
Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement between Customer and its Authorized Affiliates (“Customer”) and Coveo for the subscription to the Hosted Services (collectively, the “Agreement”). This DPA shall become effective concurrently with the Agreement.

This DPA applies to the extent, in the course of providing the Services, there is Processing of Personal Data by Coveo and a written contract is required between Customer and Coveo under Privacy Laws. The Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

This DPA consists of (i) the main terms and conditions of the DPA (“Main Body”); (ii) the Standard Contractual Clauses (“SCCs”) as further defined below; and (iii) the Appendix to the DPA, including Annexes I and II (collectively, “Appendix”).

1. Definitions. The following terms, when used herein, have the meaning set forth in this Section. Other terms are defined when they are used. All capitalized terms not defined herein shall have the meaning ascribed to them in the Agreement. If applicable, the definitions below include similar terms as defined in Privacy Laws.

1.1. “Application Usage Data” means usage and operation data in connection with Customer’s admin users’ use and configuration of the Hosted Services, including query logs and meta data about Customer’s instance of the Hosted Services.

1.2. “Authorized Affiliates” means any of Customer's Affiliate(s) which (a) is subject to Privacy Laws and (b) is permitted to use the Hosted Services pursuant to the Agreement.

1.3. “CCPA” means the California Consumer Privacy Act and its implementing regulations.

1.4. “Coveo” means the applicable Coveo entity in accordance with the terms of the Agreement.

1.5. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data. 

1.6. “Customer Data” means data that is submitted to the Hosted Services by or on behalf of Customer, including information which reflects the use of the Hosted Services by Customer’s end-users and specifically excludes Application Usage Data.     

1.7. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

1.8. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data also known as the General Data Protection Regulations.

1.9. “Hosted Services” means the cloud-based solution made available to end-users by Coveo under the Agreement and each applicable Order.

1.10. “Parties” means Customer and Coveo.

1.11. “Personal Data” has the meaning ascribed to it in Privacy Laws where such data is Customer Data.

1.12. “Privacy Laws” means all applicable data protection and privacy laws and regulations, which may include the GDPR and the CCPA. 

1.13. “Processing”, and its cognates, mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.14. “Processor” means the entity which Processes Personal Data on behalf of the Controller.

1.15. “Services” means the Hosted Services, support, maintenance, consulting, configuration and other professional services provided by Coveo to Customer.

1.16. “SCCs” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj or any successor URL (“EU SCCs”); and (ii) where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).

1.17. “Security Exhibit” means the Coveo Security Exhibit for the applicable Hosted Services made available to Customer upon request. 

1.18. “Selling” or its cognates have the meaning ascribed to it in the CCPA. 

1.19. “Sub-Processor” means any Processor engaged by Coveo or its Affiliates.

1.20. “UK GDPR” means the GDPR as amended and incorporated into the United Kingdom law pursuant to section 3 of the European Union (Withdrawal) Act of 2018.

2. Processing of Personal Data and Transparency.

2.1. Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is a Controller or Processor and Coveo is a Processor.

2.2. Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Privacy Laws, including any applicable requirement to obtain consents from Data Subjects and to provide notice to Data Subjects regarding Coveo’s Processing of Personal Data. For the avoidance of doubt, Customer’s written instructions for the Processing of Personal Data shall comply with Privacy Laws. Customer warrants that it has and will continue to have the right to transfer or provide access to Personal Data to Coveo for Processing in accordance with the terms of the Agreement and this DPA.

2.3. Coveo’s Processing of Personal Data. Coveo shall Process Personal Data only on behalf of and in accordance with the documented instructions of Customer as documented in the Agreement and this DPA. Where Customer determines the purposes  and means of the processing, Customer instructs Coveo to Process Personal Data for the following purposes: (i) the provision of the Services in accordance with the Agreement and the applicable Order(s); (ii) the processing initiated by Customer’s use and configuration of the Services; and (iii) the ongoing improvement of the Services. Any additional lawful instruction from Customer shall be discussed in good faith between the Parties and agreed to in writing. 

