Security & Data Practices
Effective date: May 1, 2025
Sova Technologies Inc. takes the security of your data seriously. This document describes the technical and organizational measures we implement to protect Customer Data processed through the Sova platform. It is intended to help customers and prospects make informed decisions about entrusting their data to our platform.
Our security program is designed to align with widely recognized frameworks, including SOC 2 Trust Services Criteria. We are continuously maturing our controls and working toward formal third-party attestation.
1. Data Residency & Hosting
Sova’s primary production infrastructure is hosted in Canada. We use Canadian data centres to ensure that your data remains subject to Canadian privacy law, including PIPEDA, and is not routinely transferred outside Canadian jurisdiction as part of normal platform operations.
Our hosting provider operates redundant facilities with high availability architecture, including geographic failover within Canada. Backups are stored in Canadian regions and are subject to the same security controls as production data.
Where certain ancillary services (such as transactional email or analytics tools) are provided by third parties with infrastructure outside Canada, we ensure appropriate data processing agreements are in place and that data minimization principles are applied — meaning only the data strictly necessary for the service is transferred.
2. Encryption
All data transmitted between your browser or client and the Sova platform is encrypted using TLS 1.2 or higher. We do not support deprecated protocols (TLS 1.0 or 1.1) or weak cipher suites.
Data at rest — including database records, backups, and file storage — is encrypted using AES-256 or equivalent industry-standard encryption. Encryption keys are managed using dedicated key management services with strict access controls and rotation policies.
3. Access Controls
Access to Customer Data within Sova is governed by the principle of least privilege:
- Employee access: Sova employees are granted access to Customer Data only on a need-to-know basis, consistent with their job function. Access is provisioned through our identity management system and requires approval.
- Multi-factor authentication (MFA): MFA is required for all employee access to production systems and administrative tools.
- Role-based access control (RBAC): The platform enforces RBAC at the application layer, ensuring that platform users can only access data and features authorized for their role within their organization.
- Access reviews: We conduct periodic reviews of employee access privileges and promptly revoke access upon offboarding.
- Audit logging: Administrative access to production systems is logged. Logs are retained for a minimum of 12 months and are protected against tampering.
4. Network & Infrastructure Security
- Firewalls and network segmentation: Production systems are isolated from development and corporate networks. Inbound access to internal services is restricted by firewall rules with explicit allow-lists.
- DDoS protection: We use network-level DDoS mitigation to protect platform availability.
- Vulnerability scanning: We run automated vulnerability scans against our infrastructure on a regular schedule and prioritize remediation of identified findings based on severity.
- Dependency management: We monitor third-party software dependencies for known vulnerabilities using automated tooling and apply security patches promptly.
5. Application Security
- Secure development lifecycle: Security requirements are incorporated into our design and development process. Engineers receive training on secure coding practices relevant to our technology stack.
- Code review: All code changes undergo peer review before deployment to production. Security-sensitive changes receive additional scrutiny.
- Penetration testing: We engage qualified third-party security professionals to conduct penetration tests of the platform periodically and following significant architectural changes.
- Input validation and output encoding: The platform applies server-side input validation and output encoding to mitigate common vulnerabilities including injection attacks and cross-site scripting (XSS).
6. Incident Response
Sova maintains a documented incident response plan that governs how we detect, contain, investigate, and recover from security incidents. Key elements include:
- Detection: We use centralized logging, anomaly detection, and alerting to identify potential security events in a timely manner.
- Escalation: Security incidents are escalated to designated response leads with defined roles and responsibilities.
- Customer notification: In the event of a data breach that may affect your personal information, we will notify affected customers in accordance with our obligations under PIPEDA’s breach reporting provisions, including notification to the Office of the Privacy Commissioner of Canada where required. We target notification to affected customers within 72 hours of confirming a qualifying breach.
- Post-incident review: Following any significant incident, we conduct a post-incident review to identify root causes and implement preventive measures.
7. Business Continuity & Disaster Recovery
We maintain business continuity and disaster recovery plans to minimize service disruption in the event of a major failure. Our infrastructure is designed for high availability with redundant components. We take regular automated backups of Customer Data and test restore procedures periodically.
8. Vendor & Supply Chain Security
We evaluate the security practices of third-party service providers before onboarding them and require data processing agreements that bind them to appropriate security and confidentiality obligations. We maintain an inventory of subprocessors and review material changes to their security posture.
9. SOC 2 Alignment
Our security program is designed to align with the Trust Services Criteria published by the AICPA as the basis for SOC 2 reporting — covering Security, Availability, and Confidentiality. We are working toward obtaining a formal SOC 2 Type II report from an independent auditor. We will communicate the outcome of this process to customers when available.
We do not currently hold SOC 2 certification and make no representation of certified compliance at this time.
10. Responsible Disclosure
If you discover a potential security vulnerability in the Sova platform or website, we ask that you report it to us responsibly before making any public disclosure. Please send details to [email protected]. We will acknowledge your report within 3 business days and work with you to understand and address the issue.
We do not take legal action against researchers who report vulnerabilities in good faith and in accordance with this policy.
11. Contact
For questions about our security practices, please contact: [email protected]
