Coupa’s Master Subscription Agreement

The terms of the Coupa Master Subscription Agreement incorporated by reference in an Order Form dated on or after February 13, 2017 are set forth below. For MSA terms prior to February 13, 2017, please see Archive.


This Master Subscription Agreement (“Agreement”) between Coupa Software Inc. (“Coupa”) and the company or other legal entity (“Customer”) that has executed an Order Form (as defined below) is made as of the last signature date (“Effective Date”) on the Order Form that references this Agreement.

This Agreement incorporates by reference the Subscription Schedule, attached as Exhibit A, which describes the following operational matters of the Hosted Applications (as defined below): (1) technical support & update process; (2) service level agreement; and (3) data security measures.

  1. DEFINITIONS

    1. “Affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity; and "control" for the purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interest of the subject entity, provided that any such Affiliate shall be deemed an Affiliate only for so long as such control lasts.

    2. “Confidential Information” means all confidential and proprietary information of a disclosing party disclosed by or on behalf of such party to the receiving party, whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including the terms and conditions of this Agreement (including pricing and other terms reflected in all Order Forms hereunder), business and marketing plans, technology and technical information, product designs, and business processes. Notwithstanding anything to the contrary, the Hosted Applications and Coupa Platform are deemed to be Confidential Information of Coupa. Confidential Information shall not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the disclosing party; (ii) was known to the receiving party without restriction prior to its disclosure by the disclosing party and without breach of any obligation owed to the disclosing party; (iii) was independently developed by the receiving party without either use of or reference to any Confidential Information or breach of any obligation owed to the disclosing party; or (iv) is received from a third party without restriction and without breach of any obligation owed to the disclosing party.

    3. Coupa Platform” means any software and hardware that enables Coupa to provide Customer with access to and use of the Hosted Applications as contemplated by this Agreement.

    4. Customer Data” means any data, information or material provided or submitted by Customer or on behalf of Customer to the Coupa Platform in the course of using the Hosted Applications.

    5. Documentation” means the Coupa product documentation relating to the operation and use of the Hosted Applications, including technical program or interface documentation, operating instructions, update notes, and support knowledge base, as made available and updated from time to time by Coupa.

    6. Hosted Application(s)” means applications and associated content (as identified on an Order Form) to be provided by Coupa to Customer as a subscription service and made accessible on a website designated by Coupa.

    7. Order Form” means an order form mutually executed by the parties evidencing the purchase of subscriptions to the Hosted Applications specifying, among other things, the Subscription Term, the number of Users, the applicable fees, and the billing period as agreed to between the parties. Each Order Form, once mutually executed, shall be governed by and become part of this Agreement, and is hereby incorporated by this reference.

    8. Protected Health Information” has the meaning given to it  in the Health Insurance Portability and Accountability Act (“HIPAA”).

    9. Protected Information” means Protected Health Information and Regulated Information.

    10. “Regulated Information” means an individual’s first name and last name (or first initial and last name) in combination with any one or more of the following data elements that relate to such individual: (i) Social Security number; (ii) driver’s license number or state-issued identification card number; or (iii) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account.

    11. Subscription Term” means the period(s) during which Customer is authorized to use the Hosted Applications pursuant to an Order Form.

    12. Support” means the Coupa technical support as specified on the Order Form in accordance with the terms in Exhibit A-1.

    13. Updates” means Coupa’s updates of the Hosted Applications for repairs, enhancements or new features applied by Coupa to Customer’s instances, including updates to the Documentation as a result of such updates, at no additional fee during the Subscription Term. Updates shall not include additional functionality or upgrades to the Hosted Applications that Coupa requires a separate charge from its other customers generally.

    14. Users” means employees of Customer and its representatives, consultants, contractors, subcontractors, or agents who are authorized to use the Hosted Applications and have been supplied unique user identifications and passwords by Customer.

  2. COUPA’S OBLIGATIONS

    1. Provision of the Hosted Applications. Coupa will make available to Customer, and Customer is authorized to use, the Hosted Applications during the Subscription Term as set forth in an applicable Order Form for its internal business purposes in accordance with the Documentation.

    2. Support, Uptime & Updates. Coupa shall: (i) provide the level of support specified in the Order Form in accordance with Exhibit A-1; (ii) provide Updates at no additional charge as part of Customer’s subscription during the Subscription Term in accordance with Exhibit A-1 and (iii) make the Hosted Applications available in accordance with Exhibit A-2.

    3. Security. Coupa shall maintain a written information security program of policies, procedures and controls (“Security Program”) governing the processing, storage, transmission and security of Customer Data. The Security Program as of the Effective Date is set forth in Exhibit A-3. The Security Program shall include industry standard practices designed to protect Customer Data from unauthorized access, acquisition, use, disclosure, or destruction. Coupa may periodically review and update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, provided that any such update does not materially reduce the overall level of security provided to Customer as described herein.

    4. Breach Notification. Unless notification is restricted by law, Coupa shall report to Customer’s support contacts designated in Coupa’s customer support portal (“Support Portal”) any unauthorized acquisition, access, use, disclosure or destruction of Customer Data (“Breach”) promptly without undue delay after Coupa determines that a Breach has occurred. Unless prohibited by law, Coupa shall share information about the nature of the Breach that is reasonably requested by Customer to enable Customer to notify affected individuals, government agencies and/or credit bureaus. Customer has sole control over the content of Customer Data that it enters into the Coupa Platform and is responsible for determining whether to notify impacted individuals and the applicable regulatory bodies or enforcement commissions and for providing such notice.

