We designed our privacy program with the following objectives in mind:
- To support our customers’ compliance efforts and to reflect the international footprint of our customers’ operations
- To align with trusted and tested data privacy and governance frameworks to ensure robustness of our privacy efforts
- To go beyond the legal obligations and to meet the expectations of broader groups of stakeholders
On this page you can find out more about our privacy program.
The Global Scope of Our Privacy Program
Coupa’s privacy program is mapped to the GDPR, CCPA, CPRA, VCDPA, FedRAMP, HIPAA, PIPEDA, and the privacy laws of Mexico, Brazil, South Africa, Australia, Singapore, Japan, China, India, and the United Kingdom. We analyzed from which countries our customers’ users access our platform, and these jurisdictions account for more than 90% of our users. We monitor regulatory developments globally and evaluate their impact on our own and our customers’ operations. Our privacy program is reviewed and updated on a regular basis to maintain its relevance. All changes to our products go through a rigorous review process to ensure privacy requirements are embedded.
Trusted and Tested Data Privacy and Governance Frameworks
Coupa’s privacy program is aligned with the ISO27701 standard and the APEC PRP system. Additionally, we followed a holistic approach to build a risk-based privacy program which addresses more than just regulatory risks. To achieve this, we adopted practices of mature governance frameworks such as the Sarbanes-Oxley Act to create a comprehensive risk and control matrix for our privacy activities, which ensures accountability and the design and operating effectiveness of our privacy program on a continuous basis. Furthermore, we regularly benchmark our privacy program using various maturity models and best practices to keep it up to date.
Meeting Stakeholders' Expectations Beyond Legal Obligations
Coupa’s privacy program is aligned with the GRI and SASB sustainability standards as we believe data privacy is more than just regulatory compliance. We view privacy as a fundamental human right which impacts both data subjects and the entire society. We anticipate ESG standards becoming part of mandatory external reporting practices, and we designed our privacy program accordingly to meet such requirements.
We prepared a number of documents on specific privacy-related topics which you may find helpful for your compliance efforts.
- GDPR Transfer Risk Assessment
- FISA Statement
- Data Subject Requests and Enquiries Policy
- China Privacy and Security Whitepaper
These documents are available upon request. Please reach out to your Coupa contact to obtain them.