2.4. CCPA. Coveo is specifically prohibited from: (a) Selling Personal Data; (b) retaining, using, or disclosing Personal Data for any purpose other than for the specific purpose of performing the Services under the Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services specified in the Agreement or as otherwise permitted by the CCPA; and (c) retaining, using, disclosing Personal Data outside of the direct business relationship between Customer and Coveo. Coveo understands the restrictions set forth in this Section and certifies that it will comply with it.

2.5. Transparency. If a Party is required by Privacy Laws to share a copy of this DPA to a supervisory authority or a Data Subject, the Party shall deploy reasonable efforts to redact any confidential information of the Parties prior to sharing a copy of this DPA.

3. Rights of Data Subjects. Coveo shall, to the extent legally permitted, promptly notify Customer if Coveo receives a request from a Data Subject (“Data Subject Request”). Customer shall be primarily responsible for the management of Data Subject Requests related to Personal Data. Coveo shall not respond to a Data Subject Request without Customer’s prior written consent, except to the extent required by Privacy Laws. Upon reception of Customer’s notice, Coveo shall, taking into account the nature of the processing and insofar as this is possible, provide assistance to Customer in the fulfilment of its obligation to respond to a Data Subject Request as set forth in Annex II.

4. Coveo Personnel.

4.1. Confidentiality. Coveo shall ensure that its personnel and agents (“Personnel”) engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received training regarding information security and privacy, and have executed written confidentiality agreements. Coveo shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4.2. Reliability. Coveo shall take commercially reasonable efforts to ensure that all Personnel who will have access to Personal Data are reliable, as described in Annex II.

4.3. Limitation of Access. Coveo shall ensure that Coveo’s access to Personal Data is limited to those Personnel performing Services in accordance with the Agreement and on a need-to-know basis.

5. Sub-Processors.

5.1. Appointment of Sub-Processors. Customer acknowledges and agrees that Coveo and its Affiliates may, in accordance with this DPA and the Agreement, engage Sub-Processors to Process Personal Data subject to the following requirements:

5.1.1. Coveo will ensure that each Sub-Processor is capable of providing an adequate level of protection for Personal Data required.

5.1.2. Customer consents to the Sub-processors identified on https://www.coveo.com/en/pages/sub-processors or a successor URL designated by Coveo (“Sub-Processor Page”). Coveo shall inform Customer of additions or replacements of Sub-Processors by notifying Customer’s contacts who have subscribed to notifications through the Sub-Processor Page or who have been identified in the Order, thereby giving Customer the opportunity to object to such changes on data protection grounds by notifying Coveo in writing within ten (10) days of the receipt of Coveo’s notification. In the event Customer objects to a new Sub-Processor, Coveo shall use reasonable efforts to avoid Processing of Personal Data by the objected Sub-Processor and work with Customer in order to achieve resolution. If Customer can reasonably demonstrate that the new Sub-Processor is unable to Process Personal Data in compliance with the terms of this DPA and Coveo cannot provide an alternative Sub-Processor, or if the Parties are otherwise not able to achieve resolution, Customer may, as its sole and exclusive remedy, terminate without penalty only the portion of the Services which cannot be provided by Coveo without the use of the objected-to Sub-processor.

5.1.3. Coveo must ensure that the arrangement between Coveo and the relevant Sub-Processor is governed by a written contract including the data protection terms required under Privacy Laws.

5.2. Emergency Replacement. Coveo may replace a Sub-Processor if such replacement is urgent, necessary to continue providing the Services and beyond Coveo’s reasonable control. In the event of an emergency replacement, Coveo will notify Customer as soon as reasonably practicable and Customer shall retain the right to object to such replacement in accordance with Section 5.1.2.

5.3. Liability. Coveo shall be liable for the data protection obligations of its Sub-Processors to the same extent Coveo would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.

