Master Subscription Agreement

Version: 1 July 2021 (Global) rev 1
For a PDF download of this MSA and further information please go to

Coupa's MSA is a TermScout Certified Contract award winner

This Master Subscription Agreement (“Agreement”), between Coupa Software Inc. (“Coupa”) and the company or other legal entity (“Customer”) that has executed an Order Form (as defined below), is made as of the last signature date (“Effective Date”) on the first Order Form that references this Agreement. This Agreement incorporates by reference Exhibit A, which describes: (Exhibit A-1) technical support & update process; (Exhibit A-2) service level agreement; and (Exhibit A-3) data security measures.

    1. “Affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity; and "control" for the purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interest of the subject entity, provided that any such Affiliate shall be deemed an Affiliate only for so long as such control lasts. Customer Affiliates may purchase subscriptions to the Hosted Application that are subject to the terms and conditions of this Agreement by executing an Order Form hereunder.
    2. “Confidential Information” means all confidential and proprietary information of a disclosing party or any of its Affiliates disclosed by or on behalf of such party to the receiving party, whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including Customer Data, the Auditor’s Report, the terms and conditions of this Agreement (including pricing and other terms reflected in all Order Forms hereunder), business and marketing plans, technology and technical information, product designs, and business processes. Notwithstanding anything to the contrary, the Hosted Applications, Documentation, and Coupa Platform are deemed to be Confidential Information of Coupa. Confidential Information shall not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the disclosing party; (ii) was known to the receiving party without restriction prior to its disclosure by the disclosing party and without breach of any obligation owed to the disclosing party; (iii) was independently developed by the receiving party without either use of or reference to any Confidential Information or breach of any obligation owed to the disclosing party; or (iv) is received from a third party without restriction and without breach of any obligation owed to the disclosing party.
    3. “Coupa Platform” means any software and hardware that enables Coupa to provide Customer with access to and use of the Hosted Applications as contemplated by this Agreement.
    4. “Customer Data” means any data, information or material provided or submitted by Customer or on behalf of Customer to the Coupa Platform in the course of using the Hosted Applications.
    5. “Documentation” means the Coupa product documentation relating to the operation and use of the Hosted Applications, including technical program or interface documentation, operating instructions, update notes, and support knowledge base and updated from time to time by Coupa in accordance with Section 7.1.
    6. “Hosted Application(s)” means applications and associated content (as identified on an Order Form) to be provided by Coupa to Customer as a subscription service and made accessible on a website designated by Coupa or by other means as described in the Order Form.
    7. “Order Form” means an order form mutually executed by the parties evidencing the purchase of subscriptions to the Hosted Applications specifying, among other things, the Subscription Term, the number of Users, the applicable fees, and the billing period as agreed to between the parties. Each Order Form, once mutually executed, shall be governed by and become part of this Agreement, and is hereby incorporated by this reference.
    8. “Restricted Information” means (i) sensitive personal information as defined in Article 9 and 10 of the EU General Data Protection Regulation (GDPR) and other applicable data protection laws, and (ii) personal health information (meaning health or medical condition of an individual or the provision of health care to an individual).
    9. “Subscription Term” means the period(s) during which Customer is authorized to use the Hosted Applications pursuant to an Order Form.
    10. “Support” means the technical support as specified on the Order Form in accordance with the terms in Exhibit A-1.
    11. “Updates” means updates of the Hosted Applications for repairs, enhancements or new features applied by Coupa to Customer’s instances, including updates to the Documentation as a result of such updates, at no additional fee during the Subscription Term. Updates shall not include additional new functionality or upgrades to modules or applications that Customer has not already subscribed to in an Order Form and for which Coupa requires a separate charge from its other customers generally for such new modules or applications.
    12. “Users” means employees of Customer and its Affiliates and their representatives, consultants, contractors, subcontractors, or agents who are authorized to use the Hosted Applications by Customer or its Affiliates.
    1. Provision of the Hosted Applications. Coupa will make available to Customer, and Customer and its Affiliates are authorized to use, the Hosted Applications during the Subscription Term as set forth in an applicable Order Form for their internal business purposes in accordance with the Documentation.
    2. Support, Uptime & Updates. Coupa shall: (i) provide the level of support specified in the Order Form in accordance with Exhibit A-1; (ii) provide Updates at no additional charge as part of Customer’s subscription during the Subscription Term in accordance with Exhibit A-1; and (iii) make the Hosted Applications available in accordance with Exhibit A-2.