    5. Audit Report. During the Subscription Term, except as stated otherwise on the Order Form, Coupa shall engage at its expense, an independent accounting firm to conduct an audit of Coupa’s operations with respect to the Hosted Applications in accordance with the Statement on Standards for Attestation Engagements No. 16  (the “SSAE 16”), and have such accounting firm issue SSAE 16, SOC 1 Type 2 and SOC 2 Type 2 reports (or substantially similar report of a successor auditing standard in the event the SSAE 16 auditing standard is no longer an industry standard) (the “Auditor’s Report”), which shall cover Coupa’s security policies, procedures, and controls. Upon Customer’s request, Coupa shall provide Customer and its external auditors with a current copy of such Auditor’s Report, provided that such report shall be deemed Confidential Information of Coupa.

    6. Insurance. Coupa shall maintain during the term of this Agreement:  (a) Commercial General Liability Insurance with minimum limits of US$1,000,000 combined single limit and combined bodily injury and property damage per occurrence and US$3,000,000 dollars in the aggregate; (b) Commercial Automobile Liability Insurance providing coverage for owned, hired, and non-owned motor vehicles used in connection with this Agreement in an amount of not less than US$1,000,000 per accident combined single limit for bodily injury and property damage; (c) Umbrella Liability providing excess liability coverage in the minimum amount of US$5,000,000.00 per occurrence, to supplement the primary coverage provided in the policies listed above; (d) Professional Liability Insurance (Errors and Omissions Insurance) with minimum limits of US$5,000,000.00; (e) Workers Compensation Insurance covering Coupa employees pursuant to applicable state laws, and at the maximum limits statutorily required for each such state; and (f) Commercial Crime Insurance including coverage for loss or damage resulting from theft committed by the Coupa’s employees, acting alone or in collusion with others, and coverage for computer crime, with a minimum per event and annual aggregate limit of US$2,000,000. Upon request, Coupa shall promptly furnish Customer with a certificate evidencing the coverages set forth above.

  3. CUSTOMER’S USE OF THE HOSTED APPLICATIONS

    1. User Accounts. Customer is responsible for activity occurring under its User accounts and shall ensure that it and its Users abide by all local, state, national and foreign laws, treaties and regulations applicable to Customer’s use of the Hosted Applications. Customer shall: (i) notify Coupa promptly of any unauthorized use of any password or account or any other known or suspected breach of security; (ii) notify Coupa promptly and use reasonable efforts to promptly stop any unauthorized use, copying, or distribution of the Hosted Applications that is known or suspected by Customer or its Users; (iii) not impersonate another Coupa user or provide false identity information to gain access to or use the Hosted Applications or Coupa Platform; and (iv) restrict each User account to only one authorized User at a time.

    2. Restrictions. Customer shall not (i) license, sublicense, sell, resell, transfer, rent, lease, assign (except as provided in Section 11.3 (Assignment)), distribute, disclose, or otherwise commercially exploit or make available to any third party the Hosted Applications; (ii) copy, modify or make derivative works based upon the Hosted Applications; (iii) “frame” or “mirror” the Hosted Applications on any other server or device; (iv) access the Hosted Applications  for any benchmarking or competitive purposes or use the Hosted Applications for application service provider, timesharing or service bureau purposes, or any purpose other than its own internal use, (v) decompile, disassemble, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of the Hosted Applications (except to the extent reverse engineering restrictions are prohibited by applicable law), (vi) remove, obscure or modify a copyright or other proprietary rights notice in the Hosted Applications; (vii) use the Hosted Applications to send or store infringing, obscene, threatening, libelous, or otherwise unlawful material, including material that violates third party privacy rights; (viii) use the Hosted Applications to create, use, send, store, or run material containing software viruses, worms, Trojan horses or otherwise engage in any malicious act or disrupt the security, integrity or operation of the Hosted Applications or the Coupa Platform; (ix) attempt to gain or permit unauthorized access to the Hosted Applications or its related systems or networks; (x) use the Hosted Applications other than in compliance with all applicable laws and regulations or (xi) permit or assist any other party (including any User) to do any of the foregoing.

    3. User Reassignment. User subscriptions are for designated Users and cannot be shared or used by more than one User but may be reassigned to new Users replacing former Users who no longer require use of the Hosted Applications. Unless otherwise specified in the relevant Order Form, the replacement User shall be under the same Subscription Term of the original User.

    4. Additional Users. Additional Users may be purchased pursuant to the parties signing an Order Form  and unless otherwise specified in the relevant Order Form, the Subscription Term of additional Users shall be coterminous with the Subscription Term in effect at the time the additional Users are added.

    5. Protected Information. The intended purpose of the Hosted Applications is to optimize Customer’s corporate spend management processes and Customer acknowledges and agrees that use of the Hosted Applications does not require Customer to provide any Protected Information to or through the Hosted Applications or Coupa Platform. Protected Information should not be stored by any Hosted Applications or Coupa Platform, and Coupa shall have no liability to Customer or its suppliers, Users or any other party related to any Protected Information. Customer shall not (and shall ensure that its suppliers and Users do not) upload, provide or submit any Protected Information to the Hosted Applications or Coupa Platform. Coupa may upon notice suspend all or portion of Customer’s or its supplier’s access to the Hosted Applications if Coupa has a good faith belief that Customer or its supplier has breached the restrictions in this Section. Coupa shall provide Customer with reasonable prior notice to cure before exercising any suspension under this Section.

