Privacy Policy
1. Introduction and Purpose
1.1 Commitment to Data Responsibility and Trust
SO Development recognizes that data is a critical asset in the development and deployment of artificial intelligence–driven solutions. The Company is committed to processing data responsibly, ethically, and securely in a manner that supports innovation while respecting privacy, confidentiality, and applicable legal and contractual obligations.
1.2 Purpose of this Policy
This Policy establishes the principles, controls, and operational practices governing how SO Development collects, accesses, processes, annotates, stores, transfers, and protects data across all service offerings. Its purpose is to ensure consistency, transparency, and accountability in all data handling activities, particularly within AI data pipelines and human-in-the-loop workflows.
1.3 Scope
This Policy applies to all employees, contractors, partners, and authorized subprocessors of SO Development who access or process data on behalf of the Company, regardless of geographic location or technical role.
1.4 Regulatory Compliance Commitment
SO Development OÜ is established in the Republic of Estonia and operates in accordance with Estonian law and applicable European Union legislation.
Where personal data is processed, SO Development complies with:
The EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”)
The Estonian Personal Data Protection Act (Isikuandmete kaitse seadus)
Guidance issued by the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), where services involve Protected Health Information (PHI) and a Business Associate relationship exists
Where personal data is processed under GDPR, appropriate technical and organizational measures are implemented in accordance with Article 32 GDPR.
Where SO Development acts as a HIPAA Business Associate, it complies with applicable Administrative, Physical, and Technical Safeguards under the HIPAA Security Rule and relevant provisions of the Privacy Rule pursuant to executed Business Associate Agreements (BAAs).
2. Definitions
For the purposes of this Policy:
Data — Any information processed by SO Development, including raw data, annotated data, derived data, metadata, logs, and outputs.
Client Data — Data provided by clients for the purpose of delivering contracted services.
Annotation — Manual or automated enrichment processes such as labeling, classification, segmentation, transcription, translation, or validation.
Personal Data — Data relating to an identified or identifiable natural person.
Processing — Any operation performed on data, including collection, storage, modification, analysis, disclosure, or deletion.
3. Nature of Services and Processing Context
3.1 AI and Data-Centric Services
SO Development provides data preparation, annotation, validation, quality assurance, and related support services to assist in the development, training, evaluation, and improvement of artificial intelligence and machine learning systems.
Processing activities are performed strictly in accordance with documented client instructions and applicable contractual agreements. The Company does not expand processing beyond what is necessary to fulfill defined service requirements.
Activities may include reviewing, labeling, structuring, categorizing, or analyzing data solely to support client-directed AI workflows. Data is never processed for unrelated commercial exploitation, resale, or independent secondary use.
All services are delivered within defined operational parameters supported by safeguards appropriate to the nature and sensitivity of the data involved.
3.2 Role of SO Development
In most engagements, SO Development acts as a data processor or service provider on behalf of its clients.
In this capacity:
Client Data is processed only on documented instructions.
SO Development does not independently determine the original purpose or lawful basis for data collection.
Client Data is not used for independent business purposes.
Clients retain responsibility as data controllers for determining the purposes and means of processing and ensuring compliance with applicable data protection laws.
Where a different role applies, it will be explicitly defined in the relevant contractual documentation.
Personnel authorized to process Personal Data are bound by confidentiality obligations in accordance with Articles 28 and 29 GDPR.
4. Categories of Data Processed
Depending on project requirements, SO Development may process:
Textual, visual, audio, video, sensor, or multimodal datasets
Annotated and labeled datasets with associated metadata
Quality control outputs and validation artifacts
Operational and technical data such as logs and workflow metrics
Limited Personal Data incidentally contained within authorized datasets
Aggregated, anonymized, or pseudonymized data for internal analysis
SO Development does not intentionally process special categories of personal data under Article 9 GDPR unless explicitly required, contractually authorized, and supported by an appropriate lawful basis determined by the data controller.
5. Purpose Limitation and Lawful Processing
Data is processed solely for:
Annotation, labeling, enrichment, and validation
AI model training, testing, evaluation, and benchmarking
Quality assurance and performance measurement
Operational monitoring and compliance
Fulfillment of contractual and legal obligations
Data is not used for independent commercial purposes, advertising, resale, or processing beyond the agreed scope.
Ownership and intellectual property rights relating to outputs are governed by applicable contractual agreements. Personnel retain no ownership or reuse rights in such outputs.
6. Data Minimization and Proportionality
SO Development limits data access and processing to what is strictly necessary for service delivery.
Access is role-based and governed by the principle of least privilege. Processing scope is determined according to service requirements, data sensitivity, and assessed risk levels.
Where feasible, datasets are filtered, anonymized, or pseudonymized to reduce identifiability and mitigate re-identification risks.
