This Data Processing Addendum (“DPA”) forms part of the agreement between Customer and its Authorized Affiliates (“Customer”) and Coveo for the subscription to the Hosted Services (collectively, the “Agreement”). This DPA shall become effective concurrently with the Agreement.
This DPA applies to the extent, in the course of providing the Services, there is Processing of Personal Data by Coveo and a written contract is required between Customer and Coveo under Privacy Laws. The Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
This DPA consists of (i) the main terms and conditions of the DPA (“Main Body”); (ii) the Standard Contractual Clauses (“SCCs”) as further defined below; and (iii) the Appendix to the DPA, including Annexes I and II (collectively, the “Appendix”).
1. Definitions. The following terms, when used herein, have the meaning set forth in this Section. Other terms are defined when they are used. All capitalized terms not defined herein shall have the meaning ascribed to them in the Agreement. If applicable, the definitions below include similar terms as defined in Privacy Laws.
1.1. “AI Services” means features of the Hosted Services leveraging machine learning and/or artificial intelligence.
1.2. “Application Usage Data” means usage and operation data in connection with Customer’s admin users’ use and configuration of the Hosted Services, including query logs and metadata about Customer’s instance of the Hosted Services.
1.3. “Authorized Affiliates” means any of Customer’s Affiliate(s) which (a) is subject to Privacy Laws and (b) is permitted to use the Hosted Services pursuant to the Agreement.
1.4. “CCPA” means the California Consumer Privacy Act and its implementing regulations, including the California Privacy Rights Act (“CPRA”).
1.5. “Coveo” means the applicable Coveo entity in accordance with the terms of the Agreement.
1.6. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.7. “Customer Data” means data that is submitted to the Hosted Services by or on behalf of Customer, including information which reflects the use of the Hosted Services by Customer’s end-users, and specifically excludes Application Usage Data.
1.8. “Data Privacy Framework” means the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework and the Swiss-US Data Privacy Framework of July 10, 2023, developed by the US Department of Commerce and the European Commission, the UK Government, and the Swiss Federal Administration.
1.9. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
1.10. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, also known as the General Data Protection Regulation.
1.11. “Hosted Services” means the cloud-based solutions (including AI Services) made available to end-users by Coveo under the Agreement and each applicable Order.
1.12. “Parties” means Customer and Coveo.
1.13. “Personal Data” has the meaning ascribed to it in Privacy Laws where such data is Customer Data.
1.14. “Privacy Laws” means all applicable data protection and privacy laws and regulations, which may include the GDPR and the CCPA.
1.15. “Processing”, and its cognates, mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.16. “Processor” means the entity which Processes Personal Data on behalf of the Controller.
1.17. “Services” means the Hosted Services (including AI Services), support, maintenance, consulting, configuration and other professional services provided by Coveo to Customer.
1.18. “SCCs” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj or any successor URL (“EU SCCs”); and (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU SCCs adopted pursuant to or permitted under section 119A(1) of the UK Data Protection Act 2018, currently as set out at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ or any successor URL (“UK Addendum”).
1.19. “Security Exhibit” means the applicable security exhibit made available to Customer upon request.
1.20. “Selling”, or its cognates, has the meaning ascribed to it in the CCPA or in similar Privacy Laws.
1.21. “Sharing”, or its cognates, has the meaning ascribed to it in the CCPA or in similar Privacy Laws.
1.22. “Sub-Processor” means any Processor engaged by Coveo or its Affiliates.
1.23. “UK GDPR” means the GDPR as amended and incorporated into United Kingdom law pursuant to section 3 of the European Union (Withdrawal) Act 2018.
2. Processing of Personal Data and Transparency.
2.1. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is a Controller or Processor and Coveo is a Processor.
2.2. Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Privacy Laws, and shall be responsible for any applicable requirement to obtain consents from Data Subjects and to provide notice to Data Subjects regarding Coveo’s Processing of Personal Data. For the avoidance of doubt, Customer’s written instructions for the Processing of Personal Data shall comply with Privacy Laws. Customer warrants that it has and will continue to have the right to transfer or provide access to Personal Data to Coveo for Processing in accordance with the terms of the Agreement and this DPA.
2.3. Coveo’s Processing of Personal Data. Coveo shall Process Personal Data only on behalf of and in accordance with the documented instructions of Customer as documented in the Agreement and this DPA. Where Customer determines the purposes and means of the processing, Customer instructs Coveo to Process Personal Data for the following purposes: (i) the provision of the Services in accordance with the Agreement and the applicable Order(s); (ii) the processing initiated by Customer’s use and configuration of the Services; and (iii) the ongoing maintenance, testing, validation and development of the Services, to the extent Personal Data is not used to train models that are used by other customers or other third-parties. Any additional lawful instruction from Customer shall be discussed in good faith between the Parties and agreed to in writing.
