Data Processing Addendum

Last updated: September 23, 2021

This Data Processing Addendum (“DPA”) forms part of the agreement between Customer and its Authorized Affiliates (“Customer”) and Coveo for the subscription to the Hosted Services (collectively, the “Agreement”). This DPA shall become effective concurrently with the Agreement.

This DPA applies to the extent, in the course of providing the Hosted Services, there is Processing of Personal Data by Coveo and a written contract is required between Customer and Coveo under Privacy Laws. The Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

This DPA consists of (i) the main terms and conditions of the DPA (“Main Body”); (ii) the Standard Contractual Clauses (“SCCs”) as further defined below; and (iii) the Appendix to the DPA, including Annexes I and II (collectively, “Appendix”).

1. Definitions. The following terms, when used herein, have the meaning set forth in this Section. Other terms are defined when they are used. All capitalized terms not defined herein shall have the meaning ascribed to them in the Agreement. If applicable, the definitions below include similar terms as defined in Privacy Laws.

1.1. “Authorized Affiliates” means any of Customer's Affiliate(s) which (a) is subject to Privacy Laws and (b) is permitted to use the Hosted Services pursuant to the Agreement between Customer and Coveo.

1.2. “CCPA” means the California Consumer Privacy Act and its implementing regulations.

1.3. “Coveo” means the applicable Coveo entity in accordance with the terms of the Agreement.

1.4. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

1.5. “Privacy Laws” means all applicable data protection and privacy laws and regulations, which may include the GDPR and the CCPA.

1.6. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

1.7. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, also known as the General Data Protection Regulation.

1.8. “Parties” means Customer and Coveo.

1.9. “Personal Data” has the meaning ascribed to it in Privacy Laws where such data is Customer Data.

1.10. “Processing”, and its cognates, mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.11. “Processor” means the entity which Processes Personal Data on behalf of the Controller.

1.12. “SCCs” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj or any successor URL (“EU SCCs”); and (ii) where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).

1.13. “Selling” or its cognates have the meaning ascribed to it in the CCPA.

1.14. “Security Exhibit” means Coveo’s security exhibit.

1.15. “Sub-Processor” means any Processor engaged by Coveo or its Affiliates.

1.16. “UK GDPR” means the GDPR as amended and incorporated into the United Kingdom law pursuant to section 3 of the European Union (Withdrawal) Act of 2018.

2. Processing of Personal Data and Transparency.

2.1. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is a Controller or Processor and Coveo is a Processor or Sub-Processor.

2.2. Customer’s Processing of Personal Data. Customer shall, in its use of the Hosted Services, Process Personal Data in accordance with the requirements of Privacy Laws. For the avoidance of doubt, Customer’s written instructions for the Processing of Personal Data shall comply with Privacy Laws. Customer warrants that it has and will continue to have the right to transfer or provide access to Personal Data to Coveo for Processing in accordance with the terms of the Agreement and this DPA.

2.3. Coveo’s Processing of Personal Data. Coveo shall Process Personal Data only on behalf of and in accordance with the lawful documented instructions of Customer. For the purposes of this Section, Customer instructs Coveo to Process Personal Data in accordance with the Agreement and the applicable Order(s). Any additional lawful instruction from Customer shall be discussed in good faith between the Parties.

2.4. CCPA. Coveo is specifically prohibited from: (a) Selling Personal Data; (b) retaining, using, or disclosing Personal Data for any purpose other than for the specific purpose of performing the Hosted Services under the Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Hosted Services specified in the Agreement or as otherwise permitted by the CCPA; and (c) retaining, using, or disclosing Personal Data outside of the direct business relationship between Customer and Coveo. Coveo understands the restrictions set forth in this Section and certifies that it will comply with them.

2.5. Transparency. If a Party is required by Privacy Laws to share a copy of this DPA to a supervisory authority or a Data Subject, the Party shall deploy reasonable efforts to redact any confidential information of the Parties prior to sharing a copy of this DPA.

3. Rights of Data Subjects. Coveo shall, to the extent legally permitted, promptly notify Customer if Coveo receives a request from a Data Subject (“Data Subject Request”). Coveo shall not respond to a Data Subject Request without Customer’s prior written consent, except to the extent required by Privacy Laws. Upon reception of Customer’s notice, Coveo shall, taking into account the nature of the processing and insofar as this is possible, provide assistance to Customer in the fulfilment of its obligation to respond to a Data Subject Request as set forth in Annex II.