These practices reflect the principles of data minimization and purpose limitation under Article 5(1)(b) and (c) GDPR.
7. Access Control and Workforce Obligations
Access to data is restricted to authorized personnel with a legitimate business need and enforced through role-based access controls and segregation of duties.
All personnel must sign confidentiality and data protection agreements prior to accessing systems or data.
Personnel handling Personal Data or PHI receive role-appropriate training, including GDPR and HIPAA requirements where applicable.
Non-compliance may result in disciplinary action, termination of access, contractual penalties, or legal action.
All information accessed through SO Development systems is presumed confidential unless explicitly designated otherwise.
8. Human-in-the-Loop Oversight
SO Development maintains structured human review processes to ensure accuracy, consistency, and quality of outputs.
Oversight mechanisms may include:
Multi-layer quality checks and review hierarchies
Peer review processes
Escalation protocols for sensitive or ambiguous cases
Periodic sampling and performance monitoring
Deliverables may undergo validation prior to submission to ensure alignment with project specifications and contractual requirements.
9. Subprocessors and Third Parties
SO Development does not engage subprocessors for core data processing activities unless contractually agreed.
Processing is conducted internally by authorized personnel operating under direct supervision and control.
Personal data is not sold, rented, or disclosed to third parties for unrelated purposes.
Where disclosure is legally required, it will be limited to what is necessary and, where permitted, the client will be informed without undue delay.
10. Data Storage, Retention, and Deletion
Data is stored in controlled environments appropriate to its classification and sensitivity.
Retention periods are determined by:
Contractual obligations
Legal or regulatory requirements
Legitimate operational necessity
Upon completion of services or valid instruction, data is securely deleted, returned, or irreversibly anonymized unless retention is legally required.
Access rights are revoked immediately upon termination of employment or engagement, and all company or client data must be permanently deleted from local systems.
Retention practices align with Article 5(1)(e) GDPR.
11. Information Security Measures
SO Development implements technical and organizational safeguards including:
Authentication and access controls
Secure transmission and storage
Environment segregation and logging
Incident detection and response procedures
Periodic internal security reviews
11.1 Additional Technical Safeguards
Where appropriate:
Encryption in transit (TLS)
Encryption at rest where supported
Multi-factor authentication for privileged access
Periodic access reviews
Secure credential management
Segregation of production and testing environments
Security controls are continuously evaluated and improved.
11.2 Incident Response and Notification
Documented incident response procedures are maintained to detect, contain, investigate, and remediate security incidents.
Confirmed personal data breaches affecting Client Data are reported without undue delay in accordance with Article 33 GDPR and contractual obligations. HIPAA breaches are handled under applicable HIPAA notification requirements.
11.3 Prohibited Conduct
Unauthorized downloading, copying, screen capturing, external storage, or reuse of datasets is strictly prohibited and may result in legal action.
12. Cross-Border Data Processing
Where data is transferred internationally, SO Development implements safeguards consistent with applicable data protection laws, including:
Standard Contractual Clauses (SCCs)
Adequacy decisions
Contractual transfer protections
Technical and organizational safeguards
Transfers outside the European Economic Area comply with Chapter V GDPR.
13. Client Responsibilities
Clients are responsible for ensuring that data shared with SO Development has been lawfully collected and may be legally processed.
This includes:
Establishing a lawful basis for processing
Providing required privacy notices
Ensuring data accuracy and relevance
Confirming lawful international transfers
Clients remain accountable as data controllers.
14. Data Subject Rights
Under applicable law, data subjects may have rights including:
Access
Rectification
Erasure
Restriction of processing
Objection
Data portability
Requests should be directed to the relevant data controller. SO Development provides reasonable assistance to clients in fulfilling these obligations under Articles 12–22 GDPR.
Where PHI is processed, SO Development supports covered entities in responding to HIPAA Privacy Rule rights requests.
15. Governance, Accountability, and Compliance
SO Development maintains governance structures overseeing data protection, security, and regulatory compliance.
Responsibilities are assigned to designated personnel, and processing practices are periodically reviewed to align with evolving legal and industry standards.
Governance Framework Includes
Defined reporting lines and accountability structures
Periodic management reviews
Risk assessments and corrective actions
Documented authorization and access controls
Controlled technical processing environments
Failure to comply with this Policy may result in disciplinary action, contract termination, financial liability, or legal proceedings.
SO Development is committed to continuous improvement through ongoing monitoring, policy updates, and workforce training.
16. Policy Review and Updates
This Policy is reviewed periodically and updated as necessary. Continued engagement with SO Development constitutes acknowledgment of the current version.
Where required, Data Processing Agreements (DPAs) and Non-Disclosure Agreements (NDAs) are executed with clients.
Contact Information
If you have questions about this Privacy Policy, please contact:
Email: info@so-development.org
Website: https://so-development.org/request-a-quote/