Coupa Encrypted Fields
Overview
Protecting customer data and preventing system attacks is a top priority for Coupa. Coupa uses only encrypted connections to protect data in transit and encrypts sensitive files before storing them. Coupa adheres to the following fundamentals of encryption and key management:
- The use of well-known and publicly vetted cryptography. The use of homegrown cryptographic algorithms is not permitted.
- Proper key management and protection are critical to ensure encryption provides the desired protection.
Encrypted Fields
Database Column Encryption
Coupa utilizes AES-256-GCM for database column encryption. All keys are unique to each customer instance. The following fields are encrypted in the Coupa application:
Model | Attribute Name | Key Type | Mode |
---|---|---|---|
Attachment | text | unique | HIPAA |
Comment | comments | unique | HIPAA |
Transactional Models | custom_field_# | unique | HIPAA |
EasyFormWidget | answer | shared | Standard |
EndpointInstance | password | unique | Standard |
EndpointInstance | ssh_key | unique | Standard |
ExpenseAccountNumberLookup | account | unique | Standard |
ExpenseLine | description | unique | HIPAA |
Identity | access_token | unique | Standard |
IntegrationWarning | value | unique | Standard |
InvoiceCharge | description | unique | HIPAA |
InvoiceLine | description | unique | HIPAA |
OnlineStore | password | unique | Standard |
OIDC Client | secret | unique | Standard |
Pcard | number | unique | Standard |
PGP Key | key_data | unique | Standard |
RevisionRecord | data | unique | HIPAA |
RevisionSnapshoCache | data | unique | HIPAA |
SupplerInformation | federatl_tax_num | unique | Standard |
SupplerInformation | cxml_http_password | unique | Standard |
SupplerInformation | cxml_secret | unique | Standard |
SupplerInformationAddress | bank_routing_number | unique | Standard |
SupplerInformationAddress | international_bank_account_number | unique | Standard |
SupplerInformationAddress | iban_number | unique | Standard |
SupplerInformationAddress | swift_code | unique | Standard |
SupplerInformationAddress | sort_code | unique | Standard |
SupplerInformationAddress | bsb_number | unique | Standard |
SupplerInformationAddress | bic | unique | Standard |
SupplerInformationAddress | bic_routing_code | unique | Standard |
SupplerInformationAddress | bank_account_number | unique | Standard |
Supplier | cxml_http_password | unique | Standard |
Supplier | cxml_secret | unique | Standard |
SupplierSite | cxml_http_password | unique | Standard |
SupplierSite | cxml_secret | unique | Standard |
SupplierRemitTo | bank_account_number | unique | Standard |
SupplierRemitTo | bank_routing_number | unique | Standard |
SupplierRemitTo | iban_number | unique | Standard |
SupplierRemitTo | swift_code | unique | Standard |
SupplierRemitTo | sort_code | unique | Standard |
User | yodlee_auth_token | unique | Standard |
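
An added example, not Coupa's code, of what AES-256-GCM column encryption with one key per customer instance provides: a value decrypts only under the instance key and column it was written with, and any modification is rejected. The `ColumnCipher` module, the nonce/tag/ciphertext storage layout and the use of the column name as associated data are assumptions made for illustration; the keys and the card number are constructed sample values.

```ruby
require "openssl"
require "securerandom"

# Hypothetical helper (not Coupa code): AES-256-GCM for a single column value.
# Assumed stored layout: 12-byte nonce || 16-byte tag || ciphertext.
module ColumnCipher
  NONCE_LEN = 12
  TAG_LEN = 16

  # aad ties the ciphertext to its column, e.g. "Pcard.number" (assumption).
  def self.encrypt(key, plaintext, aad)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    nonce = SecureRandom.random_bytes(NONCE_LEN) # fresh nonce on every write
    cipher.iv = nonce
    cipher.auth_data = aad
    ct = (plaintext.empty? ? "".b : cipher.update(plaintext)) + cipher.final
    nonce + cipher.auth_tag(TAG_LEN) + ct
  end

  # Returns the plaintext, or nil when key, column or stored bytes do not match.
  def self.decrypt(key, blob, aad)
    return nil if blob.bytesize < NONCE_LEN + TAG_LEN
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = blob.byteslice(0, NONCE_LEN)
    cipher.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
    cipher.auth_data = aad
    ct = blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)
    (ct.empty? ? "".b : cipher.update(ct)) + cipher.final
  rescue OpenSSL::Cipher::CipherError
    nil
  end
end

# Constructed demo: two customer instances, each with its own random 256-bit key.
def demo
  key_a = SecureRandom.random_bytes(32)
  key_b = SecureRandom.random_bytes(32)
  blob = ColumnCipher.encrypt(key_a, "4111111111111111", "Pcard.number")
  flipped = blob.dup
  flipped.setbyte(-1, flipped.getbyte(-1) ^ 1) # flip one ciphertext bit
  {
    same_instance: ColumnCipher.decrypt(key_a, blob, "Pcard.number"),
    other_instance: ColumnCipher.decrypt(key_b, blob, "Pcard.number"),
    other_column: ColumnCipher.decrypt(key_a, blob, "Supplier.cxml_secret"),
    tampered: ColumnCipher.decrypt(key_a, flipped, "Pcard.number")
  }
end
```

Only `same_instance` yields the original value; the other three cases fail GCM tag verification and return `nil`.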
Attachment Encryption
Attachment encryption for data at rest utilizes AES-256-GCM.