    3. Security. Coupa shall maintain a written information security program of policies, procedures and controls (“Security Program”) governing the processing, storage, transmission and security of Customer Data. The Security Program as of the Effective Date is set forth in Exhibit A-3. The Security Program shall include industry standard practices designed to protect Customer Data from unauthorized access, acquisition, use, disclosure, or destruction. Coupa may periodically review and update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, provided that any such update does not materially reduce the overall level of security provided to Customer as described herein.
    4. Breach Notification. Coupa shall report to Customer’s support contacts designated in Coupa’s customer support portal (“Support Portal”) the accidental or unlawful alteration, unauthorized disclosure of, or access to Customer Data (“Breach”) within 24 hours, after Coupa determines that a Breach has occurred, unless restricted by law. Accordingly, Coupa shall share information about the nature and consequences of the Breach that is reasonably requested by Customer to enable it to notify affected individuals, government agencies and/or credit bureaus. Customer has sole control over the content of Customer Data that it enters into the subscription service and is solely responsible for determining whether to notify impacted individuals and the applicable regulatory bodies or enforcement commissions and for providing such notice. Customer shall ensure that the support contacts designated in Coupa’s customer support portal be current and ready to receive any breach notification from Coupa.
    5. Privacy Regime. If and to the extent applicable, Coupa and Customer agree to comply with the relevant privacy exhibits made available at, each of which are incorporated by reference into this Agreement as Exhibit B: (Exhibit B-1) US Privacy Annex, (Exhibit B-2) EU Privacy Annex (DPA), and (Exhibit B-3) Brazil Privacy Annex.
    6. Audit Report. Coupa shall engage at its expense, an independent accounting firm to conduct, on an annual basis, an audit of Coupa’s operations with respect to the Hosted Applications in accordance with the Statement on Standards for Attestation Engagements No. 18 (the “SSAE 18”), and have such accounting firm issue SSAE 18, SOC 1 Type 2 and SOC 2 Type 2 reports (or substantially similar report of a successor auditing standard in the event the SSAE 18 auditing standard is no longer an industry standard) (the “Auditor’s Report”), which shall cover Coupa’s security policies, procedures, and controls. Customer may request access to a current copy of the Auditor’s Report at Additionally, if Customer has security questionnaires and/or survey requests to be completed by Coupa during the Subscription Term, Coupa will assist Customer by providing a security and compliance guide in response to such requests.
    7. Insurance Program. Coupa maintains an industry standard insurance program to help manage risk that contains terms no less stringent than the following: (a) Commercial General Liability Insurance with minimum limits of US$1,000,000 combined single limit and combined bodily injury and property damage per occurrence and US$2,000,000 dollars in the aggregate; (b) Commercial Automobile Liability Insurance providing coverage for owned, hired, and non-owned motor vehicles used in connection with this Agreement in an amount of not less than US$1,000,000 per accident combined single limit for bodily injury and property damage; (c) Umbrella Liability providing excess liability coverage in the minimum amount of US$5,000,000.00 per occurrence, to supplement the primary coverage provided in the policies listed above; (d) Professional Liability Insurance (Errors and Omissions Insurance), which policy also includes cyber-liability insurance for financial losses arising from destruction or corruption of data, including but not limited to privacy and data security breaches, virus transmission, unauthorized access, denial of service and loss of income from network security failures, with minimum limits of US$5,000,000.00; (e) Workers Compensation Insurance covering Coupa employees pursuant to applicable state laws, and at the maximum limits statutorily required for each such state; and (f) Commercial Crime Insurance including coverage for loss or damage resulting from theft committed by the Coupa’s employees, acting alone or in collusion with others, and coverage for computer crime, with a minimum per event and annual aggregate limit of US$2,000,000. Upon request, Coupa shall promptly furnish Customer with a certificate evidencing the coverages set forth above.
    1. User Accounts. Customer is responsible for activity occurring under its User accounts and shall ensure that it and its Users abide by all laws, treaties and regulations applicable to Customer’s use of the Hosted Applications. Customer shall: (i) notify Coupa promptly of any unauthorized use of any password or account or any other breach of security; (ii) notify Coupa promptly and use reasonable efforts to promptly stop any unauthorized use, copying, or distribution of the Hosted Applications that is known or suspected by Customer or its Users; (iii) not impersonate another Coupa user or provide false identity information to gain access to or use the Hosted Applications or Coupa Platform; and (iv) restrict each User account to only one authorized User at a time.
