Coupa participates in multiple compliance programs and is regularly audited by third-party assessors to ensure Coupa's compliance to the standards established by these programs. Coupa operates in multiple jurisdictions and complies with jurisdictional laws and regulations.
Coupa operates independently from IaaS providers, maintaining its own information security policy, operating its own technology stack with its own cloud operations team. Coupa enforces security and controls daily through its own processes and procedures.
The Coupa Governance Risk and Compliance (GRC) department maintains several policies, processes, and documents that are often requested by customers and prospects. Click the report links below to learn more about these certification programs and how to obtain copies of certifications and reports.
Certifications and Attestations
Described below are basic descriptions of the compliance programs that Coupa currently supports and those that we do not support. Information is also provided on reporting dates and bridge (gap) letters.
SOC 1 Type 2 - Prepared in accordance with AICPA SSAE No. 18 and IAASB ISAE 3402 Standards. We complete a bi-annual Type 2 SOC 1 audit. The audit periods are October 1- March 31 and April 1- September 31 each year. Audits are conducted in the last two weeks of March and September. Third party audit reports are available approximately one month after the audit, in April and October. Gap or Bridge letters are issued on the first of every month. These are letters signed by Coupa leadership to cover the gap between the report date and the current date. Gap letters address any material changes to the internal control environment until the next report is issued.
SOC 2 Type 2 - Independent Service Auditor's Report on Controls Relevant to Security, Availability, and Confidentiality. Coupa completes a third party audit annually for our annual SOC 2. The audit period is October 1 - September 30 each year. SOC 2 reports are typically available in November. Gap or Bridge letters are issued on the first of every month. These are letters signed by Coupa leadership to cover the gap between the report date and the current date. Gap letters address any material changes to the internal control environment until the next report is issued.
HIPAA & HITECH - Companies that deal with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. Coupa completes a HIPAA audit in the first week of October and the attestation report is typically available by mid November annually.
Health Information Portability & Accountability Act Security Rule (HIPAA) & Health Information Technology for Economic and Clinical Health Act (HITECH) Attestation
- Review of information security program and controls to ensure all standards are met.
- Healthcare and medical customers deployed in specific HIPAA environment.
ISO 27001 Certification - Coupa completed our first ISO 27001 audit in April 2017 and received our official ISO/IEC 27001:2013 certification on May 10, 2017.
ITAR/GovCloud - Coupa has established an environment in AWS GovCloud to meet customer ITAR requirements. ITAR requires that all access is limited to US Persons only. Audits will be conducted annually in April and 3rd party auditor reports are available in late May/early June annually.
PCI DSS - Coupa maintains this global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. It consists of common sense steps that mirror security best practices. Annual Onsite Audit and Reviews occur in April/May by external third-party auditors. Customers requiring the use of credit cards will be deployed in specific PCI compliant environment.
TÜV Rheinland Certified Cloud Service (TUV CCS) - Coupa maintains the TÜV Rheinland Certified Cloud Service (TUV CCS) Certification. Coupa first received this designation in the Fall of 2017. TUV CCS is a German certification and supports EMEA.
EU General Data Protection Regulation (GDPR) - Coupa is compliant with the EU General Data Protection Regulation (GDPR). Additional information on GDPR can be found on the GDPR Legal Page.
Frequently Requested Certification and Reports
Privacy Shield - We do not adhere to Privacy Shield. We have selected to use EU Model Clauses as part of our Data Processing Agreement. It accomplishes the same purpose and is a better mechanism to facilitate agreement on security and privacy controls that will be in place. We are also under the impression that Privacy Shield is likely to go the way of Safe Harbor (and ruled invalid).
FedRAMP/NIST RMF 800-53 - Coupa has obtained FedRAMP Moderate Ready status. We are currently working on identifying any FedRAMP/NIST gaps and documenting our current compliance with these requirements. Coupa is starting the process to ensure compliance with both of these federal programs. Coupa plans to achieve FedRAMP Moderate authorization by Fall, 2021.
TISAX - Coupa is currently working to obtain TISAX certification to meet German automakers requirements. This will be a one time certification and we will no pursue a renewal after the initial audit.
Self-Serve Audit Reports and Certifications
Coupa customers can download compliance reports, certifications, and security and compliance related documentation, including whitepapers and datasheets on-demand from the Security and Compliance page on the Coupa Support Portal.
Other interested parties in Coupa compliance reports and certifications can access these reports through the Coupa Compliance Reports Self-Serve Portal.
- Compliance Certifications
- No image available
- Coupa participates in various compliance programs and maintains multiple compliance certifications.
Security and Compliance Documentation
Current Coupa customers can download the following Security and Compliance related documentation from the Security and Compliance page on the Coupa Support portal.
- Coupa Technical Whitepaper
- Business Continuity Management Summary and Attestation
- Contingency Plan Test Results
- Coupa Cloud Spend Management Encryption
- Coupa ISO 27001 Surveillance Report
- Coupa Statement of Applicability
- Coupa Healthcare Cloud
- HIPAA Deployment Security