Coupa’s Commitment

We are committed to providing Spend Management solutions, the Coupa Business Spend Management Platform, to our customers in compliance with applicable laws and regulations in general and data privacy laws such as the EU General Data Protection Regulation (GDPR) in particular.

We seek to partner with our customers and their users to help them understand how we achieve data privacy compliance as processor and how the Coupa platform enables our customers to achieve data privacy compliance as controller.

This website generally outlines our approach to GDPR compliance.

GDPR and what it means for you

Effective as of May 25, 2018 the GDPR replaced the former EU Data Protection Directive. Unlike the Data Protection Directive, the GDPR has a direct effect in all EU member states without any need for local implementing legislation and overrides previously existing national privacy laws.

Besides strengthening and standardizing user data privacy across the EU nations, the GDPR imposes new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.

Whenever the GDPR applies to our customers they are deemed the controller of the personal data included on the Coupa platform and Coupa is deemed the processor. As such, both Coupa and our customers have to comply with their respective obligations under the GDPR accordingly. One side of these obligations relates to the controller-processor relationship, while the other side relates to the controller obligations vis-à-vis the data subject, typically the user of the Coupa platform (i.e. employees, contractors and partners of our customers).

We expect our customers and their users to comply with all applicable laws and regulations in connection with the use of the Coupa platform, in particular making sure that our customers have all rights and consents necessary to allow Coupa to use and process such data.

As a service provider, Coupa is committed to supporting our customers in their compliance activities, including as outlined in GDPR Chapter III (Rights of the data subject), most notably the rights of access and rectification (Art. 15 + 16 GDPR), right to erasure or ‘right to be forgotten’ (Art. 17 GDPR), right to data portability (Art. 20 GDPR), and right not to be subject to automated decision-making, including profiling (Art. 22 GDPR).

Living GDPR @ Coupa

Data privacy is at the heart of Coupa’s operating model. Our existing Coupa compliance program is comprehensive and based on globally accepted standards. It includes compliance certifications such as ISO 27001, SOC1, SOC2 and the TÜV Rheinland Certified Cloud Service. In light of the GDPR, our Legal, Security, Cloud Operations and Product teams have operated a Coupa GDPR readiness project where a dedicated group of internal & external compliance experts have worked diligently towards meeting the May 2018 deadline. The same team continues to support GDPR compliance and keeps an eye on new developments in the market.

Top 5 Priorities for GDPR compliance

(*The following section refers to the Gartner Blog “Smarter with Gartner” on GDPR)

Gartner lists the top 5 priorities for organizations to focus on to ensure compliance when GDPR applies to them.

Below we explain Coupa’s position relating to these priorities:

#1 - Determine Your Role Under the GDPR

As a cloud-based spend management provider, Coupa is processing data on behalf of its customers using the Coupa platform; therefore, Coupa is seen as a data processor under the GDPR. In light of existing data privacy laws and data security measures generally expected from a global cloud service provider such as Coupa, we have implemented an information security program consisting of policies and procedures to help ensure that Coupa is acting in accordance with current and new compliance requirements when providing our services.

#2 - Appoint a Data Protection Officer

The GDPR requires some organisations to designate a Data Protection Officer (DPO). Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations that process what is known as sensitive personal data on a large scale. At Coupa we have appointed a DPO in line with the GDPR.

#3 - Demonstrate Accountability in All Processing Activities

Our Coupa compliance program is already comprehensive and based on globally accepted standards. Its effectiveness is periodically attested to by third parties under various compliance certifications (e.g., ISO 27001, SOC1, SOC2). Coupa has implemented an information security program consisting of policies and procedures that define how system information is entered, managed, and protected. Coupa’s current information security program is further specified in our Master Subscription Agreement (MSA) as well as our Data Processing Agreement (DPA). In particular, Coupa commits to monitor, analyse and respond to security incidents in a timely manner in accordance with Coupa’s standard operating procedure, which sets forth the steps that Coupa employees must take in response to a threat or security incident. Coupa continues to invest in a growing global security team, a group of well-trained and experienced professionals with industry expertise that includes technical, policy and legal experts, in combination with a strong network of external specialists.

#4 - Check Cross-Border Data Flows

Both the repealed Data Protection Directive and now the GDPR permit personal data transfers outside of the EU subject to compliance with defined conditions, including conditions for onward transfer. When a customer contracts with Coupa, we can enter into a Data Processing Agreement (DPA) with applicable customers. In the DPA, we agree with our customer on the terms for the compliant processing of customer personal data, including the description of our security and data privacy policy and the EU standard contractual clauses.

#5 - Prepare for Data Subjects Exercising Their Rights

Within the Coupa platform, our customers use the personal data of their users to interact with each other in order to better manage their spend. These acting individuals are the data subjects, and our customers, acting as data controllers, need to be able to answer certain legitimate requests under the GDPR. As such, our customers will look to Coupa as service provider and data processor to offer functionalities within the Coupa platform that enable our customers to achieve compliance. Our internal product design processes are focused on the user and their positive and productive experience on the Coupa platform. In light of GDPR, Coupa periodically reviews the Coupa platform features in order to validate that the Coupa platform provides the required functionalities to our customers.

Staying Current

Ensuring the privacy and security of our customers’ data is an ongoing commitment for Coupa. We will update this website to reflect any GDPR-related developments. If you have any questions, please contact us via e-mail (gdpr@coupa.com).

Additional External Resources

Legal Disclaimer - This website is provided for informational purposes only and should not be considered as a contractual commitment or legal advice and does not discuss other privacy-related laws or regulations that may also be relevant to our customers and prospects, including any industry specific requirements. The relevant privacy and data protection laws and regulations applicable to individual companies will depend on several factors, including but not limited to where a company conducts its business, the industry in which it operates, the type of content it wishes to store, where or from whom the content originates, and where the content will be stored.