    2. Restrictions. Except as otherwise permitted under this Agreement, Customer shall not (i) license, sublicense, sell, resell, transfer, rent, lease, assign (except as provided in Section 11.4 (Assignment)), distribute, disclose, or otherwise commercially exploit the Hosted Applications; (ii) copy, modify or make derivative works based upon the Hosted Applications; (iii) “frame” or “mirror” the Hosted Applications on any other server or device; (iv) access the Hosted Applications for competitive purposes or use the Hosted Applications for application service provider, timesharing or service bureau purposes, or any purpose other than its own internal use, (v) decompile, disassemble, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of the Hosted Applications, (vi) remove, obscure or modify a copyright or other proprietary rights notice in the Hosted Applications; (vii) use the Hosted Applications to send or store infringing, obscene, threatening, libelous, or otherwise unlawful material; (viii) use the Hosted Applications to create, use, send, store, or run material containing software viruses, worms, Trojan horses or otherwise engage in any malicious act or disrupt the security, integrity or operation of the Hosted Applications or the Coupa Platform; (ix) attempt to gain or permit unauthorized access to the Hosted Applications or its related systems or networks; or (x) permit or assist any other party (including any User) to do any of the foregoing.
    3. User Reassignment. User subscriptions are for designated Users and cannot be shared or used by more than one User but may be reassigned to new Users replacing former Users who no longer require use of the Hosted Applications. Unless otherwise specified in the relevant Order Form, the replacement User shall be under the same Subscription Term of the original User.
    4. Additional Users. Additional Users may be purchased by signing an Order Form and unless otherwise specified in the relevant Order Form, the Subscription Term of additional Users shall be coterminous with the Subscription Term in effect at the time the additional Users are added.
    5. Restricted Information. Unless otherwise agreed by the parties in writing on an Order Form with reference to this Section 3.5, Customer shall not (and shall use commercially reasonable efforts to ensure that its suppliers do not) upload, provide or submit any Restricted Information to the Hosted Applications or Coupa Platform.
    6. Third Party Interactions.
      1. No Supplier Fees. Except as otherwise agreed on an Order Form, each party agrees that it shall not charge Customer’s suppliers for the right to interact with Customer through the Coupa Platform.
      2. Supplier Interactions. When using the Hosted Applications, Customer may enter into correspondence with and purchase goods and/or services from suppliers. Any such activities and associated terms are solely between Customer and the applicable third-party supplier and Coupa shall have no obligation or responsibility for such correspondence or purchase between Customer and such third-party supplier.
    1. Billing and Payment of Fees. Customer shall pay subscription fees annually in advance for use of the Hosted Applications. All payment obligations are non-cancellable, and all amounts paid are nonrefundable except as otherwise specified in this Agreement. Coupa shall issue invoices to Customer as specified in the Order Form and Customer agrees to pay such amounts not subject to a good faith dispute in accordance with the payment terms as specified in the Order Form and if any such undisputed invoice is more than 30 days overdue, Coupa may, without limiting its other rights and remedies, suspend the Hosted Applications until such undisputed invoice is paid in full. Coupa shall provide at least 30 days’ prior written notice to Customer of the payment delinquency before exercising any suspension right. Customer agrees to pay Coupa in the currency specified on the Order Form. If Customer believes its invoice is incorrect, Customer must contact Coupa in writing within 60 days of the date of the invoice containing the amount in question to be eligible to receive an adjustment or credit.
    2. Taxes. Coupa’s fees are exclusive of all taxes, levies, or duties imposed by taxing authorities, including for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, “Taxes”) and Customer shall be responsible for payment of all Taxes associated with this Agreement and all Order Forms, except that Coupa is solely responsible for taxes assessable against Coupa based on Coupa’s net income, property and employees. If Customer is legally entitled to an exemption from any sales, use, or similar transaction tax, upon signing an Order Form, Customer shall provide to Coupa with a legally sufficient tax exemption certificate for each taxing jurisdiction, and Coupa shall not charge Customer any taxes from which it is exempt. If any deduction or withholding is required by law, Customer shall notify Coupa and shall pay Coupa any additional amounts necessary to ensure that the net amount that Coupa receives, after any deduction and withholding, equals the amount Coupa would have received if no deduction or withholding had been required. Upon request, Customer shall provide documentation showing that the withheld and deducted amounts have been paid to the relevant taxing authority.
