Skip to main content



Coupa Success Portal

Infrastructure Security


At Coupa, we're committed to providing our customers with a reliable, secure application that lets you manage your spend from anywhere at anytime. We've partnered with Amazon Web Services (AWS) which provides the hardware and infrastructure to support Coupa’s e-Procurement platform.

AWS was launched in July 2002 and is the most popular on demand infrastructure for commodity computing and virtual secure storage on the planet.

Physical Security

With providing the physical hosting infrastructure through their EC2 service, Amazon enforces physical security through a variety of methods as covered in their Security Whitepaper. The buildings, servers, and infrastructure of Amazon’s EC2 service is the same as their multi-billion dollar retail business, so you can be assured that your application and data are secure.

Transport Security

We encrypt all communication between customers and our data center using high-grade encryption (AES-256 256 bit). Access to Coupa’s on-demand applications and services is only available through secure sessions (https) and only available with an authenticated login and password. Passwords are never transmitted or stored in their original form, so they are never compromised by third parties.

Perimeter and Server Security

We protect our application infrastructure by using state-of-the-art firewalls at the hypervisor, kernel, and application levels, as well as intrusion detection systems across all servers. Our anomaly detection system instantly notifies operations staff, 24/7, if anything unusual is detected. In addition, we work with third party security firms and consultants to conduct vulnerability threat assessments including penetration tests.

All our front-end servers are behind firewalls and only accessible via https protocol. Database servers inside the perimeter firewalls are protected using proprietary non-routable IP addressing schemes, network address translation and more. The details of these features are proprietary.

We enforce tight operating system-level security by maintaining a minimal number of access points to all production servers. Operating system accounts are protected using secure public key authentication and only operations personnel have access to the servers. All operating systems are maintained at each vendors recommended patch levels for security and are hardened by disabling or removing any unnecessary users, open ports, and processes. Access to the databases is controlled through limited and separately access-controlled passwords.

Our employees do not have direct access to production equipment, databases or customer data, except where necessary for system management, maintenance, and backups. Access to customer data is further restricted to technical and customer support staff on a need-to-know basis. No parties outside Coupa have access to customer data unless required by law. For more information, please refer to Coupa’s Privacy Policy.

Application Security

No customer can see another customer’s data. This is enforced on several layers of the architecture, including authenticated sessions, which are required for any page access. Sessions are stored in cookies that do not encode any customer identifiable information. Nor is any customer ID ever transmitted or stored during page access, thus preventing ID spoofing.

Reliability and Backup

In addition to the physical redundancy (network, power) that provides, we have redundant configurations for each component of its infrastructure. All customer data is stored on redundant database servers with live failover. All customer data is placed on RAID class hardware, replicated in real time to a secondary environment in a different data center, then backed up every sixty minutes onto the S3 service. The S3 service is then replicated throughout the data centers globally.

Disaster Recovery Program

We're able to leverage the Amazon AWS cloud to provide a best in class disaster recovery program. Using Amazon AWS services for data storage as described above we eliminate the risk of customer data loss. If the primary hardware for a customer fails, we can immediately switch over to the secondary hardware, which is running concurrently with the primary. If there is a disaster that fails both the primary and secondary servers, we have the ability to failover to any number of data centers in the United States and in Europe, in a matter of minutes.

Database Security

Databases are partitioned for each customer so that the data for different customers does not co-mingle. Database infrastructure is completely segregated from the Application servers and the Internet via firewalls. Only application servers can query the database using strong authentication. Sensitive data, like passwords, is encrypted with cryptographically strong ciphers before storing into the database. Database servers have the same host-based security that protects all Coupa servers.

  • Was this article helpful?