2.4. CCPA and similar Privacy Laws. Coveo is specifically prohibited from: (a) Selling or Sharing Personal Data; (b) retaining, using, or disclosing Personal Data for any purpose other than the specific purpose of performing the Services under the Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services specified in the Agreement or as otherwise permitted by the CCPA or similar Privacy Laws; (c) retaining, using, or disclosing Personal Data outside of the direct business relationship between Customer and Coveo; and (d) combining Personal Data that Coveo receives from, or on behalf of, Customer with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject, provided that Coveo may combine Personal Data to perform any business purpose as permitted under the CCPA or similar Privacy Laws. Coveo understands the restrictions set forth in this Section and certifies that it will comply with them.
2.5. Transparency. If a Party is required by Privacy Laws to share a copy of this DPA to a supervisory authority or a Data Subject, the Party shall deploy reasonable efforts to redact any confidential information of the Parties prior to sharing a copy of this DPA.
3. Rights of Data Subjects. Coveo shall, to the extent legally permitted, promptly notify Customer if Coveo receives a request from a Data Subject (“Data Subject Request”). Coveo shall not respond to a Data Subject Request without Customer’s prior written consent, except to the extent required by Privacy Laws. Customer shall be primarily responsible for the management of Data Subject Requests related to Personal Data by using the functionalities of the Hosted Services. If Customer is unable to respond to Data Subject Requests by using such functionalities, Coveo shall, upon reception of Customer’s written notice, taking into account the nature of the processing and insofar as this is possible, provide reasonable assistance to Customer in the fulfilment of its obligation to respond to a Data Subject Request. To the extent legally permitted, Customer shall be responsible for any costs arising from Coveo’s provision of such assistance if the time spent on such assistance exceeds four (4) hours.
4. Coveo Personnel.
4.1. Confidentiality. Coveo shall ensure that its personnel and agents (“Personnel”) engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received training regarding information security and privacy, and have executed written confidentiality agreements. Coveo shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.2. Reliability. Coveo shall take commercially reasonable efforts to ensure that all Personnel who will have access to Personal Data are reliable, as described in Annex II.
4.3. Limitation of Access. Coveo shall ensure that Coveo’s access to Personal Data is limited to those Personnel performing Services in accordance with the Agreement and on a need-to-know basis.
5. Sub-Processors.
5.1. Appointment of Sub-Processors. Customer acknowledges and agrees that Coveo and its Affiliates may, in accordance with this DPA and the Agreement, engage Sub-Processors to Process Personal Data subject to the following requirements:
5.1.1. Coveo will ensure that each Sub-Processor can provide the required adequate level of protection for Personal Data.
5.1.2. Customer consents to the use of the Sub-Processors identified on https://www.coveo.com/en/pages/sub-processors or a successor URL designated by Coveo (the “Sub-Processor Page”). Coveo shall inform Customer of additions or replacements of Sub-Processors by notifying Customer’s contacts who have subscribed to notifications through the Sub-Processor Page or who have been identified in the Order, thereby giving Customer the opportunity to object to such changes on data protection grounds by notifying Coveo in writing within ten (10) days of the receipt of Coveo’s notification. In the event Customer objects to a new Sub-Processor, Coveo shall use reasonable efforts to avoid Processing of Personal Data by the objected-to Sub-Processor and work with Customer in order to achieve resolution. If Customer can reasonably demonstrate that the new Sub-Processor is unable to Process Personal Data in compliance with the terms of this DPA and Coveo cannot provide an alternative Sub-Processor, or if the Parties are otherwise not able to achieve resolution, Customer may, as its sole and exclusive remedy, terminate without penalty only the portion of the Services which cannot be provided by Coveo without the use of the objected-to Sub-Processor.
5.1.3. Coveo must ensure that the arrangement between Coveo and the relevant Sub-Processor is governed by a written contract including the data protection terms required under Privacy Laws. Upon request, and where feasible, Coveo will provide its customers with relevant information regarding its applicable Sub-Processors agreements to the extent required to comply with Privacy Laws.
5.2. Emergency Replacement. Notwithstanding the foregoing provisions, Coveo reserves the right to replace a Sub-Processor in accordance with this Section 5.2 if such replacement is urgently necessary to continue providing the Services, due to circumstances beyond Coveo’s reasonable control. In the event of an emergency replacement, Coveo will notify Customer as soon as reasonably practicable and Customer will retain the right to object to such replacement in accordance with Section 5.1.2.