    1. Coupa’s Intellectual Property Rights. As between Coupa and Customer, all right, title, and interest in and to the Hosted Applications, Documentation, and Coupa Platform (including all rights therein, and all derivatives, translations, modifications and enhancements thereof) are, and shall remain, owned exclusively by Coupa notwithstanding any other provision in this Agreement, Order Form, or statement of work hereunder. This Agreement is not a sale and does not convey to Customer any rights of ownership in or related to the Hosted Applications, Coupa Platform, or Documentation. The Coupa name, logo and product names are trademarks of Coupa, and no right or license is granted to use them. All rights not expressly granted to Customer are reserved by Coupa. Coupa alone shall own all rights, title and interest in and to any suggestions, enhancement requests, feedback, or recommendations provided by Customer or any third party relating thereto.
    2. Customer Data. As between Customer and Coupa, Customer exclusively owns all rights, title and interest in and to all Customer Data. Customer shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership of and right to use all Customer Data, and hereby warrants that it has and will continue to have all rights and consents necessary to allow Coupa to use all such data as contemplated by this Agreement. Customer hereby grants to Coupa a royalty-free, fully paid, non-exclusive, non-transferable (except as set forth in Section 11.4 (Assignment)), sub-licensable, worldwide right and license to reproduce, use, process, transfer and store Customer Data solely for the purposes of performing Coupa’s obligations under this Agreement and any other activities expressly agreed to by Customer.
    3. Use of Aggregate Data. Customer agrees that as part of providing the Hosted Applications, Coupa may collect, use and disclose quantitative data derived from the use of the Hosted Applications for service improvements, industry analysis, benchmarking, analytics and supporting Customer's usage of the Hosted Applications. All data disclosed will be in aggregate and anonymous form only and will not identify Customer or its specific Users or its relationship to their suppliers.
    1. Obligations. The receiving party shall not disclose or use any Confidential Information of the disclosing party for any purpose outside the scope of this Agreement, except with the disclosing party's prior written permission. Each party agrees to protect the confidentiality of the Confidential Information of the other party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind (but in no event using less than reasonable care). If the receiving party is compelled by law to disclose Confidential Information of the disclosing party, it shall provide the disclosing party with prior written notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at disclosing party's cost, if the disclosing party wishes to contest the disclosure, and any information so disclosed shall continue to be treated as Confidential Information for all other purposes.
    2. Remedies. Except as expressly provided in this Agreement, if the receiving party discloses or uses (or threatens to disclose or use) any Confidential Information of the disclosing party in breach of confidentiality protections hereunder, the disclosing party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being specifically acknowledged by the parties that any other available remedies may be inadequate.
    1. Coupa’s Obligations. Coupa warrants, during the Subscription Term, that: (i) Customer’s production instances of the Hosted Applications shall materially conform to the Documentation; and (ii) the functionality of the Hosted Applications at the time of the Order Form shall not materially decrease during the Subscription Term.
    2. Procedure. To submit a warranty claim under this Section, Customer shall (1) reference that it is making a warranty claim under this Agreement, and (2) submit a support request to resolve the non-conformity as provided in the Subscription Schedule. If the non-conformity persists without relief more than thirty (30) days after written notice of a warranty claim provided to Coupa under this Section, then Customer may terminate the affected Hosted Applications and Coupa, as its sole liability in connection with a breach of this warranty, shall refund to Customer any prepaid subscription fees covering the remainder of the Subscription Term of the affected subscription after the effective date of termination. Notwithstanding the foregoing, this warranty shall not apply to any non-conformity due to any modification of or defect in the Hosted Applications that is made or caused by someone other than Coupa (or someone acting at Coupa’s direction).