    6. Third Party Interactions.
      (a) No Supplier Fees. Each party agrees that it shall not charge Customer’s suppliers for the right to interact with Customer through the Coupa Platform.
      (b) Supplier Interactions. During the Subscription Term, Customer may enter into correspondence with and purchase goods and/or services from suppliers on or through the Hosted Applications. Any such activities and associated terms are solely between Customer and the applicable third party supplier. Customer agrees that Coupa shall have no liability, obligation or responsibility for any such correspondence or purchase between Customer and any such third party supplier.

  4. ORDERING

    1. Billing and Payment of Fees. Customer shall pay subscription fees annually in advance for use of the Hosted Applications. All payment obligations are non-cancellable and all amounts paid are nonrefundable except as otherwise specified in this Agreement. Coupa shall issue invoices to Customer as specified in the Order Form and Customer agrees to pay such amounts not subject to a good faith dispute as specified in the Order Form and if any such invoice is more than 30 days overdue, Coupa may, without limiting its other rights and remedies, suspend the Hosted Applications until such invoice is paid in full. Coupa shall provide prior written notice to Customer of the payment delinquency before exercising any suspension right. Customer agrees to pay Coupa in the currency specified on the Order Form. Customer agrees to provide Coupa with complete and accurate billing and contact information and to update this information promptly upon any change to it. If Customer believes its bill is incorrect, Customer must contact Coupa in writing within 60 days of the date of the invoice containing the amount in question to be eligible to receive an adjustment or credit.

    2. Taxes. Coupa’s fees are exclusive of all taxes, levies, or duties imposed by taxing authorities, including for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, “Taxes”) and Customer shall be responsible for payment of all Taxes associated with this Agreement and all Order Forms, except that Coupa is solely responsible for taxes assessable against Coupa based on Coupa’s net income, property and employees. If Customer is legally entitled to an exemption from any sales, use, or similar transaction tax, upon signing an Order Form, Customer shall provide to Coupa with a legally sufficient tax exemption certificate for each taxing jurisdiction, and Coupa shall not charge Customer any taxes from which it is exempt. If any deduction or withholding is required by law, Customer shall notify Coupa and shall pay Coupa any additional amounts necessary to ensure that the net amount that Coupa receives, after any deduction and withholding, equals the amount Coupa would have received if no deduction or withholding had been required. Customer shall also provide to Coupa documentation showing that the withheld and deducted amounts have been paid to the relevant taxing authority.

  5. PROPRIETARY RIGHTS

    1. Coupa’s Intellectual Property Rights. As between Coupa and Customer, all rights, title, and interest in and to all intellectual property rights in the Hosted Applications and Coupa Platform (including all derivatives, modifications and enhancements thereof) are and shall be owned exclusively by Coupa notwithstanding any other provision in this Agreement or Order Form. This Agreement is not a sale and does not convey to Customer any rights of ownership in or related to the Hosted Applications or Coupa Platform. The Coupa name, logo and product names associated with the Hosted Applications or Coupa Platform are trademarks of Coupa, and no right or license is granted to use them. All rights not expressly granted to Customer are reserved by Coupa. Coupa alone shall own all rights, title and interest in and to any suggestions, enhancement requests, feedback, recommendations or other information provided by Customer or any third party relating thereto.

    2. Customer Data. As between Customer and Coupa, Customer exclusively owns all rights, title and interest in and to all Customer Data. Customer shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership of and right to use all Customer Data, and hereby warrants that that it has and will have all rights and consents necessary to allow Coupa to use all such data as contemplated by this Agreement. Customer hereby grants to Coupa a royalty-free, fully-paid, non-exclusive, non-transferable (except as set forth in Section 11.3 (Assignment)), sub-licensable, worldwide right to use and process Customer Data solely for the purpose of providing to Customer the Hosted Applications and any other activities expressly agreed to by Customer.

  6. CONFIDENTIAL INFORMATION

    1. Obligations. The receiving party shall not disclose or use any Confidential Information of the disclosing party for any purpose outside the scope of this Agreement, except with the disclosing party's prior written permission. Each party agrees to protect the confidentiality of the Confidential Information of the other party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind (but in no event using less than reasonable care). If the receiving party is compelled by law to disclose Confidential Information of the disclosing party, it shall provide the disclosing party with prior written notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at disclosing party's cost, if the disclosing party wishes to contest the disclosure, and any information so disclosed shall continue to be treated as Confidential Information for all other purposes.

    2. Remedies. Except as expressly provided in this Agreement, if the receiving party discloses or uses (or threatens to disclose or use) any Confidential Information of the disclosing party in breach of confidentiality protections hereunder, the disclosing party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being specifically acknowledged by the parties that any other available remedies may be inadequate.

    3. Use of Aggregate Data.. Customer agrees that Coupa may collect, use and disclose quantitative data derived from the use of the Hosted Applications for industry analysis, benchmarking, analytics, marketing, and other business purposes.  All data collected, used, and disclosed will be in aggregate form only and will not identify Customer or its Users.

  7. WARRANTIES

    1. Coupa’s Obligations. Coupa warrants that during the Subscription Term (i) Customer’s production instances of the Hosted Applications shall materially conform to the Documentation and (ii) that the functionality of the Hosted Applications at the time of the Order Form shall not materially decrease during the Subscription Term.