4. Coveo Personnel.

4.1. Confidentiality. Coveo shall ensure that its personnel and agents (“Personnel”) engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received training regarding information security and privacy, and have executed written confidentiality agreements. Coveo shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4.2. Reliability. Coveo shall take commercially reasonable efforts to ensure that all Personnel who will have access to Personal Data are reliable, as described in Annex II.

4.3. Limitation of Access. Coveo shall ensure that Coveo’s access to Personal Data is limited to those Personnel performing Hosted Services in accordance with the Agreement and on a need-to-know basis.

5. Sub-Processors.

5.1. Appointment of Sub-Processors. Customer acknowledges and agrees that Coveo may engage Coveo’s current Sub-Processors listed at https://www.coveo.com/en/pages/sub-processors or such successor URL designated by Coveo in accordance with this DPA and the Agreement and subject to the following requirements:

5.1.1. Coveo must carry out a due diligence to ensure that each Sub-Processor is capable of providing the level of protection for Personal Data required by the Agreement and this DPA.

5.1.2. Coveo shall specifically inform Customer of additions or replacements of Sub-Processors by notifying the contact identified in the Order, thereby giving Customer the opportunity to object to such changes on data protection grounds by notifying Coveo in writing within ten (10) days of the receipt of Coveo’s notification. Coveo will also make available at https://www.coveo.com/en/pages/sub-processors, or such successor URL designated by Coveo, a mechanism for Customer to subscribe to notifications regarding the addition or replacement of any Sub-Processor. In the event Customer objects to a new Sub-Processor, Coveo shall use reasonable efforts to avoid Processing of Personal Data by the objected-to Sub-Processor and work with Customer in order to achieve resolution. If Customer can reasonably demonstrate that the new Sub-Processor is unable to Process Personal Data in compliance with the terms of this DPA and Coveo cannot provide an alternative Sub-Processor, or if the Parties are otherwise not able to achieve resolution, Customer may, as its sole and exclusive remedy, terminate without penalty the applicable Order(s) with respect only to those Hosted Services which cannot be provided by Coveo without the use of the objected-to new Sub-Processor.

5.1.3. Coveo must ensure that the arrangement between Coveo and the relevant Sub-Processor is governed by a written contract including the data protection terms required under Privacy Laws.

5.2. Emergency Replacement. Coveo may replace a Sub-Processor if such replacement is urgent, necessary to continue providing the Hosted Services and beyond Coveo’s reasonable control. In the event of an emergency replacement, Coveo will notify Customer as soon as reasonably practicable and Customer shall retain the right to object to such replacement in accordance with Section 5.1.2.

5.3. Liability. Coveo shall be liable for the data protection obligations of its Sub-Processors to the same extent Coveo would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.

6. Security.

6.1. Controls for the Protection of Personal Data. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the Processing, Coveo maintains appropriate technical and organizational measures for the protection of the security, confidentiality, availability and integrity of Personal Data, as set forth in Annex II. Coveo regularly monitors its compliance with the Security Exhibit to ensure the effective implementation of these technical and organizational measures. Coveo will not materially decrease the overall security of the Hosted Services during the term of the Agreement.

6.2. Review of the Documentation. Coveo reviews and updates its information security program at least annually or whenever there is a material change in Coveo’s practices that affects the security, confidentiality, availability, or integrity of Personal Data.

6.3. Risk Assessments. Coveo conducts routine risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, availability, and integrity of electronic, paper, and other systems containing Personal Data and evaluate and improve, where necessary, the effectiveness of its technical and organizational measures for limiting those internal and external risks.

6.4. Access to Personal Data. Access rights to Personal Data by Personnel are approved by Coveo (applying, among other controls, least privilege and segregation of duties). Access rights are audited and reviewed on a regular basis. Coveo maintains an up-to-date record of the security privileges of individuals having access to Personal Data.

6.5. Certifications and Security Audits.

6.5.1. Upon Customer’s written request, and subject to the confidentiality obligations set forth in the Agreement, Coveo shall make available to Customer a copy of Coveo’s then most recent audit report performed by an independent third-party auditor.

6.5.2. Customer may audit Coveo in accordance with Annex II to control Coveo’s compliance with this DPA and Privacy Laws.

6.6. Disaster Recovery and Business Continuity.

6.6.1. Coveo has up-to-date disaster recovery and business continuity plans (the “Plans”). Coveo will provide a copy of its Plans upon Customer’s request.

