Coupa Success Portal

Legal and Compliance

Coupa participates in multiple compliance programs and is regularly audited by third-party assessors to ensure Coupa's compliance with the standards established by these programs. Coupa operates in multiple jurisdictions and complies with jurisdictional laws and regulations.

Coupa operates independently from IaaS providers, maintaining its own information security policy, operating its own technology stack with its own cloud operations team. Coupa enforces security and controls daily through its own processes and procedures.

The Coupa Governance Risk and Compliance (GRC) department maintains several policies, processes, and documents that are often requested by customers and prospects. Click the report links below to learn more about these certification programs and how to obtain copies of certifications and reports.

Certifications and Attestations

Below are basic descriptions of the compliance programs that Coupa currently supports and those that we do not support. Information is also provided on reporting dates and bridge (gap) letters.


SOC 1 Type 2 - Prepared in accordance with AICPA SSAE No. 18 and IAASB ISAE 3402 Standards. We complete a bi-annual Type 2 SOC 1 audit. The audit periods are October 1 - March 31 and April 1 - September 30 each year. Audits are conducted in the last two weeks of March and September. Third-party audit reports are available approximately one month after the audit, in April and October. Gap or Bridge letters are issued on the first of every month. These are letters signed by Coupa leadership to cover the gap between the report date and the current date. Gap letters address any material changes to the internal control environment until the next report is issued.

SOC 2 Type 2 - Independent Service Auditor's Report on Controls Relevant to Security, Availability, and Confidentiality. Coupa completes a third-party audit annually for our SOC 2. The audit period is October 1 - September 30 each year. SOC 2 reports are typically available in November. Gap or Bridge letters are issued on the first of every month. These are letters signed by Coupa leadership to cover the gap between the report date and the current date. Gap letters address any material changes to the internal control environment until the next report is issued.


HIPAA & HITECH - Companies that deal with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. Coupa completes a HIPAA audit in the first week of October and the attestation report is typically available by mid-November annually.

Health Information Portability & Accountability Act Security Rule (HIPAA) & Health Information Technology for Economic and Clinical Health Act (HITECH) Attestation

- Review of information security program and controls to ensure all standards are met.

- Healthcare and medical customers are deployed in a specific HIPAA environment.


ISO 27001 Certification - Coupa completed our first ISO 27001 audit in April 2017 and received our official ISO/IEC 27001:2013 certification on May 10, 2017.


ITAR/GovCloud - Coupa has established an environment in AWS GovCloud to meet customer ITAR requirements. ITAR requires that all access is limited to US Persons only. Audits will be conducted annually in April and third-party auditor reports are available in late May/early June annually.


PCI DSS - Coupa maintains this global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. It consists of common-sense steps that mirror security best practices. Annual Onsite Audit and Reviews occur in April/May by external third-party auditors. Customers requiring the use of credit cards will be deployed in a specific PCI-compliant environment.


TÜV Rheinland Certified Cloud Service (TUV CCS) - Coupa maintains the TÜV Rheinland Certified Cloud Service (TUV CCS) Certification. Coupa first received this designation in the Fall of 2017. TUV CCS is a German certification and supports EMEA.


EU General Data Protection Regulation (GDPR) - Coupa has closely monitored the requirements and ensures that our services meet the standards set forth by the GDPR.



Coupa announced the achievement of FedRAMP Moderate Authorization from the Federal Risk Authorization Management Program (FedRAMP) on March 14, 2022. This authorization underscores Coupa's commitment to stringent security and compliance standards – including rigorous cybersecurity standards established by the U.S. federal government and Department of Defense for cloud solution providers. With this designation, Coupa is available on the FedRAMP Marketplace, enabling every federal agency to begin using Coupa's all-in-one, cloud-based platform with this trusted layer of security and compliance.

FedRAMP provides a standardized approach for U.S. agencies and departments to deploy cloud services. It enables public-private partnerships to promote innovation and the advancement of more secure information technologies.

Frequently Requested Certification and Reports 

Privacy Shield - We do not adhere to Privacy Shield. We have selected to use EU Model Clauses as part of our Data Processing Agreement. It accomplishes the same purpose and is a better mechanism to facilitate agreement on security and privacy controls that will be in place. We are also under the impression that Privacy Shield is likely to go the way of Safe Harbor (and be ruled invalid).

TISAX - Coupa is currently working to obtain TISAX certification to meet German automakers' requirements. This will be a one-time certification and we will not pursue a renewal after the initial audit.

Self-Serve Audit Reports and Certifications

Coupa customers can download compliance reports, certifications, and security and compliance related documentation, including whitepapers and datasheets, on demand from the Security and Compliance page on the Coupa Support Portal.

Other parties interested in Coupa compliance reports and certifications can access these reports through the Coupa Compliance Reports Self-Serve Portal.

Security and Compliance Documentation

Current Coupa customers can download the following Security and Compliance related documentation from the Security and Compliance page on the Coupa Support portal.

  • Coupa Technical Whitepaper
  • Business Continuity Management Summary and Attestation
  • Contingency Plan Test Results
  • Coupa Cloud Spend Management Encryption
  • Coupa ISO 27001 Surveillance Report
  • Coupa Statement of Applicability
  • Coupa Healthcare Cloud
  • HIPAA Deployment Security