6. Controls for the Protection of Personal Data.  Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the Processing, Coveo maintains appropriate technical and organizational measures for the protection of the security, confidentiality, availability and integrity of Personal Data, as set forth in Annex II. Coveo regularly monitors its compliance with the Security Exhibit to ensure the effective implementation of these technical and organizational measures. Coveo will not materially decrease the overall security safeguards for Personal Data during the term of the Agreement.

7. Personal Data Incident Management and Notification. Coveo maintains a written security incident response plan and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (“Personal Data Breach”). Coveo shall deploy appropriate measures to address the Personal Data Breach.

8. Storage, Return and Deletion of Personal Data.

8.1. Customer may specify in the Order the selected hosting region(s) for the Hosted Services (“Region”). Once Customer has selected a Region, Coveo will not Process Personal Data from outside the Region except to provide the Services or as necessary to comply with applicable laws.

8.2. Coveo shall delete Personal Data in accordance with the procedures specified in the Security Exhibit. 

9. Data Transfers

9.1. Coveo shall ensure that any transfer of Personal Data by Coveo or Coveo’s Sub-Processors to countries outside the European Economic Area and the United Kingdom shall be performed under the conditions outlined in the GDPR or UK GDPR (as applicable), specifically their Chapter V.

9.2. Transfers from the European Economic Area (“EEA”). To the extent required under Privacy Laws, the EU SCCs will apply to the transfer of Personal Data from the EEA, and each Party will be deemed to have entered into the EU SCCs by entering into this DPA.

9.2.1. Applicable Modules. Module Two will apply where Customer is acting as a Controller and Coveo is acting as a Processor, while Module Three will apply where Customer and Coveo are both acting as Processors.

9.2.2. Docking Clause. Clause 7 of the EU SCCs will apply.

9.2.3. Sub-Processing. Clause 9(a), option 2 of the EU SCCs applies, as per the time period set out in Section 5.1.2 of this DPA.

9.2.4. Redress. Regarding Clause 11, the optional language will not apply.

9.2.5. Liability. Regarding Clause 12 of the EU SCCs, the Parties hereby acknowledge that any direct claims brought under the SCCs shall be subject to any applicable aggregate limitations on liability set out in the Agreement. Nothing in this DPA shall be construed as a limitation or exclusion of a Party’s liability toward a data subject for a breach of the SCCs.

9.2.6. Governing Law. Regarding Clause 17 of the EU SCCs, option 2 is chosen (with the laws of the Netherlands to apply if the data exporter’s Member State does not allow for third-party beneficiary rights).

9.2.7. Choice of Forum and Jurisdiction. Regarding Clause 18(b) of the SCCs, disputes will be resolved before the courts of the jurisdiction governing the Agreement between the Parties or, if that jurisdiction is not an EU Member State, then the courts of the Netherlands.

9.2.8. Appendix. Annexes I and II of the EU SCCs will be deemed completed with the information set out in the Appendix to this DPA.

9.3. Transfers from the United Kingdom (“UK”). To the extent required under Privacy Laws, the UK SCCs will apply to the transfer of Personal Data from the UK to a third country and each Party will be deemed to have entered into the UK SCCs by entering into this DPA.

9.3.1. When and if lawfully permitted, the Parties will rely on the EU SCCs for transfers of Personal Data from the UK subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” or any other valid personal data transfer mechanism issued pursuant to Privacy Laws (“UK Addendum”). The UK Addendum will be deemed executed between the Parties and the EU SCCs will be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data. Upon either Party’s reasonable request, the Parties will negotiate in good faith to amend the UK Addendum in accordance with Privacy Laws.

9.3.2. If neither clause 9.2.1 nor 9.2.2 applies, the Parties will cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by Privacy Laws.

9.4. The Main Body sets out the Parties’ interpretation of their respective rights and obligations under the SCCs. If the SCCs are not applicable, the Main Body and the Appendix shall survive.

10. Compliance with Privacy Laws.

10.1. General Compliance. Coveo shall Process Personal Data in accordance with Privacy Laws directly applicable to Coveo's provision of the Services.