    1. Coupa’s Obligations. Subject to Section 8.3, Coupa shall: (a) defend Customer, its officers, directors, and employees against any third party suit, claim, or demand (each a “Claim”) that alleges the Hosted Applications used in accordance with this Agreement and the applicable Order Form infringe any issued patent, copyright, trademark or misappropriate any trade secret of, such third party; and (b) pay any court-ordered award of damages or settlement amount which may include any expense, liability, loss, damage, costs or reasonable attorneys' fees, each to the extent payable to a third party, to the extent arising from such Claims. Notwithstanding the foregoing, if Coupa reasonably believes that Customer’s use of any portion of the Hosted Applications is likely to be enjoined by reason of any Claims then Coupa may, at its expense and in its sole discretion: (i) procure for Customer the right to continue using the Hosted Applications; (ii) replace the same with other products having substantially equivalent functions that are not subject to any Claims of infringement; or (iii) modify the applicable Hosted Applications so that there is no longer any infringement, provided that such modification does not materially and adversely affect the functional capabilities of the Hosted Applications as set out herein or in the applicable Order Form. If (i), (ii), and (iii) above are not available on commercially reasonable terms in Coupa’s judgment, Coupa may terminate the affected Hosted Applications and refund to Customer the fees paid by Customer covering the remaining portion of the applicable Subscription Term for the affected Hosted Applications after the date of termination. The foregoing indemnification obligation of Coupa shall not apply: (1) if the Hosted Application is modified by any party other than Coupa (or someone acting at Coupa’s direction), but solely to the extent the alleged infringement is related to such modification; (2) if the Hosted Application is combined with other non-Coupa products, applications, or processes not authorized in writing by Coupa, but solely to the extent the alleged infringement is related to such combination; (3) to the extent the Claim arises in connection with any unauthorized use of the Hosted Application, or use that is not in compliance with any applicable laws, regulations, and/or Documentation; (4) to any third party products, processes or materials that are not provided by Coupa; or (5) to any Claims arising as a result of the content of the Customer Data. THIS SECTION SETS FORTH COUPA’S SOLE LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY CLAIM OF INTELLECTUAL PROPERTY INFRINGEMENT.
    2. Customer’s Obligations. Subject to Section 8.3, Customer shall: (a) defend Coupa, its officers, directors, and employees against any Claim that arises from the Customer Data or that relates to a dispute between Customer and its supplier; and (b) pay any court-ordered award of damages or settlement amount which may include any expense, liability, loss, damage, costs, or reasonable attorneys' fees, each to the extent payable to a third party, to the extent arising from such Claims. Customer’s indemnification obligation shall not apply: (1) if the Customer Data is modified by Coupa or by any party under Coupa’s control, without Customer’s authorization but solely to the extent the Claim is caused by such modification; or (2) to the extent the Claim arises as a result of any use or disclosure of the Customer Data by Coupa not contemplated by this Agreement.
    3. Process. Each party's indemnity obligations are subject to the following: (i) the indemnified party shall promptly notify the indemnifier in writing of any Claims (provided, however, that the failure to give prompt written notice shall not limit the rights to indemnification except to the extent that the indemnifier is materially prejudiced by such failure); (ii) the indemnifier shall have sole control of the defense and all related settlement negotiations with respect to any Claims (provided that the indemnifier may not settle any Claims that require the indemnified party to admit any civil or criminal liability or incur any financial obligation without the indemnified party’s consent, which consent shall not be unreasonably withheld); and (iii) the indemnified party shall cooperate fully to the extent necessary at the indemnifier’s cost in such defense and settlement.
    1. Term. The Agreement commences on the Effective Date and continues until all Order Forms subject to this Agreement have expired or terminated, unless this Agreement is earlier terminated in accordance with this Section 10. User subscriptions commence on the subscription start date specified in the relevant Order Form and continue for the Subscription Term specified therein. Unless otherwise provided in the Order Form, user subscriptions shall automatically renew for additional periods of one year on the same terms unless either party gives the other notice of non-renewal or a new price quote at least 30 days prior to the end of the relevant Subscription Term.
    2. Termination. A party may immediately terminate this Agreement for cause: (i) upon 30 days written notice of a material breach to the other party if such breach remains uncured at the expiration of such period; or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors that is not dismissed within sixty (60) days of its commencement or an assignment for the benefit of creditors. Upon any termination for cause by Customer, Coupa shall refund any prepaid fees covering the remainder of the Subscription Term after the effective date of termination. Termination shall not relieve Customer of the obligation to pay any fees accrued or payable to Coupa prior to the effective date of termination.
