Coupa operates independently from IaaS providers, maintaining its own information security policy, operating its own technology stack with its own cloud operations team. Coupa enforces security and controls daily through its own processes and procedures.
The Coupa Governance Risk and Compliance (GRC) department maintains several policies, processes, and documents that are often requested by customers and prospects. Click the report links below to learn more about these certification programs and how to obtain copies of certifications and reports.
Described below is a basic description of the compliance programs that Coupa currently supports and those that we do not support. Information is also provided on reporting dates and bridge (gap) letters.
Supported Compliance Programs
SOC 1 Type 2 - Prepared in accordance with AICPA SSAE No. 18 and IAASB ISAE 3402 Standards. We complete a bi-annual Type 2 SOC 1 audit. The audit periods are October 1- March 31 and April 1- September 31 each year. Audits are conducted in the last two weeks of March and September. Third party audit reports are available approximately one month after the audit, in April and October. Gap or Bridge letters are issued on the first of every month. These are letters signed by Coupa leadership to cover the gap between the report date and the current date. Gap letters address any material changes to the internal control environment until the next report is issued.
SOC 2 Type 2 - Independent Service Auditor's Report on Controls Relevant to Security, Availability, and Confidentiality. Coupa completes a third party audit annually for our annual SOC 2. The audit period is October 1 - September 30 each year. SOC 2 reports are typically available in November. Gap or Bridge letters are issued on the first of every month. These are letters signed by Coupa leadership to cover the gap between the report date and the current date. Gap letters address any material changes to the internal control environment until the next report is issued.
Annual Type 2 SOC 2 - Trust Service Principles (TSP) Section 100 Criteria
HIPAA & HITECH - Attestation Report from Independent Auditor. The audit is completed in the first week of October and the attestation report is typically available by mid November annually.
Health Information Portability & Accountability Act Security Rule (HIPAA) & Health Information Technology for Economic and Clinical Health Act (HITECH) Attestation
- Review of information security program and controls to ensure all standards are met.
- Healthcare and medical customers deployed in specific HIPAA environment.
ISO 27001 Certification - Coupa completed our first ISO 27001 audit in April 2017 and received our official ISO/IEC 27001:2013 certification on May 10, 2017.
ITAR/GovCloud - Coupa has established an environment in AWS GovCloud to meet customer ITAR requirements. ITAR requires that all access be limited to US Persons only. Coupa just completed the first third-party attestation of our ITAR environment in GovCloud. Audits will be conducted annually in April, and third-party auditor reports are available in late May/early June annually.
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. It consists of common-sense steps that mirror security best practices. Coupa received the final PCI report and attestation of compliance, which is available via the Compliance Report page and the self-help link. The annual onsite audit and reviews take place in April/May and are performed by an external third-party auditor. Customers requiring the use of credit cards will be deployed in a specific PCI-compliant environment.
TÜV Rheinland Certified Cloud Service (TUV CCS) - Coupa recently obtained the TÜV Rheinland Certified Cloud Service (TUV CCS) Certification. Coupa received this designation in the Fall of 2017.
- German certification that supports EMEA.
EU General Data Protection Regulation (GDPR) - Coupa is compliant with the EU General Data Protection Regulation (GDPR). Additional information on GDPR can be found on the GDPR Legal Page.
Frequently Requested Certification and Reports
Privacy Shield - We do not adhere to Privacy Shield. We have elected to use EU Model Clauses as part of our Data Processing Agreement. This accomplishes the same purpose and is a better mechanism to facilitate agreement on the security and privacy controls that will be in place. We are also under the impression that Privacy Shield is likely to go the way of Safe Harbor (and be ruled invalid).
FedRAMP/NIST RMF 800-53 - We are currently working on identifying any FedRAMP/NIST gaps and documenting our current compliance with these requirements. Coupa is starting the process to ensure compliance with both of these federal programs. By Summer 2019, Coupa will have a self-attestation on FedRAMP/NIST moderate compliance.
TISAX - Coupa is currently working to obtain TISAX certification to meet German automakers' requirements. This will be a one-time certification, and we will not pursue a renewal after the initial audit.
Self-Serve Audit Reports and Certifications
Coupa customers can download compliance reports, certifications, and security and compliance related documentation, including whitepapers and datasheets on-demand from the Security and Compliance page on the Coupa Support Portal.
Other parties interested in Coupa compliance reports and certifications can access these reports through the Coupa Compliance Reports Self-Serve Portal.
Security and Compliance Documentation
Current Coupa customers can download the following Security and Compliance related documentation from the Security and Compliance page on the Coupa Support portal.
- Coupa Technical Whitepaper
- Business Continuity Management Summary and Attestation
- Contingency Plan Test Results
- Coupa Cloud Spend Management Encryption
- Coupa ISO 27001 Surveillance Report
- Coupa Statement of Applicability
- Coupa Healthcare Cloud
- HIPAA Deployment Security