This page provides a basic description of the compliance programs that Coupa currently supports and those that we do not support. The page also provides information on reporting dates and gap letters. Customers and prospects can download the reports correlating with the below compliance programs from the Coupa Compliance Reports Request portal.
Supported Compliance Programs
SOC 1 Type 2 - Prepared in accordance with AICPA SSAE No. 18 and IAASB ISAE 3402 Standards. We complete a bi-annual Type 2 SOC 1 audit. The audit periods are Nov 1- April 30 and May 1- Oct 31 each year. Audits are conducted in the last two weeks of April and October. 3rd party audit reports are available approximately a month after the audit, in May and December. Gap or Bridge letters are issued on the first of every month. These are letters signed by Coupa leadership to cover the gap between the report date and the current date. Gap letters address any material changes to the internal control environment until the next report is issued.
SOC 2 Type 2 - Independent Service Auditor's Report on Controls Relevant to Security, Availability, and Confidentiality. We complete a 3rd party audit annually for our annual SOC2. The audit period is Nov 1 - Oct 31 each year. Audit reports are typically available in December. Gap or Bridge letters are issued on the first of every month. These are letters signed by Coupa leadership to cover the gap between the report date and the current date. Gap letters address any material changes to the internal control environment until the next report is issued.
Annual Type 2 SOC 2 - Trust Service Principles (TSP) Section 100 Criteria
HIPAA & HITECH - Attestation Report from Independent Auditor. Audit is completed the first week in November and the attestation report is typically available by Mid December annually.
Health Information Portability & Accountability Act Security Rule (HIPAA) & Health Information Technology for Economic and Clinical Health Act (HITECH) Attestation
- Review of information security program and controls to ensure all standards are met.
- Healthcare and medical customers deployed in specific HIPAA environment.
ISO 27001 Certification - Coupa completed our first ISO 27001 audit in April 2017 and received our official ISO/IEC 27001:2013 certification on May 10, 2017.
ITAR/GovCloud - Coupa has established an environment in AWS GovCloud to meet customer ITAR requirements. ITAR requires that all access is limited to US Persons only. Coupa just completed the first 3rd Party attestation of our ITAR environment in GovCloud. Audits will be conducted annually in April and 3rd party auditor reports are available in late May/early June annually.
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. It consists of common sense steps that mirror security best practices. Coupa received the final PCI report and attestation of compliance and is available via the Compliance Report page and the self-help link. Annual Onsite Audit and Reviews in April/May. External third-party auditor. Customers requiring the use of credit cards will be deployed in specific PCI compliant environment.
TÜV Rheinland Certified Cloud Service (TUV CCS) - Coupa recently obtained the TÜV Rheinland Certified Cloud Service (TUV CCS) Certification. Coupa received this designation in the Fall of 2017.
- German certification and supports EMEA.
EU General Data Protection Regulation (GDPR) - Coupa is compliant with the EU General Data Protection Regulation (GDPR). Additional information on GDPR can be found on the GDPR Legal Page.
Frequently Requested Certification and Reports
Privacy Shield - We do not adhere to Privacy Shield. We have selected to use EU Model Clauses as part of our Data Processing Agreement. It accomplishes the same purpose and is a better mechanism to facilitate agreement on security and privacy controls that will be in place. We are also under the impression that Privacy Shield is likely to go the way of Safe Harbor (and ruled invalid).
FedRAMP/NIST RMF 800-53 - We are currently working on identifying any FedRAMP/NIST gaps and documenting our current compliance with these requirements. Coupa is starting the process to ensure compliance with both of these federal programs. By Summer 2019, Coupa will have a self-attestation on FedRAMP/NIST moderate compliance.
TISAX - Coupa is currently working to obtain TISAX certification to meet German automakers requirements. This will be a one time certification and we will no pursue a renewal after the initial audit.