    2. Procedure. To submit a warranty claim under this Section, Customer shall (1) reference this Section; and (2) submit a support request to resolve the non-conformity as provided in the Subscription Schedule. If the non-conformity persists without relief more than thirty (30) days after written notice of a warranty claim provided to Coupa under this Section, then Customer may terminate the affected Hosted Applications and Coupa, as its sole liability in connection with a breach of this warranty, shall refund to Customer any prepaid subscription fees covering the remainder of the Subscription Term of the affected subscription after the effective date of termination. Notwithstanding the foregoing, this warranty shall not apply to any non-conformity due to any modification of or defect in the Hosted Applications that is made or caused by someone other than Coupa (or someone acting at Coupa’s direction).

  8. INDEMNIFICATION

    1. Coupa’s Obligations. Subject to this Agreement, Coupa shall: (i) defend Customer, its officers, directors and employees against any third party suit, claim, or demand (each a “Claim”) that alleges the Hosted Applications used in accordance with this Agreement and the applicable Order Form infringe any issued patent, copyright, trademark or misappropriation of any trade secret of, such third party; and (ii) pay any court-ordered award of damages or settlement amount to the extent arising from such Claims. Notwithstanding the foregoing, if Coupa reasonably believes that Customer’s use of any portion of the Hosted Applications is likely to be enjoined by reason of any Claims then Coupa may, at its expense and in its sole discretion: (i) procure for Customer the right to continue using the Hosted Applications; (ii) replace the same with other products of substantially equivalent functions and efficiency that are not subject to any Claims of infringement; or (iii) modify the applicable Hosted Applications so that there is no longer any infringement, provided that such modification does not materially and adversely affect the functional capabilities of the Hosted Applications as set out herein or in the applicable Order Form. If (i), (ii), and (iii) above are not available on commercially reasonable terms in Coupa’s judgment, Coupa may terminate the affected Hosted Applications and refund to Customer the fees paid by Customer covering the remaining portion of the applicable Subscription Term for the affected Hosted Applications after the date of termination. The foregoing indemnification obligation of Coupa shall not apply: (1) if the Hosted Application is modified by any party other than Coupa, but solely to the extent the alleged infringement is related to such modification; (2) the Hosted Application is combined with other non-Coupa products, applications, or processes not authorized by Coupa, but solely to the extent the alleged infringement is related to such combination; (3) to the extent the Claim arises in connection with any unauthorized use of the Hosted Application, or use that is not in compliance with all applicable laws and related Documentation; (4) to any third party products, processes or materials that are not provided by Coupa; or (5) to any Claims arising as a result of the content of the Customer Data. THIS SECTION SETS FORTH COUPA’S SOLE LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY CLAIM OF INTELLECTUAL PROPERTY INFRINGEMENT.

    2. Customer’s Obligations. Customer shall defend Coupa, its officers, directors, and employees against any expense, liability, loss, damage or costs (including reasonable attorneys' fees), each to the extent payable to a third party, incurred in connection with Claims made or brought against Coupa by a third party arising from or relating to the Customer Data or a dispute between Customer and its suppliers arising from Customer’s use of the Hosted Applications to exchange information with or conduct business with such supplier. To the extent affected by the following, Customer’s indemnification obligation shall not apply: (1) if the Customer Data is modified by Coupa or by any party under Coupa’s control, without Customer’s authorization but solely to the extent the Claim is caused by such modification or (2) to any use or disclosure of the Customer Data by Coupa not contemplated by this Agreement.

    3. Process. Each party's indemnity obligations are subject to the following: (i) the indemnified party shall promptly notify the indemnifier in writing of any Claims; (ii) the indemnifier shall have sole control of the defense and all related settlement negotiations with respect to any Claims (provided that the indemnifier may not settle any Claims that require the indemnified party to admit any civil or criminal liability or incur any financial obligation without the indemnified party’s consent, which consent shall not be unreasonably withheld); and (iii) the indemnified party shall cooperate fully to the extent necessary at the indemnifier’s cost in such defense and settlement.

  9. DISCLAIMER AND LIMITATIONS OF LIABILITY

    1. ISCLAIMER OF WARRANTIES. EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, COUPA DOES NOT MAKE ANY OTHER REPRESENTATION, WARRANTY, OR GUARANTY, AS TO THE RELIABILITY, TIMELINESS, QUALITY, SUITABILITY, AVAILABILITY, ACCURACY OR COMPLETENESS OF THE SERVICES PROVIDED OR OFFERED HEREUNDER. EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE SERVICES PROVIDED TO CUSTOMER HEREUNDER ARE PROVIDED STRICTLY ON AN “AS IS” BASIS AND ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT OF THIRD PARTY RIGHTS OR ANY WARRANTIES ARISING FROM USAGE OF TRADE, COURSE OF DEALING OR COURSE OF PERFORMANCE ARE HEREBY DISCLAIMED TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.

    2. LIMITATIONS OF LIABILITY. TO THE EXTENT PERMITTED BY LAW, NEITHER PARTY’S TOTAL AND AGGREGATED LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT OR THE SERVICES PROVIDED HEREUNDER WHETHER BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE) OR ANY OTHER LEGAL OR EQUITABLE THEORY, SHALL EXCEED THE AMOUNTS ACTUALLY PAID BY AND/OR DUE FROM CUSTOMER IN THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH LIABILITY UNDER THIS AGREEMENT. THE EXISTENCE OF MORE THAN ONE CLAIM SHALL NOT ENLARGE THIS LIMIT. THE LIMITATIONS IN THIS SECTION SHALL NOT APPLY TO  CUSTOMER’S OBLIGATION TO PAY FEES LEGALLY OWED UNDER THIS AGREEMENT, each party’s indemnification obligations under section 8, or INFRINGEMENT BY A PARTY OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS.

