SOV AI

Dpa

Upload SOV

This document is a starting draft for discussion purposes only and has not yet been reviewed by a licensed attorney; it is not legal advice.

Data Processing Agreement (DRAFT)

This Data Processing Agreement ("DPA") is entered into as of [Effective Date] by and between [Customer Name] ("Customer" or "Controller"), a commercial property & casualty insurance broker or brokerage, and SOVAI Technology LLC ("SOVAI" or "Processor"), provider of the SOV AI service (the "Service") at sovaitech.com. This DPA supplements and is incorporated into the SOV AI Terms of Service (the "Agreement"). In the event of a conflict between this DPA and the Agreement regarding the processing of personal data, this DPA controls.

1. Definitions

  • "Controller" means the entity that determines the purposes and means of processing personal data — here, the Customer.
  • "Processor" means the entity that processes personal data on behalf of the Controller — here, SOVAI.
  • "Customer Data" means all data the Customer or its authorized users upload to or generate within the Service, including Schedules of Values ("SOVs") and related property data. "Customer Personal Data" means any personal data contained within Customer Data or otherwise processed by SOVAI on the Customer's behalf, including account information of the Customer's authorized users.
  • "Processing" means any operation performed on personal data, such as collection, storage, enrichment, verification, disclosure, or deletion.
  • "Data Subject" means an identified or identifiable natural person to whom personal data relates.
  • "Subprocessor" means a third party engaged by SOVAI to process Customer Personal Data in support of the Service.
  • "Applicable Data Protection Laws" means all privacy and data protection laws applicable to the processing of Customer Personal Data under this DPA, which may include U.S. state privacy laws and, where applicable, the EU/UK GDPR.

2. Roles & Scope

The Customer acts as Controller and SOVAI acts as Processor with respect to Customer Personal Data. This DPA applies to SOVAI's processing of Customer Personal Data in connection with the Service, through which the Customer uploads SOVs and related property data, and SOVAI enriches, AI-verifies against public records, and exports carrier-ready submissions. The details of processing are set out in Annex A.

3. Processing on Documented Instructions

SOVAI shall process Customer Personal Data only on the Customer's documented instructions, including as set out in the Agreement, this DPA, and the Customer's use of the Service, unless required otherwise by applicable law (in which case SOVAI will inform the Customer unless legally prohibited). SOVAI shall promptly inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws. All processing is further subject to the ownership and use commitments in Section 4.

4. Ownership & Use of Customer Data

Customer Data belongs to the Customer. SOVAI will never sell Customer Data, and will never use Customer Data to train artificial-intelligence or machine-learning models. SOVAI processes Customer Data only to provide the Service on the Customer's documented instructions. SOVAI's AI subprocessors operate under commercial API terms and do not train their models on Customer Data. This Section 4 applies to all processing under this DPA and survives its termination with respect to any Customer Data retained under Section 10.

5. Confidentiality

SOVAI shall ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations (contractual or statutory) and shall limit access to those who need it to provide the Service.

6. Security Measures

Taking into account the nature of the processing, SOVAI implements and maintains appropriate technical and organizational measures to protect Customer Personal Data, including:

  • Encryption of data in transit via TLS/HTTPS;
  • Encryption of data at rest;
  • Tenant isolation enforced at the application layer through per-organization access controls;
  • Private file storage served only via short-lived signed URLs subject to ownership checks;
  • Access controls limiting staff access to Customer Personal Data.

7. Subprocessors

The Customer provides general authorization for SOVAI to engage the Subprocessors listed in Annex B, each engaged under written terms imposing data protection obligations materially consistent with this DPA. SOVAI's current Subprocessors are:

  • Anthropic — AI document extraction
  • Google — AI verification, geocoding, and analytics
  • Supabase — Database and file storage
  • Stripe — Payment processing
  • Render — Hosting
  • Resend — Transactional email

SOVAI remains responsible for the performance of its Subprocessors. SOVAI will provide the Customer notice of any intended addition or replacement of Subprocessors, and the Customer may object on reasonable data protection grounds; the parties will work in good faith to resolve any objection.

8. Data Subject Requests

Taking into account the nature of the processing, SOVAI shall assist the Customer, by appropriate technical and organizational measures and insofar as reasonably possible, in responding to requests from Data Subjects exercising rights under Applicable Data Protection Laws (e.g., access, correction, deletion). If SOVAI receives such a request directly, it will promptly forward it to the Customer and will not respond except as directed by the Customer or required by law.

9. Personal Data Breach

SOVAI shall notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and shall provide information reasonably available to SOVAI to assist the Customer in meeting its own notification obligations, followed by reasonable cooperation and remediation efforts.

10. Return & Deletion

Upon termination of the Agreement, or upon the Customer's written request, SOVAI shall return or delete Customer Personal Data within thirty (30) days, except for records SOVAI is legally required to retain, which remain subject to this DPA (including Section 4) for as long as they are retained.

11. International Transfers

Where the processing of Customer Personal Data involves a transfer subject to cross-border transfer restrictions under Applicable Data Protection Laws, the parties shall ensure a lawful transfer mechanism is in place, including, where applicable, the Standard Contractual Clauses or equivalent safeguards, which are incorporated by reference as needed.

12. Audits & Information

SOVAI shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and shall respond to the Customer's reasonable written requests and security questionnaires within a reasonable time.

13. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set forth in the Agreement.

14. Term

This DPA takes effect on the Effective Date and remains in force for as long as SOVAI processes Customer Personal Data under the Agreement.

15. Governing Law

This DPA is governed by the laws of the State of [State], without regard to conflict-of-laws principles, except where Applicable Data Protection Laws require otherwise.

16. Contact

Questions or notices regarding this DPA may be directed to SOVAI at admin@sovaitech.com.


Annex A — Details of Processing

  • Subject matter: Processing of Customer Personal Data in connection with the SOV AI Service.
  • Duration: The term of the Agreement, plus the return/deletion period in Section 10.
  • Nature and purpose: Ingestion of SOVs and related property data uploaded by the Customer; enrichment and AI verification against public records; generation and export of carrier-ready submissions; account administration, support, billing, and transactional communications.
  • Types of personal data: (a) Authorized users' account information (names, work email addresses); (b) limited personal data contained in uploaded SOVs and property data, such as names, addresses, and property values relating to property owners or insureds.
  • Categories of data subjects: The Customer's personnel and authorized users; individuals referenced in uploaded SOVs (e.g., property owners or insureds).

Annex B — Subprocessors

  • Anthropic — AI document extraction
  • Google — AI verification, geocoding, and analytics
  • Supabase — Database and file storage
  • Stripe — Payment processing
  • Render — Hosting
  • Resend — Transactional email

[Customer Name] — Signed: ________ Date: ________

SOVAI Technology LLC — Signed: ________ Date: ________

© 2026 SOVAI Technology LLCHome