6.6.2. The Plans are tested periodically, or when changes make it necessary. Tests are documented and any findings and lessons learned during tests will be used for continuous improvement of the Plans.

7. Personal Data Incident Management and Notification. Coveo maintains a written security incident response plan and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (“Personal Data Breach”). Coveo shall deploy appropriate measures to address the Personal Data Breach.

8. Storage, Return and Deletion of Personal Data.

8.1. Customer may specify in the Order the Coveo region(s) where Personal Data will be hosted (“Region”). Once Customer has selected a Region, Coveo will not Process Personal Data from outside the Region except to provide the Hosted Services, or as necessary to comply with applicable laws.

8.2. Coveo shall delete Personal Data and, upon Customer’s request, return Analytics Data in accordance with the procedures and timeframes specified in the “Data Retention” Section of the Agreement.

9. Data Transfers

9.1. Transfers from the European Economic Area (“EEA”). To the extent required under Privacy Laws, the EU SCCs will apply to the transfer of Personal Data from the EEA, and each Party will be deemed to have entered into the EU SCCs by entering into this DPA.

9.1.1. Applicable Modules. Modules Two and Four will apply where Customer is acting as a Controller and Coveo is acting as a Processor; Module Three will apply where Customer and Coveo are both acting as Processors.

9.1.2. Docking clause. Clause 7 of the EU SCCs will apply.

9.1.3. Sub-Processing. Clause 9(a), option 2 of the EU SCCs applies, with the time period set out in Section 5.1.2 of this DPA.

9.1.4. Liability. Regarding Clause 12 of the EU SCCs, the Parties hereby acknowledge that any direct claims brought under the SCCs shall be subject to any applicable aggregate limitations on liability set out in the Agreement. Nothing in this DPA shall be construed as a limitation or exclusion of a Party’s liability toward a Data Subject for a breach of the SCCs.

9.1.5. Governing Law. Regarding Clause 17 of the EU SCCs, when Modules Two or Three apply, option 2 is chosen (with the laws of the Netherlands to apply if the data exporter’s Member State does not allow for third-party beneficiary rights) and when Module Four applies, the law of the Netherlands will apply.

9.1.6. Choice of Forum and Jurisdiction. Regarding Clause 18(b) of the SCCs, when Modules Two or Three apply, disputes will be resolved before the courts of the jurisdiction governing the Agreement between the Parties or, if that jurisdiction is not an EU Member State, the courts of the Netherlands; when Module Four applies, disputes will be resolved before the courts of the Netherlands.

9.1.7. Appendix. Annexes I and II of the EU SCCs will be deemed completed with the information set out in the Appendix to this DPA.

9.2. Transfers from the United Kingdom (“UK”). To the extent required under Privacy Laws, the UK SCCs will apply to the transfer of Personal Data from the UK to a third country, and each Party will be deemed to have entered into the UK SCCs by entering into this DPA.

9.2.1. When and if lawfully permitted, the Parties will rely on the EU SCCs for transfers of Personal Data from the UK subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” or any other valid personal data transfer mechanism issued pursuant to Privacy Laws (“UK Addendum”). The UK Addendum will be deemed executed between the Parties and the EU SCCs will be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data. Upon either Party’s reasonable request, the Parties will negotiate in good faith to amend the UK Addendum in accordance with Privacy Laws.

9.2.2. If Section 9.2.1 does not apply, the Parties will cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by Privacy Laws.

9.3. The Main Body sets out the Parties’ interpretation of their respective rights and obligations under the SCCs. If the SCCs are not applicable, the Main Body and the Appendix shall survive.

10. Compliance with Privacy Laws.

10.1. General Compliance. Coveo shall Process Personal Data in accordance with Privacy Laws directly applicable to Coveo's provision of the Hosted Services.

10.2. Assessments. To the extent required by Privacy Laws and upon Customer’s written request, Coveo shall reasonably assist Customer to carry out a Data Protection Impact Assessment and provide Customer with a Transfer Impact Assessment (“TIA”) where required under the SCCs.

10.3. Data Protection Officer. Coveo has appointed a data protection officer that can be reached at coveoprivacy@coveo.com.

11. Miscellaneous Terms.

11.1. Parties. By entering into the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under Privacy Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Coveo Processes Personal Data for which such Authorized Affiliates qualify as the Controller.