    3. EXCLUSION OF DAMAGES. IN NO EVENT SHALL EITHER PARTY BE LIABLE UNDER THE AGREEMENT FOR ANY INDIRECT, PUNITIVE, SPECIAL, EXEMPLARY, INCIDENTAL, CONSEQUENTIAL OR OTHER DAMAGES OF ANY TYPE OR KIND (INCLUDING LOSS OF DATA, REVENUE, PROFITS, USE OR OTHER ECONOMIC ADVANTAGE), REGARDLESS OF THE CAUSE, ARISING OUT OF OR IN CONNECTION WITH THE AGREEMENT OR THE SERVICES provided hereunder, EVEN IF THE PARTY FROM WHICH DAMAGES ARE BEING SOUGHT HAS BEEN PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    4. GROSS NEGLIGENCE; WILLFUL MISCONDUCT. NOTHING HEREIN SHALL LIMIT A PARTY’S LIABILITY IN AN ACTION IN TORT (SEPARATE AND DISTINCT FROM A CAUSE OF ACTION FOR BREACH OF THIS AGREEMENT) FOR THE PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT.

  10. TERM; TERMINATION

    1. Term. The Agreement commences on the Effective Date and continues until all Order Forms subject to this Agreement have expired or terminated, unless this Agreement is earlier terminated in accordance with this Section 10. User subscriptions commence on the subscription start date specified in the relevant Order Form and continue for the Subscription Term specified therein. Unless otherwise provided in the Order Form, user subscriptions shall automatically renew for additional periods of one year on the same terms unless either party gives the other notice of non-renewal or a new price quote at least 30 days prior to the end of the relevant Subscription Term.

    2. Termination. A party may immediately terminate this Agreement for cause: (i) upon 30 days written notice of a material breach to the other party if such breach remains uncured at the expiration of such period or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors that is not dismissed within sixty (60) days of its commencement or an assignment for the benefit of creditors. Upon any termination for cause by Customer, Coupa shall refund any prepaid fees covering the remainder of the Subscription Term after the effective date of termination. Termination shall not relieve Customer of the obligation to pay any fees accrued or payable to Coupa prior to the effective date of termination.

    3. Return of Customer Data. Upon Customer’s written request within 30 days after the effective date of termination, Coupa shall make available for download a file of Customer Data in comma separated value (.csv) format along with attachments in their native format. After such 30-day period, Coupa shall have no obligation to maintain or provide any Customer Data and may thereafter, unless legally prohibited, delete all Customer Data in its systems or otherwise in its possession or under its control.

    4. Transition Services.  Upon termination of the Agreement, at Customer’s election, Coupa shall provide transition services to facilitate the orderly and complete transfer of the Customer Data to Customer or to any replacement provider designated by Customer (“Transition Services”), provided that the scope and fees of the Transition Services shall be mutually agreed to by the parties in a statement of work prior to commencing Transition Services.  Notwithstanding the provisions of this subsection, in no event shall Coupa be required to disclose any of its Confidential Information or provide a license under any of its intellectual property to Customer or any third party as part of the Transition Services. For the avoidance of doubt, Customer shall continue to pay the subscription fees for the use of the Hosted Applications during the transition period.

    5. Survival. Upon expiration or termination of the Agreement, Sections 1 (Definitions),  3.2 (Restrictions), 4.1 (Billing and Payment of Fees), 5 (Proprietary Rights), 6 (Confidential Information), 8 (Indemnification), 9 (Disclaimer and Limitations of Liability), 10 (Term; Termination), and 11 (General Provisions) of this Agreement shall survive.

  11. GENERAL PROVISIONS

    1. Compliance with Laws and Export Control. Each party shall comply with all applicable laws and government regulations, including the export laws and regulations of the United States and other applicable jurisdictions, in connection with providing and using the Hosted Applications and/or Coupa Platform. Without limiting the foregoing, (i) each party represents that it is not named on any government list of persons or entities prohibited from receiving exports, and (ii) Customer shall not, and shall ensure that Users do not violate any export embargo, prohibition, restriction or other similar law in connection with this Agreement.

    2. Notice. Except as provided elsewhere in this Agreement, either party may give notice by written communication sent by next-day mail delivered by a nationally recognized delivery service: (i) if to Customer, to Customer’s address on record in Coupa’s account information or (ii) if to Coupa, to 1855 S. Grant Street, San Mateo, CA 94402, addressed to the attention of: Legal Dept. Such notice shall be deemed to have been given upon the expiration of 48 hours after mailing.

    3. Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld). Notwithstanding the foregoing, either party may assign this Agreement in its entirety (including all Order Forms), without consent of the other party, to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.

