Coveo processes two distinct forms of customer data: index data and analytics data. This article describes those two forms of data, and outlines how customers can meet data privacy and compliance requirements.
Any item that you send to Coveo Cloud for unified indexing is part of index data. Coveo Cloud uses this data to provide relevant search results and recommendations to your end-users.
Index data is a binary deconstruction of your indexed content, compressed using proprietary algorithms, and encrypted at rest using AES-256. Index data can contain an HTML representation of the original content and can contain personal data.
Analytics Data is the information reflecting the use of the Cloud Services by the end users of a Coveo-powered solution. It includes end-user profile, visit, session, impression, click-through and click stream data, as well as the statistical analysis made available to you through your account with Coveo. See Understanding Usage Analytics Events.
Performance data is information related to use of the products in an aggregated and anonymized form based upon analytics data. Performance data doesn’t reveal the identity or traits of any particular individual person. Coveo uses performance data for its internal business purposes to measure and enhance the functionality and operation of the Coveo Cloud.
Coveo has appointed a Chief Information Security Officer and a Data Protection Officer to oversee compliance with regulations, such as HIPAA, GDPR, CCPA, and PIPEDA. Coveo is committed to providing services that ease compliance with relevant privacy laws. In this regard, the Coveo Cloud Platform is desined to allow you to comply with your legal obligations with respect to personal data contained in index data and analytics data.
Customers have full control over the information that resides in their Coveo index. See Adding and Managing Sources.
Customers can disable, obfuscate, or encrypt any usage analytics. In other words, it’s possible to anonymize and de-identify personal data contained in analytics data. See Can I Disable Coveo Usage Analytics in a Search Interface?
Coveo doesn’t keep IP addresses and instead uses a generated unique identifier based on a non-reversible operation (hash) performed on the IP address.
Coveo provides mechanisms to help customers comply with their obligations with regard to the personal information collected as analytics data. Furthermore, Coveo makes services such as API endpoints available to help customers respond to requests from data subjects.
See the Compliance section for more information on GDPR and HIPAA.