11.2. Changes to the DPA. If any variation to this DPA is required as a result of a change in Privacy Laws, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA to address such changes.

11.3. Updates to the DPA. Coveo may modify the terms herein from time to time by posting a revised version on the Coveo website. The modified terms will become effective upon posting.

11.4. Conflict. In the event of any conflict or discrepancy between this DPA and the Agreement, this DPA shall prevail.

11.5. Survival. Coveo’s obligations under this DPA will survive expiration or termination of the Agreement and completion of the Hosted Services as long as Coveo Processes Personal Data.

11.6. Notices. To be deemed duly received, any notice or request from Customer to Coveo pursuant to this DPA shall be sent by e-mail to coveoprivacy@coveo.com.


Appendix to the DPA

ANNEX I – DESCRIPTION OF THE TRANSFER

A. LIST OF PARTIES

Name:

As set out in the Order.

Address:

As set out in the Order.

Contact person’s name, position and contact details:

As set out in the Order.

Activities relevant to the data transferred under this DPA and SCCs:

Use of the Hosted Services pursuant to the Agreement.

Signature and date:

This Annex I will be deemed executed upon execution of the DPA.

Role (controller/processor):

As determined by Privacy Laws.

Role (exporter/importer):

Customer acts as a data exporter when submitting Personal Data to the Hosted Services.

Customer acts as a data importer when receiving Personal Data.

Name:

Coveo

Address:

As set out in the Order.

Contact person’s name, position and contact details:

Pierre-Alexis Tremblay, Data Protection Officer
coveoprivacy@coveo.com

Activities relevant to the data transferred under this DPA and SCCs:

Processing necessary to provide and improve the Hosted Services, pursuant to the Agreement.

Signature and date:

This Annex I will be deemed executed upon execution of the DPA.

Role (controller/processor):

Processor (or Sub-Processor).

Role (exporter/importer):

Coveo acts as a data exporter when transferring Personal Data to Customer.

Coveo acts as a data importer when Customer submits Personal Data to the Hosted Services.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Personal Data may be transferred for the following purposes:

  • Customer may submit Personal Data to the Hosted Services, the extent of which is determined and controlled by Customer in its sole discretion, or
  • Transfer of Personal Data from Coveo to Customer.

The Personal Data transferred may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Customer’s Users. Users may include, for example, Customer’s Affiliates, employees, consultants, contractors, agents and website users, as applicable.
  • Employees, agents, advisors, freelancers of Customer (who are natural persons).
  • Prospects, customers, business partners and vendors of Customer (who are natural persons).
  • Employees or contact persons of Customer’s prospects, Customer’s customers, Customer’s business partners and Customer’s vendors.
  • Any individual whose Personal Data is processed.

Categories of personal data transferred

Personal Data may be transferred for the following purposes:

  • Customer may submit Personal Data to the Hosted Services, the extent of which is determined and controlled by Customer in its sole discretion, or
  • Transfer of Personal Data from Coveo to Customer.

The Personal Data transferred may include, but is not limited to the following categories of Personal Data:

  • Identification data (first and last name, title, date of birth, etc.)
  • Contact information (email, phone, physical address, etc.)
  • Professional life data (company, position, employer, employee number, etc.)
  • Personal life data
  • Metadata (IP address, usage data, cookie ID, geolocation data, etc.)

Sensitive data transferred (if applicable)

The Personal Data transferred concern the following special categories of data: Subject to any applicable restrictions and/or conditions in the Agreement, Customer may include “special categories of personal data” (as defined in the GDPR) in Personal Data, the extent of which is determined and controlled by the Customer in its sole discretion.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The Personal Data will be transferred on a continuous basis.

Nature of the processing

Collection, recording, organization, structuring, storage, adaptation, consultation, use, disclosure and transfer of Personal Data.

Purpose(s) of the data transfer and further processing

Coveo will only process Personal Data in the course of providing or improving the Hosted Services, as specified in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be retained within the period set forth in the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Sub-Processors will process Personal Data in accordance with the Controller’s instructions. In particular:

- The processing involves collection, recording, organization, structuring, storage, adaptation, consultation, use, disclosure and transfer of Personal Data.

- Personal Data will be retained within the period set forth in the DPA.

C. COMPETENT SUPERVISORY AUTHORITY

Competent supervisory authority/ies to be identified by Customer in accordance with Clause 13.


ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Coveo maintains administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data. Those security measures are described in the Security Exhibit made available by Coveo upon request from Customer.