BSM Applications
Procure
Powerful & Easy e-Procurement
Invoice
AP Automation, Compliance
Expense
Travel & Expense Management
Pay
B2B Payments and Working Capital
Spend Analysis
Predictive Spend Insights
Strategic Sourcing
Sophisticated Global Sourcing
Contract Management
Automate Contract Workflows
Contingent Workforce
Scalable Services Management
Supplier Management
Manage Suppliers
& 3rd-Party Risk
Treasury Management
Optimize Liquidity & Reduce Risk
Supply Chain Design
& Planning
Smarter Supply Chain Decisions
-
About Us
Why Coupa
Our Values
Innovation
Leadership Team
Board of Directors
Investors
Our Offices
-
Careers
Careers Overview
Job Openings
Life & Benefits
Diversity, Equity, & Inclusion
-
News
News Articles
Press Releases
Awards
Press Kit
Blog
Executive Advisory Board
-
Events
Events Overview
Inspire
Webinars
Logins
Languages
Coupa’s Commitment
We are committed to providing Spend Management solutions the Coupa Business Spend Management Platform to our customers in compliance with applicable laws and regulations in general and data privacy laws such as the EU General Data Protection Regulation (GDPR) in particular.
We seek to partner with our customers and their users to help them understand how we achieve data privacy compliance as processor and how the Coupa platform enables our customers to achieve data privacy compliance as controller.
This website generally outlines our approach to GDPR compliance.
GDPR and what it means for you
Effective as of May 25, 2018 the GDPR replaced the former EU Data Protection Directive. Unlike the Data Protection Directive, the GDPR has a direct effect in all EU member states without any need for local implementing legislation and overrides previously existing national privacy laws.
Besides strengthening and standardizing user data privacy across the EU nations, the GDPR requires new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.
Whenever the GDPR applies to our customers they are deemed the controller of the personal data included on the Coupa platform and Coupa is deemed the processor. As such, both Coupa and our customers have to comply with their respective obligations under the GDPR accordingly. One side of these obligations relates to the controller-processor relationship, while the other side relates to the controller obligations vis-à-vis the data subject, typically the user of the Coupa platform (i.e. employees, contractors and partners of our customers).
We expect our customers and their users to comply with all applicable laws and regulation in connection with the use of the Coupa platform, in particular making sure, that our customers have all rights and consents necessary to allow Coupa to use and process such data.
As a service provider, Coupa is committed to supporting our customers in their compliance activities, including as outlined in GDPR Chapter III (Rights of the data subject), most notably the rights of access and rectification (Art. 15 + 16 GDPR), right to erasure or ‘right to be forgotten’ (Art. 17 GDPR), right to data portability (Art. 20 GDPR), and right not to be subject to automated decision-making, including profiling (Art. 22 GDPR).
Living GDPR @ Coupa
Data privacy is at the heart of Coupa’s operating model. Our existing Coupa compliance program is comprehensive and based on globally accepted standards. It includes compliance certifications such as ISO 27001, SOC1, SOC2 and the TÜV Rheinland Certified Cloud Service. In light of the GDPR, our Legal, Security, Cloud Operations and Product teams have operated a Coupa GDPR readiness project where a dedicated group of internal & external compliance experts have worked diligently towards meeting the May 2018 deadline. The same team continues to support GDPR compliance and keeps an eye on new developments in the market.
Top 5 Priorities for GDPR compliance
(*The following section refers to the Gartner Blog “Smarter with Gartner” on GDPR)
Gartner lists the top 5 priorities for organizations to focus on to ensure compliance when GDPR applies to them.
Below we explain Coupa’s position relating to these priorities:
#1 - Determine Your Role Under the GDPR
As a cloud-based spend management provider, Coupa is processing data on behalf of its customers using the Coupa platform; therefore, Coupa is seen as a data processor under the GDPR. In light of existing data privacy laws and data security measures generally expected from a global cloud service provider such as Coupa, we have implemented an information security program consisting of policies and procedures to help ensure that Coupa is acting in accordance with current and new compliance requirements when providing our services.

#2 - Appoint a Data Protection Officer
The GDPR requires some organisations to designate a Data Protection Officer (DPO). Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations who process what is known as sensitive personal data on a large scale. At Coupa we have appointed a DPO in line with the GDPR.

#3 - Demonstrate Accountability in All Processing Activities
Our Coupa compliance program is already comprehensive and based on globally accepted standards. Its effectiveness is periodically attested to by 3rd parties under various compliance certifications (e.g., ISO 27001, SOC1, SOC2). Coupa has implemented an information security program consisting of policies and procedures that define how system information is entered, managed, and protected. Coupa’s current information security program is further specified in our Master Subscription Agreement (MSA) as well as our Data Processing Agreement (DPA). In particular, Coupa commits to monitor, analyse and respond to security incidents in a timely manner in accordance with Coupa’s standard operating procedure, which sets forth the steps that Coupa employees must take in response to a threat or security incident. Coupa continues to invest in a growing global security team, a group of well trained and experienced talents with industry expertise that includes technical, policy and legal experts in combination with a strong network of external specialists.

#4 - Check Cross-Border Data Flows
Both the repealed Data Protection Directive and now the GDPR permit personal data transfers outside of the EU subject to compliance with defined conditions, including conditions for onward transfer. When a customer contracts with Coupa, we can enter into a Data Processing Agreement (DPA) with applicable customers. In the DPA, we agree with our customer on the terms for the compliant processing of customer personal data, including the description of our security and data privacy policy and the EU standard contractual clauses.

#5 - Prepare for Data Subjects Exercising Their Rights
Within the Coupa platform, our customers use the personal data of their users to interact with each other in order to better manage their spend. These acting individuals are the data subjects and our customers - acting as data controllers - need to be able to answer certain legitimate requests under the GDPR. As such, our customers will look to Coupa as service provider and data processor to offer functionalities within the Coupa platform that enable our customers to achieve compliance. Our internal product design processes are focused on the user and their positive and productive experience on the Coupa platform. In light of GDPR, Coupa periodically reviews the Coupa platform features in order to validate that the Coupa platform provides the required functionalities to our customers.

Staying Current
Ensuring the privacy and security of our customer’s data is an ongoing commitment for Coupa. We will update this website to reflect any GDPR-related developments. If you have any questions, please contact us via e-mail ([email protected]).
Additional Coupa Resources
Coupa GDPR White Paper
Coupa Security Data Sheet
Coupa Security Policies on success.coupa.com