5.3. Liability. Coveo shall be liable for the data protection obligations of its Sub-Processors to the same extent Coveo would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.
6. Controls for the Protection of Personal Data. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the Processing, Coveo maintains appropriate technical and organizational measures for the protection of the security, confidentiality, availability and integrity of Personal Data, as set forth in Annex II. Coveo regularly monitors its compliance with the Security Exhibit to ensure the effective implementation of the technical and organizational measures. Coveo will not materially decrease the overall security safeguards for Personal Data during the term of the Agreement.
7. Personal Data Incident Management and Notification. Coveo maintains a written security incident response plan and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (“Personal Data Breach”). To the extent known, Coveo shall provide information to Customer about the Personal Data Breach, including the nature and likely consequences of the Personal Data Breach, proposed measures to mitigate the Personal Data Breach, the categories of Personal Data affected and a point of contact for additional information. Customer will be solely responsible for fulfilling any third-party notification obligations related to the Personal Data Breach. Coveo will deploy appropriate measures to address the Personal Data Breach. Coveo’s notification will be made to the email address mentioned in the Order for such purpose.
8. Storage, Return and Deletion of Personal Data.
8.1. Customer may specify in the Order the selected hosting region(s) for the Hosted Services (“Region”). Once Customer has selected a Region, Coveo will not Process Personal Data from outside the Region except to provide the Services or as necessary to comply with applicable laws.
8.2. Coveo shall delete Personal Data in accordance with the procedures specified in the Security Exhibit.
9. Audits. Coveo shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA as set forth in the Security Exhibit.
10. Data Transfers.
10.1. Coveo shall ensure that any transfer of Personal Data by Coveo or Coveo’s Sub-Processors to countries outside the European Economic Area and the United Kingdom shall be performed under the conditions outlined in the GDPR or UK GDPR (as applicable), specifically their Chapter V.
10.2. Transfers from the European Economic Area (“EEA”). To the extent required under Privacy Laws, the EU SCCs will apply to the transfer of Personal Data from the EEA or Switzerland, and each Party will be deemed to have entered into the EU SCCs by entering into this DPA. Where a transfer is performed from Switzerland, each reference to “GDPR”, “EU” or “Member States” shall have the same meaning as its equivalent in Swiss Privacy Laws.
10.2.1. Applicable Modules. Module Two will apply where Customer is acting as a Controller and Coveo is acting as a Processor, while Module Three will apply where Customer and Coveo are both acting as Processors.
10.2.2. Docking Clause. Clause 7 of the EU SCCs will apply.
10.2.3. Sub-Processing. Clause 9(a), option 2 of the EU SCCs will apply, as per the time period set out in Section 5.1.2 of this DPA.
10.2.4. Data Subject Rights. Regarding Clause 10 of the EU SCCs, Module Two and Module Three (b), the Parties hereby acknowledge that the measures by which the assistance will be provided are described in Section 3 of this DPA (“Rights of Data Subjects”).
10.2.5. Redress. Regarding Clause 11 of the EU SCCs, the optional language will not apply.
10.2.6. Liability. Regarding Clause 12 of the EU SCCs, the Parties hereby acknowledge that any direct claims brought under the SCCs shall be subject to any applicable aggregate limitations on liability set out in the Agreement. Nothing in this DPA shall be construed as a limitation or exclusion of a Party’s liability toward a data subject for a breach of the SCCs.
10.2.7. Governing Law. Regarding Clause 17 of the EU SCCs, option 2 is chosen (with the laws of the Netherlands to apply if the data exporter’s Member State does not allow for third-party beneficiary rights).
10.2.8. Choice of Forum and Jurisdiction. Regarding Clause 18(b) of the EU SCCs, disputes will be resolved before the courts of the jurisdiction governing the Agreement between the Parties or, if that jurisdiction is not an EU Member State, then the courts of the Netherlands.
10.2.9. Appendix. Annexes I and II of the EU SCCs will be deemed completed with the information set out in the Appendix to this DPA.
10.3. Transfers from the United Kingdom (“UK”). To the extent required under Privacy Laws, the UK Addendum will apply to the transfer of Personal Data from the UK to a third country and each Party will be deemed to have entered into the UK Addendum by entering into this DPA. Information required in Table 1 to Table 3 of the UK Addendum is set out in the Appendix to the DPA. For the purpose of Table 4 of the UK Addendum, either party may end the UK Addendum when it changes as set out in Section 19 of the UK Addendum.
10.4. The Main Body sets out the Parties’ interpretation of their respective rights and obligations under the SCCs. If the SCCs are not applicable, the Main Body and the Appendix shall survive.