    4. Dispute Resolution. This Agreement shall be governed by California law and controlling United States federal law, without regard to the choice or conflicts of law provisions of any jurisdiction and without regard to the United Nations Convention on the International Sale of Goods or the Uniform Computer Information Transactions Act. Any disputes, actions, claims or causes of action arising out of or in connection with this Agreement (“Dispute”) shall be subject to the exclusive jurisdiction of the state and federal courts located in San Francisco, California (and the parties hereby consent to jurisdiction and venue in the U.S. federal courts located in the Northern District of California). However, notwithstanding the above, any Dispute shall be submitted to and finally settled by arbitration in San Francisco, California for any arbitration, using the English language in accordance with the Arbitration Rules and Procedures of the Judicial Arbitration and Mediation Services, Inc. (JAMS) then in effect, by one or more commercial arbitrator(s) with substantial experience in the industry and in resolving complex commercial contract disputes. Judgment upon the award so rendered may be entered in a court having jurisdiction or application may be made to such court for judicial acceptance of any award and an order of enforcement, as the case may be. Notwithstanding the foregoing, each party shall have the right to institute an action in any court of proper jurisdiction for injunctive relief. The prevailing party in any dispute arising under this Agreement shall be awarded its reasonable attorney fees and costs.

    5. Entirety. The Agreement comprises the entire agreement between Customer and Coupa and supersedes all prior or contemporaneous negotiations, discussions or agreements, whether written or oral, between the parties regarding the subject matter contained herein. In the event of any conflict between this Agreement and the Order Form, the Order Form shall govern. No text or information set forth on any other purchase order, preprinted form or document shall add to or vary the terms and conditions of this Agreement. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision(s) shall be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect. Customer agrees that Customer’s purchase of any subscription is neither contingent upon the delivery of any future functionality or features nor dependent upon any oral or written comments made by Coupa with respect to future functionality or features. No joint venture, partnership, employment, or agency relationship exists between Customer and Coupa as a result of the Agreement or use of the Hosted Applications or Coupa Platform. The failure of a party to enforce any right or provision in this Agreement shall not constitute a waiver of such right or provision.

    6. Force Majeure. No party shall be liable or responsible to the other party, nor be deemed to have defaulted under or breached this Agreement, for any failure or delay in fulfilling or performing any term of this Agreement (excluding Customer’s failure to pay amounts owed when due), when and to the extent such failure or delay is caused by or results from acts beyond the affected party’s reasonable control, including without limitation: strikes, lock-outs or other industrial disputes (whether involving its own workforce or a third party’s), trespassing, sabotage, theft or other criminal acts, cyber-attacks, failure of energy sources or transport network, acts of God, export bans, sanctions and other government actions, war, terrorism, riot, civil commotion, interference by civil or military authorities, national or international calamity, armed conflict, malicious damage, breakdown of plant or machinery, nuclear, chemical or biological contamination, explosions, collapse of building structures, fires, floods, storms, earthquakes, epidemics or similar events, natural disasters or extreme adverse weather conditions (each a “Force Majeure Event”). The party suffering a Force Majeure Event shall use reasonable efforts to mitigate against the effects of such Force Majeure Event.


EXHIBIT A - SUBSCRIPTION SCHEDULE EXHIBIT

A-1: TECHNICAL SUPPORT

The following describes the technical support services (“Technical Support”) Coupa shall provide for the support level purchased by Customer (“Support Level”) as stated on the Order Form. The following terms may be updated from time to time, however, for each Order Form, the terms effective as of the execution of the Order Form shall apply for the duration of the applicable Subscription Term.

  1. 1. Scope. The purpose of Technical Support is to address defects in the Hosted Applications that prevent them from performing in substantial conformance with the applicable Documentation. A resolution to such a defect may consist of a fix, workaround or other relief reasonably determined by Coupa’s Technical Support staff.
  2. 2. Online Support Portal. The Support Portal includes an online knowledge base, best practices for use of the Hosted Applications, and a portal for the Designated Support Contacts (as defined below) to submit support tickets.
  3. 3. Live Phone Support. Coupa personnel is available to provide Technical Support to Customer, depending on the Support Level (as defined below) purchased by Customer.
  4. 4. Severity Levels. Each support ticket shall be categorized by Customer into one of the following severity levels.
  5. Severity

    Definition

    Level 1

    Severe error that results in the Hosted Applications experiencing complete unavailability and halting transactions with no workaround.

    Level 2

    Serious error that results in a major function of the Hosted Applications suffering a reproducible problem causing either major inconvenience to Users or consistent failure in a common functionality.

    Level 3

    Error that results in a common functionality experiencing an intermittent problem or a consistent failure in a less common functionality.

    Level 4

    Service requests such as sandbox refreshes, SSO setups, and other how-to type of questions.

  6. 5. Support Levels
  7. Support Level

    Silver

    Gold

    Platinum

    Online Ticket Submission

    Yes

    Yes

    Yes

    Phone Support

    Weekdays (8 am to 6 pm at Customer’s headquarters)

    24x7 for Severity 1 cases

    24x7 for Severity 1 cases

    Designated Support Contacts

    Maximum of 3

    Maximum of 5

    Maximum of 7

    Response Times

     

     

     

    Severity 1

    1 Business Day

    4 Hours

    2 Hours

    Severity 2

    2 Business Days

    1 Business Day

    4 Hours

    Severity 3

    4 Business Days

    3 Business Days

    3 Business Days

    Severity 4

    7 Business Days

    7 Business Days

    7 Business Days

  8. 6. Customer Responsibilities
  9. (a) Customer shall designate no more than the number of Coupa Platform administrators (“Designated Support Contacts”) set forth above who may contact and interact with Coupa in connection with Technical Support requests. Customer’s Designated Support Contacts shall answer questions and resolve issues as needed when they arise from other Users of the Hosted Applications. Customer’s Designated Support Contacts enter support request tickets, work through Technical Support issues with Coupa, and take action as needed to implement the resolution to the issue. Customer agrees that Coupa may communicate, and follow instructions to make changes to Customer Data and/or Customer’s instances, with its Designated Support Contacts via email, phone or through the Support Portal.
    (b) Customer shall ensure that Customer’s Designated Support Contacts are trained on the use and administration of the Hosted Applications.
    (c) Customer shall ensure that the name, contact and other information for these Designated Support Contacts are current in the Support Portal. Customer may replace Designated Support Contacts by updating the applicable information in the Support Portal, provided that at no time may Customer have more than the number of Designated Support Contacts permitted based on its Support Level.

