally collected in the country of origin. The Customer is responsible for properly notifying its employees and Candidates if, when and how PII is being collected and maintained, and for providing them a choice as to whether or not we use PII in the manner described herein.

Regarding transactions processed through, Sovren may log the Customer account and transaction metadata including source IP address, processing codes, sizes and timings. Sovren offers service endpoints in multiple regions, currently the United States and European Union. Documents are processed at designated service endpoint, but may be maintained and accessed by Sovren employees, outside of the region endpoint, as set forth in this Policy.

If Sovren goes through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of its assets, information collected through our website(s) may be among the assets transferred. A prominent notice will appear on our website(s) for 30 days after any such change in ownership or control of your personal information.

Sovren does not use cookies in conjunction with or

Notification of Changes/Choice

We will maintain information in accordance with this Policy. If we decide to change the Policy, we will post those changes to this Policy on Sovren’s website, and other places we deem appropriate so our Customers are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. Customers, in turn, are responsible for notifying Candidates and providing them a choice as to whether or not we use their information in this different manner.

Third-Parties and Platform Security

If we transmit information of our Customers or users to a third party that is acting as our agent or on our behalf, we will ensure that the third party has agreed to abide by the Privacy Shield principles, or can otherwise assure adequate protection of such information. We may seek to assure adequate protection, for example, by entering into written agreements with third parties requiring such parties to provide at least the same level of privacy protection as is required by the Privacy Shield.

Sovren’s accountability for personal data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Sovren remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Sovren proves that it is not responsible for the event giving rise to the damage.

Sovren’s hosted services, provided at, are built on Amazon Web Services (AWS) to deliver a highly scalable cloud computing platform with high availability and reliability. In order to provide end-to-end security and end-to-end privacy, AWS builds services in accordance with security best-practices and provides appropriate security in those services, and documents how to use those features. Sovren uses these features and best-practices to architect an appropriately secure application environment. Together, Sovren and AWS enable our customers to ensure the confidentiality, integrity, and availability of their data, maintaining trust and confidence.

AWS has in the past successfully completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls 1 (SOC 1), Type 2 report, published under both the SSAE 16 and the ISAE 3402 professional standards as well as a Service Organization Controls 2 (SOC 2) report. In addition, AWS has achieved ISO 27001 certification, and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). In the realm of public sector certifications, AWS has received authorization from the U.S. General Services Administration to operate at the FISMA Moderate level, and is also the platform for applications with Authorities to Operate (ATOs) under the Defense Information Assurance Certification and Accreditation Program (DIACAP). AWS will continue to obtain the appropriate security certifications and conduct audits to demonstrate the security of its infrastructure and services. For more information on risk and compliance activities in the AWS cloud, consult the following: AWS Risk and Compliance White Paper

At our discretion, we link to third party sites on our website. These third party sites have separate and independent privacy policies. We, therefore, have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.

Data Integrity

Sovren will use PII only in ways compatible with the purpose for which it was collected or subsequently authorized by our Customers. Sovren will take reasonable steps to ensure that PII is relevant for its intended use, accurate and complete.


Sovren is committed to ensuring the security of the information it processes and maintains. To prevent unauthorized access or disclosure, maintain data accuracy, and ensure the appropriate use of PII, Sovren, in conjunction with AWS, has put in place appropriate physical, electronic, and managerial procedures, as described in more detail above, to safeguard and secure the PII we process. In addition, Candidate PII that we maintain is only accessible by designated Sovren development employees and is encrypted at rest. Sovren strives to protect the privacy of the PII we process, and inadvertent disclosure is extremely unlikely. In the event of such an inadvertent disclosure, Sovren will take all commercially reasonable steps to limit and remedy the disclosure. However, we cannot guarantee that unauthorized third parties will never be able to defeat those procedures or use PII for improper purposes.


Customers may contact Sovren to access or correct Customer PII, at any time. In its role as a data processor, Sovren normally processes and returns Candidate PII to Customers without it being retained by Sovren. When Sovren collects and maintains Candidate PII, we do so with the permission of our Customer and only for the purposes described herein. If you are a Candidate, and you wish to request access to or correction of the information you provided to a Sovren Customer, please contact the company to which you provided it. Sovren will either delete or correct this information, at the request of its Customers.


Sovren has a Privacy Officer who is responsible for Sovren’s compliance with and enforcement of this Policy. Sovren’s Privacy Officer is available to any of its employees, customers, vendors, business partners, or others who may have questions concerning this Policy or data security practices. Sovren’s Privacy Officer may be contacted by email at or by mail at Sovren Group, Inc., 1107 FM 1431, Suite 205, Marble Falls, TX 78654. If Customers or their users have questions or concerns regarding this statement, the first point of contact is the Privacy Officer.

As part of our participation in the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, we have agreed to jurisdiction by the Federal Trade Commission regarding any claims concerning alleged deceptive practices with regard to our privacy policies or our compliance with the relevant policy. If you have any complaints regarding our compliance with the Frameworks you should first contact us at the addresses provided above. In the event that contacting us does not resolve your complaint, you may file a complaint at and the dispute will be handled pursuant to the following JAMS ADR Rules. As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means.

Any questions, comments or complaints about the data practices (including without limitation, compliance with data privacy principles of notice, choice, onward transfer, access, security, data integrity, or enforcement) of a Sovren Customer who processes data or who provides data to Sovren for training, troubleshooting and/or testing purposes should be directed to that Sovren Customer.

Legal Disclaimer

We may disclose PII when required by law or in the good faith belief that such action is necessary in order to conform to the edicts of the law, comply with legal mandates, enforce the TOS of our websites, or to protect the rights, property, or personal safety of Sovren, its users and the public.

Sovren will give Customers prompt notice of any legal or governmental demand for PII and will reasonably cooperate with Customers in any effort to seek a protective order or otherwise to contest such required disclosure, at Customer’s expense.

Children’s Privacy

Sovren is committed to protecting the privacy needs of children and we encourage parents and guardians to take an active role in their children’s online activities and interests. Sovren does not knowingly collect information from children under the age of 17 and Sovren does not target its website or its products to children under 17. Sovren operates in compliance with COPPA (Children’s Online Privacy Protection Act).