Skip to main content



Coupa Success Portal

Coupa Cloud Spend Management Encryption


Data Encryption

Coupa only uses encrypted connections to protect data contents in transition, while also encrypting sensitive files prior to storing them. Storage drives are encrypted at both the datacenter and when data is cached by the mobile application. Coupa maintains key management policies to block attacks and vulnerabilities by utilizing IaaS Key Management services, commonly known as Vaults to manage, rotate, and protect encryption keys.

Coupa maintains an Encryption and Key Management policy that provides guidance for protecting data and using encryption which includes the following fundamental principles of utilizing only well known and publicly vetted cryptography algorithms.

Approved Algorithms and Ciphers

The following cryptographic algorithms and ciphers are approved for use in protecting Coupa data:

Cryptographic Algorithm Function
AES Algorithm
Blowfish Algorithm
SHA-2 Hashing algorithm
SHA-3 Hashing algorithm
RSA Algorithm
ECDH, ECDHE, ECDSA Key exchange
GCM, GMAC Symmetric encryption mode of operation
CBC, CBC3 Symmetric encryption mode of operation
DHE Key exchange
HMAC Message Authentication

Key Management

Amazon EBS and S3 encryption use AWS Key Management Server (KMS) master keys when creating encrypted volumes and snapshots created from encrypted volumes. The use of AWS KMS provides centralized control of encryption keys. Coupa is able to create keys, implement key rotation, create usage policies, and enable logging from the AWS Management Console. AWS KMS is designed so that no one has access to the Coupa master keys. The AWS KMS service is built on systems that are designed to protect the masters’ keys with extensive hardening techniques, which include, never storing plaintext master keys to disk, not persisting keys in memory, and limiting which systems can connect to the device.


Key Management Requirements

Coupa requires the following key management specifications to be implemented:

Attribute  Description
Key Length
  • Symmetric Keys: 256 bit or greater
  • Asymmetric: 2048 minimum
Key Rotation
  • Publicly managed TLS keys - Every 2 years
  • Private TLS keys - Every 2 years
  • Private SSH keys - As needed
Key Revocation Keys are revoked if a compromise is suspected.

Encrypted Fields

Database Column Encryption

Coupa utilizes AES-256-GCM for database column encryption. All keys are unique to each customer instance. The following fields are encrypted in the Coupa application:

Model Attribute Name Key Type Mode
Attachment text unique HIPAA
Comment comments unique HIPAA
Transactional Models custom_field_# unique HIPAA
EasyFormWidget answer shared Standard
EndpointInstance password unique Standard
EndpointInstance ssh_key unique  Standard
ExpenseAccountNumberLookup account unique Standard
ExpenseLine description unique HIPAA
Identity access_token unique Standard
IntegrationWarning value unique Standard
InvoiceCharge description unique HIPAA
InvoiceLine description unique HIPAA
OnlineStore password unique Standard
OIDC Client secret unique Standard
Pcard number unique  Standard
PGP Key key_data unique Standard
RevisionRecord data unique HIPAA
RevisionSnapshoCache data unique HIPAA
SupplerInformation federatl_tax_num unique Standard
SupplerInformation cxml_http_password unique Standard
SupplerInformation cxml_secret unique Standard
SupplerInformationAddress bank_routing_number unique Standard
SupplerInformationAddress international_bank_account_number unique Standard
SupplerInformationAddress iban_number unique Standard
SupplerInformationAddress swift_code unique Standard
SupplerInformationAddress sort_code unique Standard
SupplerInformationAddress bsb_number unique Standard
SupplerInformationAddress bic unique Standard
SupplerInformationAddress bic_routing_code unique Standard
SupplerInformationAddress bank_account_number unique Standard
Supplier cxml_http_password unique Standard
Supplier cxml_secret unique Standard
SupplierSite cxml_http_password unique Standard
SupplierSite cxml_secret unique Standard
SupplierRemitTo bank_account_number unique Standard
SupplierRemitTo bank_routing_number unique Standard
SupplierRemitTo iban_number unique Standard
SupplierRemitTo swift_code unique Standard
SupplierRemitTo sort_code unique Standard
User yodlee_auth_token unique Standard

Attachment Encryption

Attachment encryption for data at rest utilizes AES-256-GCM.

  • Was this article helpful?