  10. 7. Support Exclusions
    Coupa is not required to provide resolutions for immaterial defects or defects due to modifications of the Hosted Applications made by anyone other than Coupa (or anyone acting at Coupa’s direction). The following are also excluded from Technical Support:
    • • Implementation services
    • • Configuration services
    • • Integration services
    • • Customization services or other custom software development
    • • Training
    • • Assistance with administrative functions

  11. 8. Update Process

    Coupa shall use commercially reasonable efforts to (1) monitor the Hosted Applications and related infrastructure for opportunities to address performance, availability and security issues; and (2) at Coupa’s discretion, deliver functionality enhancements to address customer and market requirements to improve such Hosted Applications based on Coupa innovation.

    Coupa’s update and release process, as updated from time to time, is described at https://success.coupa.com/Success/Release_Management/01_Release_Types (“Update Process”).  Customer shall upon notice comply with the Update Process and understands that only the latest release of the Coupa Platform and Hosted Applications contains the most current features, availability, performance and security, including software fixes. Coupa is not responsible for product defects or security issues affecting the Hosted Applications or failure to meet the Uptime SLA (defined in Exhibit A-2) for Hosted Applications when Customer is not in compliance with the Update Process.


EXHIBIT A-2: SERVICE LEVEL AGREEMENT (SLA)

  1. 1. If service outages result in a failure of any production instance of a Hosted Application to meet an uptime availability requirement of 99.8% over a calendar month (“Uptime SLA”), Customer’s sole and exclusive remedy shall be a service credit equal to the greater of:
    (a) Ten percent (10%) of the subscription fees set forth in the applicable Order Form for the applicable Hosted Application for that calendar month; or
    (b) The actual unavailability rate for that calendar month (as an example, if the Hosted Application has an uptime availability of 85% during a calendar month, then the service credit shall be fifteen percent (15%) of the applicable subscription fees for that calendar month).

  2. 2. The following events shall be excluded in calculating Uptime SLA:
    (a) Planned maintenance windows, which are described at https://success.coupa.com/Success/Release_Management/03_Maintenance_Window; and
    (b) Emergency maintenance required to address an exigent situation with the Hosted Application or Coupa Platform that if not addressed on an emergency basis could result in material harm to the Hosted Application or Coupa Platform. Coupa shall provide advance notice of emergency maintenance via the Support Portal to the extent practicable.
    (c) Any unavailability caused by circumstances beyond Coupa’s reasonable control, including without limitation, unavailability due to Customer or its Users’ acts or omissions, a Force Majeure Event, Internet service provider failures or delays, failure or malfunction of equipment or systems not belonging to or controlled by Coupa,

  3. Items (a) – (c) collectively, “Excused Downtime”.
    Coupa reserves the right to perform planned maintenance outside the target periods above if circumstances require, and Coupa shall provide prior notice to Customer via the Support Portal before doing so.

  4. 3. Uptime SLA is calculated as follows:
  5. 4. Customer must request all service credits in writing to Coupa within thirty (30) days of the end of the month in which the Uptime SLA was not met, including identifying the period Customer’s production instance of the Hosted Applications was not available. Coupa shall apply the service credit during Customer’s next billing cycle unless the service credit is reasonably disputed by Coupa, in which case Customer and Coupa shall work together in good faith to resolve such dispute in a timely manner. The total amount of service credits for any month may not exceed the applicable monthly subscription fee for the affected Hosted Applications, and has no cash value (unless a service credit is owed at the termination or expiration of this Agreement without a renewal order, in which case, such service credit shall be paid to Customer within ninety (90) days of the end of the Subscription Term). Uptime and other system performance metrics can be found on trust.coupa.com.

EXHIBIT A-3: DATA SECURITY MEASURES

The following terms may be updated from time to time, however, for each Order Form, terms effective as of execution of the Order Form shall apply for the duration of the applicable Subscription Term.

  1. (A) ORGANIZATIONAL ACCESS CONTROL

  2. (i) Control Environment.
    Coupa employees are required to sign a written acknowledgement form documenting their receipt and understanding of the employee handbook and their responsibility for adhering to the policies and procedures therein. Employees are also required to sign a confidentiality agreement agreeing not to disclose proprietary or confidential information, including client information, to unauthorized parties.

  3. (ii) Access Administration.
    Coupa employees do not have direct access to Customer Data, except where necessary for Technical Support, system management, maintenance, backups and other purposes separately authorized by Customer in writing. Access to Customer Data is further restricted to technical and customer support staff on a need-to-know basis. When an employee or contractor no longer has a business need for these privileges, his or her access is revoked in a timely manner, even if he or she continues to be an employee or contractor of Coupa. Coupa’s policies require Coupa personnel to report any known security incidents to Coupa management, including the Coupa Security Officer, for investigation and action.

