Coveo processes two distinct forms of customer data: index data and analytics data. This article describes those two forms of data, and outlines how customers can meet data privacy and compliance requirements.
Any item that you send to Coveo for unified indexing is part of index data. The Coveo Hosted Services use this data to provide relevant search results and recommendations to your end users.
Index data is a binary deconstruction of your indexed content, compressed using proprietary algorithms, and encrypted at rest using AES-256. Index data can contain an HTML representation of the original content and can contain personal data.
Analytics data is the information reflecting the use of the Hosted Services by the end users of a Coveo-powered solution. It may include, for example, end-user profile, visit, session, impression, click-through, and clickstream data, as well as the statistical analysis made available to you through your account with Coveo. See Usage Analytics Events.
Coveo has appointed a Chief Information Security Officer and a Data Protection Officer to oversee compliance with regulations, such as HIPAA, GDPR, CCPA, and PIPEDA. Coveo is committed to providing services that ease compliance with relevant privacy laws. In this regard, Coveo is designed to allow you to comply with your legal obligations with respect to personal data contained in index data and analytics data.
Customers have full control over the information that resides in their Coveo index. See Manage Sources.
Customers can disable, obfuscate, or encrypt any usage analytics. In other words, it’s possible to anonymize and de-identify personal data contained in analytics data. See Coveo Usage Analytics Disabling in a Search Interface.
Coveo doesn’t keep IP addresses and instead uses a generated unique identifier based on a non-reversible operation (hash) performed on the IP address.
Coveo provides mechanisms to help customers comply with their obligations regarding the personal information collected as analytics data. Furthermore, Coveo makes services such as API endpoints available to help customers respond to requests from data subjects.
See the Compliance section for more information on GDPR and HIPAA.