10.2. Assessments. To the extent required by Privacy Laws and upon Customer’s written request, Coveo shall reasonably assist Customer to carry out a Data Protection Impact Assessment and provide Customer with a Transfer Impact Assessment where required under the SCCs.

10.3. Data Protection Officer. Coveo has appointed a data protection officer that can be reached at privacy[at]coveo.com.

11. Miscellaneous Terms.

11.1. Parties. By signing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under Privacy Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Coveo Processes Personal Data for which such Authorized Affiliates qualify as the Controller.

11.2. Updates to the DPA. Coveo may modify the terms herein from time to time by posting a revised version on the Coveo website. The modified terms will become effective upon posting.

11.3. Conflict. In the event of any conflict or discrepancy between this DPA and the Agreement with respect to the subject matter herein, this DPA shall prevail.

11.4. Survival. Coveo’s obligations under this DPA will survive expiration or termination of the Agreement and completion of the Services as long as Coveo Processes Personal Data.

11.5. Notices. To be deemed duly received, any notice or request from Customer to Coveo pursuant to this DPA shall be sent by e-mail to privacy[at]coveo.com.


Appendix to the DPA

ANNEX I – DESCRIPTION OF THE TRANSFER

A. LIST OF PARTIES

 


Data exporter(s):

Name: Customer, as set out in the Agreement.

Address: As set out in the Agreement.

Contact person’s name, position and contact details: As set out in the Agreement.

Activities relevant to the data transferred under this DPA and SCCs: Use of the Services pursuant to the Agreement.

Signature and date: This Annex 1 will be deemed executed upon execution of the DPA.

Role (controller/processor): Controller or Processor as determined by Privacy Laws.


Data importer(s):

Name: Coveo

Address: As set out in the Agreement.

Contact person’s name, position and contact details: Anne Thériault, Data Protection Officer, privacy[at]coveo.com

Activities relevant to the data transferred under this DPA and SCCs: Processing necessary to provide and improve the Services, pursuant to the Agreement.

Signature and date: This Annex 1 will be deemed executed upon execution of the DPA.

Role (controller/processor): Processor (or Sub-Processor) as determined by Privacy Laws.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Customer may submit Personal Data to the Hosted Services, the extent of which is determined and controlled by Customer in its sole discretion and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:

  • Customer’s Users. Users may include, for example, Customer’s Affiliates, employees, consultants, contractors, agents and website users, as applicable.
  • Employees, agents, advisors, freelancers of Customer (who are natural persons).
  • Prospects, customers, business partners and vendors of Customer (who are natural persons).
  • Employees or contact persons of Customer’s prospects, Customer’s customers, Customer’s business partners and Customer’s vendors.
  • Any individual whose Personal Data is processed.

Categories of personal data transferred

Customer may submit Personal Data to the Hosted Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

  • Identification data (first and last name, title, date of birth, etc.)
  • Contact information (email, phone, physical address, etc.)
  • Professional life data (company, position, employer, employee number, etc.)
  • Personal life data
  • Metadata (IP address, usage data, cookie ID, geolocation data, etc.)

Sensitive data transferred (if applicable)

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The Personal Data will be transferred on a continuous basis.

Nature of the processing

Collection, recording, organization, structuring, storage, adaptation, consultation, use, disclosure, transfer of Personal Data.

Purpose(s) of the data transfer and further processing

Coveo will only process Personal Data in the course of providing or improving the Services, as specified in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be retained within the period set forth in the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Sub-Processors will process Personal Data in accordance with the Controller’s instructions. In particular:

  • The processing involves Collection, recording, organization, structuring, storage, adaptation, consultation, use, disclosure, transfer of Personal Data.
  • Personal Data will be retained within the period set forth in the DPA.

C. COMPETENT SUPERVISORY AUTHORITY

Competent supervisory authority/ies to be identified by Customer in accordance with Clause 13.


ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Coveo maintains administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data. Those security measures are described in the Security Exhibit made available by Coveo upon request from Customer.

 

 