10.5. Coveo has certified to the Data Privacy Framework, which will specifically apply to the transfer of Personal Data from the EEA, Switzerland or the UK to the U.S.
11. Compliance with Privacy Laws and Cooperation.
11.1. General Compliance. Coveo shall Process Personal Data in accordance with Privacy Laws directly applicable to Coveo's provision of the Services.
11.2. Cooperation.
11.2.1. Assessments. To the extent required by Privacy Laws and upon Customer’s written request, Coveo shall reasonably assist Customer to carry out a Data Protection Impact Assessment and provide Customer with a Transfer Impact Assessment where required under the SCCs.
11.2.2. Legally Required Disclosure. Coveo will not provide access to nor disclose Personal Data to law enforcement or other public authorities unless required to do so by law. Coveo will notify Customer promptly of any legally binding request for disclosure of Personal Data by a law enforcement authority or any other public authority (“Personal Data Disclosure”), unless such notification is otherwise prohibited. Coveo will reasonably challenge any requests for Personal Data Disclosure that are not, in its opinion, legally binding or lawful.
11.2.3. Government Requests.
a. If Coveo receives a request from a non-EEA government to disclose Personal Data or to assist the non-EEA government in its collection (collectively, "Government Request"), Coveo shall promptly notify Customer in writing thereof, unless such notification is unlawful according to applicable law.
b. If Coveo is prohibited from notifying Customer about the Government Request, Coveo agrees to use its reasonable best efforts to obtain a waiver of the prohibition, to be permitted to communicate as much information about the request and as soon as possible.
c. Coveo agrees to review the legality of the Government Request and to exhaust commercially available remedies to challenge the request if it concludes that there are reasonable grounds under the laws of the country of destination to do so. In such event, Coveo will seek interim measures with a view to suspend the effects of the request until the court has decided on the merits.
d. Coveo agrees to provide the minimum amount of information permissible when responding to a Government Request, based on a reasonable interpretation of the request.
11.3. Data Protection Officer. Coveo has appointed a data protection officer that can be reached at privacy[at]coveo.com.
12. Miscellaneous Terms.
12.1. Parties. By signing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under Privacy Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Coveo Processes Personal Data for which such Authorized Affiliates qualify as the Controller.
12.2. Updates to the DPA. Coveo may modify the terms herein from time to time by posting a revised version on the Coveo website. The modified terms will become effective upon posting.
12.3. Conflict. In the event of any conflict or discrepancy between this DPA and the Agreement with respect to the subject matter herein, this DPA shall prevail.
12.4. Survival. Coveo’s obligations under this DPA will survive expiration or termination of the Agreement and completion of the Services as long as Coveo Processes Personal Data.
12.5. Notices. To be deemed duly received, any notice or request from Customer to Coveo pursuant to this DPA shall be sent by e-mail to privacy[at]coveo.com.
Appendix to the DPA
ANNEX I – DESCRIPTION OF THE TRANSFER
A. LIST OF PARTIES
Data exporter(s):
Name: Customer, as set out in the Agreement.
Address: As set out in the Agreement.
Contact person’s name, position and contact details: As set out in the Agreement.
Activities relevant to the data transferred under this DPA and SCCs: Use of the Services pursuant to the Agreement.
Signature and date: This Annex I will be deemed executed upon execution of the DPA.
Role (controller/processor): Controller or Processor as determined by Privacy Laws.
Data importer(s):
Name: Coveo
Address: As set out in the Agreement.
Contact person’s name, position and contact details: Anne Thériault, Data Protection Officer
Activities relevant to the data transferred under this DPA and SCCs: Processing necessary to provide and improve the Services, pursuant to the Agreement.
Signature and date: This Annex I will be deemed executed upon execution of the DPA.
Role (controller/processor): Processor (or Sub-Processor) as determined by Privacy Laws.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Customer may submit Personal Data to the Hosted Services, the extent of which is determined and controlled by Customer in its sole discretion and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
Categories of personal data transferred: Customer may submit Personal Data to the Hosted Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data: Usage data; Content data; Sensitive data.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): The Personal Data will be transferred on a continuous basis.
Nature of the processing: Collection, recording, organization, structuring, storage, adaptation, consultation, use, disclosure, transfer of Personal Data.
Purpose(s) of the data transfer and further processing: Coveo will only process Personal Data in the course of providing or improving the Services, as specified in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained within the period set forth in the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Sub-Processors will process Personal Data in accordance with the Controller’s instructions. In particular:
C. COMPETENT SUPERVISORY AUTHORITY
Competent supervisory authority/ies to be identified by Customer in accordance with Clause 13.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Coveo maintains administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data. Those security measures are described in the Security Exhibit made available by Coveo upon request from Customer.