Coupa Success Portal

Data Sanitization

Overview

When a customer asks Coupa to copy their production data to their sandbox or development environment, we sanitize that data for security reasons. This document describes the steps we take in data sanitization.

Sanitization Policies

Coupa sanitizes by replacing the following data fields with random values.

General Information Coupa Sanitizes

  1. Names
  2. All geographical identifiers smaller than a state. According to the current publicly available data from the Bureau of the Census,
    • If the geographic unit formed by combining all zip codes with the same initial three digits contains more than 20,000 people, the initial three digits of the zip code are not changed.
    • If the geographic unit formed by combining all zip codes with the same initial three digits contains 20,000 or fewer people, the initial three digits of a zip code are changed to 000.
  3. Dates (other than year) directly related to an individual
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Advance Shipping Notice information
  13. User-related field attributes
  14. Expense-related field attributes
  15. Invoice-related field attributes
  16. Supplier-related field attributes
  17. Item-related field attributes
  18. Vehicle identifiers and serial numbers, including license plate numbers
  19. Device identifiers and serial numbers
  20. Web Uniform Resource Locators (URLs)
  21. Internet Protocol (IP) address numbers
  22. Biometric identifiers, including finger, retinal and voice prints
  23. Full face photographic images and any comparable images
  24. Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data
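
The ZIP code and date rules in items 2 and 3 can be expressed as a short routine. The following is an added example, not Coupa's code. It assumes a constructed ZIP3 population table, that the trailing ZIP digits are replaced with random digits, that unknown or malformed ZIP codes are treated as small areas, and the function and field names are hypothetical.

```python
import secrets
from datetime import date

# Constructed ZIP3 populations for illustration; real figures come from the
# Census Bureau data the page refers to but does not reproduce.
ZIP3_POPULATION = {"941": 850_000, "036": 12_500, "059": 20_000}
THRESHOLD = 20_000


def _random_digits(n):
    return "".join(secrets.choice("0123456789") for _ in range(n))


def sanitize_zip(zip_code, populations=ZIP3_POPULATION):
    """Keep the first three digits only if that ZIP3 area holds more than 20,000 people."""
    digits = "".join(c for c in zip_code if c.isdigit())
    if len(digits) < 5:
        return "000" + _random_digits(2)  # malformed input: fail closed (assumption)
    prefix = digits[:3]
    # Prefixes missing from the table count as small areas (assumption).
    keep = populations.get(prefix, 0) > THRESHOLD
    # Assumption: the trailing two digits are replaced with random digits.
    return (prefix if keep else "000") + _random_digits(2)


def sanitize_date(d):
    """Keep the year; replace month and day with random valid values."""
    month = secrets.randbelow(12) + 1
    day = secrets.randbelow(28) + 1  # days 1..28 exist in every month
    return date(d.year, month, day)


def sanitize_record(record):
    """Sanitize a record with hypothetical zip, birth_date, email and phone fields."""
    out = dict(record)
    out["zip"] = sanitize_zip(record["zip"])
    out["birth_date"] = sanitize_date(record["birth_date"])
    out["email"] = f"user{_random_digits(8)}@example.invalid"
    out["phone"] = "555" + _random_digits(7)
    return out


if __name__ == "__main__":
    # Constructed sample record.
    sample = {"zip": "94105-1234", "birth_date": date(1984, 7, 19),
              "email": "jane@corp.example", "phone": "4155550123"}
    print(sanitize_record(sample))
```

The `059` entry sits exactly on the 20,000 boundary and is therefore zeroed, matching the "20,000 or fewer" wording.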

The following data types in all environments are sanitized

  • Personally identifiable information – including but not limited to names, addresses, and email addresses
  • Payment information – including but not limited to bank account numbers and credit card details
  • Protected health information – including but not limited to health details
  • Credentials or authentication keys
  • Cardholder data – including the primary account number (PAN) and cardholder name along with expiration date or service code. A service code is a three- or four-digit number on cards that use a magnetic stripe. The service code specifies acceptance requirements and limitations for a magnetic-stripe-read transaction.

The following data types in the GovCloud environment are sanitized

  • User's mention name
  • Item Number
  • Item Description
  • Item Name
  • Supplier Part Number
  • Revision Record's data

More Info

For more detailed information see Coupa Security and Compliance, or contact support@coupa.com.