  4. (iii) Personnel Screening.
    Criminal background checks are performed for employees with access to Customer Data as a component of the hiring process.

  5. (iv) Security Awareness and Training.
    Coupa maintains a security awareness program that includes appropriate training of Coupa personnel on Coupa’s security program. Training is conducted at the time of hire and periodically in accordance with the Coupa Information Security Policy.

  6. (v) Subprocessors and Data Transfer.
    Coupa may engage Subprocessors and other Third Party Suppliers (each as defined below) to perform some of its obligations under the Agreement. Coupa shall ensure that Subprocessors only access and use Customer Data in accordance with the terms of the Agreement and that they are bound by written obligations to protect Customer Data. At the written request of Customer, Coupa shall provide additional information regarding Third Party Suppliers and their locations. Customer may send such requests to Data Privacy Officer at legalnotices@coupa.com. “Subprocessors” means Coupa affiliates and Third Party Suppliers that have access to, and process, Customer Data. “Third Party Suppliers” means the third party contractors and suppliers engaged by Coupa for the purpose of processing Customer Data in the context of the provision of  the Hosted Applications or Coupa Platform. As part of providing the Hosted Applications or Coupa Platform, Coupa may transfer, store and process Customer Data in the United States or any other country in which Coupa and its Subprocessors maintain facilities.

  7. (vi) Business Continuity Management Process.
    Coupa shall maintain a business continuity plan (BCP) that defines the processes and procedures for the company to follow in the event of a disaster and shall review and shall regularly test Coupa’s disaster recovery plan to ensure that it is capable of recovering Coupa assets and continuing key Coupa business processes in a timely manner.

  8. (B) PHYSICAL ACCESS CONTROL

  9. (i) Physical Protection of the Data Centers.
    Physical access to data centers is strictly controlled by the cloud infrastructure provider (“IaaS Provider”, e.g., AWS, SoftLayer or Azure) both at the perimeter and at building ingress points by security staff. Authorized staff must pass a two-factor authentication to access data center floors which are monitored by cameras. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. The IaaS Provider only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee or contractor no longer has a business need for these privileges, his or her access is immediately revoked, even if he or she continues to be an employee or contractor of the IaaS Provider. All physical access to data centers is logged and audited routinely.

  10. (ii) Availability
    .
    Data centers are built in various global regions. All data centers are online and serving customers; no data center is “cold.” In case of failure, automated processes move Customer Data traffic away from the affected area. The datacenters have backup power and environmental protection systems, which are regularly maintained and tested.

  11. (iii) Disaster Recovery.
    Each customer environment has one (1) master and at least one (1)  slave instances that are mirrored continuously to one another.  These instances of the Hosted Applications are located in physically separate data centers.  Each Coupa production instance is backed up on a regular interval at the IaaS Provider.

  12. (iv) Fire Detection and Suppression.
    Automatic fire detection and suppression equipment has been installed to reduce risk and damage to data center environments.

  13. (v) Power.
    The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Data center facilities have power backup and environmental protection systems in the event of an electrical failure for critical and essential loads in the facility.

  14. (vi) Climate and Temperature.
    Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

  15. (vii) Monitoring.
    The IaaS Provider monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.


  16. (C) TECHNICAL SECURITY MEASURES

  17. (i) Database Protection.
    Database infrastructure is completely segregated from the application servers and the Internet via firewalls.

  18. (ii) Encryption.
    All communications are encrypted between the data exporter and the data centers using high-grade encryption (AES-256). Access to Coupa’s on-demand applications and services is only available through secure sessions (https) and only available with an authenticated login and password. Passwords are never transmitted or stored in their original form.

  19. (iii) Intrusion Protection.
    The application infrastructure is protected against intrusion by industry standard firewalls at the network, host, and application levels, and intrusion detection systems across all servers. Customer is prohibited from performing its own penetration on any system of Coupa or its supplier.

  20. (iv) Instance Isolation.
    Different IaaS instances are hosted on the same physical machine and are isolated from each other through the hypervisor layer. All packets pass through this layer, so that another instance has no more access to Customer’s instance than any other host on the Internet – the instances look like they are on separate physical hosts. Customer instances in the IaaS infrastructure have no access to raw disk devices, but instead are presented with virtualized disks.

  21. (v) Malicious Software Protection.
    Coupa and the IaaS Provider shall ensure that the Hosted Applications and the Coupa Platform include reasonably up-to-date versions of system security agent software which shall include reasonably current and tested malware protection, patches and anti-virus protection.

  22. (D) EXCLUSIONS
    If Customer installs, uses, or enables third party services that interoperate with the Hosted Applications then the Hosted Applications may allow such third party services to access, use, or otherwise process and transmit Customer Data. Coupa’s Security Program does not apply to any processing, storage, or transmission of any such Customer Data, and Coupa is not responsible for the security practices (or any acts or omissions) of such third party service providers with respect to data transmitted to and from such third party services. The Security Program excludes: (i) data or information shared with Coupa that is not stored in the applicable Coupa Platform; (ii) data in Customer’s virtual private network (VPN) or a third party network other than one that is under a subcontract with Coupa to assist Coupa in fulfilling its obligations in the Agreement; or (iii) any data used, processed, stored or transmitted by Customer or Users in violation of this Agreement.