    3. Return of Customer Data. Customer will have a period of 60 days after the effective date of termination of the Agreement (“Transition Period”) to download any Customer Data. Upon such request, at no additional cost to Customer, Coupa will promptly make available for download transactional records from standard objects included in the outbound integrations (e.g., requisitions, orders, invoices, expenses) in industry standard format (e.g., JSON, CSV) at time of decommissioning along with attachments in their native format (e.g., PDF, JPEG, etc.). For clarity, such data will not include system generated log files or Coupa specific configuration data. After the Transition Period, Coupa shall have no obligation to maintain or provide any Customer Data and may thereafter, unless legally prohibited, delete all Customer Data in its systems or otherwise in its possession or under its control. For purposes of clarification, archival copies of Customer Data will be maintained subject to Coupa’s standard data backup and retention processes and subject to Coupa’s confidentiality obligations herein.
    4. Transition Services. Additionally, if Customer elects to purchase transition services upon termination of the Agreement, Coupa shall provide transition services to facilitate the orderly and complete transfer of the Customer Data to Customer or to any replacement provider designated by Customer (“Transition Services”), provided that the scope and fees of the Transition Services shall be mutually agreed in a statement of work prior to commencing Transition Services. Notwithstanding the provisions of this section, in no event shall Coupa be required to disclose any of its Confidential Information or provide a license under any of its intellectual property to Customer or any third party as part of the Transition Services. For the avoidance of doubt, if Customer elects to receive Transition Services, Customer shall continue to pay pro-rated subscription fees for the use of the Hosted Applications during the transition period.
    5. Survival. Upon expiration or termination of the Agreement, Sections 1 (Definitions), 3.2 (Restrictions), 4.1 (Billing and Payment of Fees), 5 (Proprietary and Other Rights), 6 (Confidential Information), 7.3 (Disclaimer of Warranties), 8 (Indemnification), 9 (Limitations of Liability), 10 (Term; Termination), and 11 (General Provisions) of this Agreement shall survive.
    1. Compliance with Laws. Each party shall comply with all applicable laws and government regulations, including without limitation all applicable export laws and regulations, in connection with providing and using the Hosted Applications and/or Coupa Platform. Without limiting the foregoing, (i) each party represents that it is not named on any government list of persons or entities prohibited from receiving exports, and (ii) Customer shall not, and shall ensure that Users do not, violate any export embargo, prohibition, restriction or other similar law in connection with this Agreement.
    2. Force Majeure. No party shall be liable or responsible to the other party, nor be deemed to have defaulted under or breached this Agreement, for any failure or delay in fulfilling or performing any term of this Agreement (excluding Customer’s failure to pay amounts owed when due), when and to the extent such failure or delay is caused by or results from acts beyond the affected party’s reasonable control, including without limitation: strikes, lock-outs or other industrial disputes (whether involving its own workforce or a third party’s), trespassing, sabotage, theft or other criminal acts, cyber-attacks, failure of energy sources or transport network, acts of God, export bans, sanctions and other government actions, war, terrorism, riot, civil commotion, interference by civil or military authorities, national or international calamity, armed conflict, malicious damage, breakdown of plant or machinery, nuclear, chemical or biological contamination, explosions, collapse of building structures, fires, floods, storms, earthquakes, epidemics or similar events, natural disasters or extreme adverse weather conditions (each a “Force Majeure Event”). The party suffering a Force Majeure Event shall use reasonable efforts to mitigate against the effects of such Force Majeure Event. If the effects of the Force Majeure Event continue unmitigated for a period of 30 consecutive days, then either party may terminate this Agreement and/or any Order Form, upon written notice to the other party, and Coupa, as its sole liability, shall refund any prepaid fees covering the remainder of the Subscription Term of the affected subscription after the effective date of termination.
    3. Notice. Except as provided elsewhere in this Agreement, either party may give notice by written communication sent by next-day mail delivered by a nationally recognized delivery service: (i) if to Customer, to Customer’s address on record in Coupa’s account information or (ii) if to Coupa, to 1855 S. Grant Street, San Mateo, CA 94402, addressed to the attention of: Legal Department, with an email copy to [email protected]. Such notice shall be deemed to have been given upon the expiration of 48 hours after mailing.
    4. Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld). Notwithstanding the foregoing, either party may assign this Agreement in its entirety (including all Order Forms), without consent of the other party, to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.
    5. Governing Law, Jurisdiction and Dispute Resolution. The governing law, and place of jurisdiction for purposes of Section 11.6, shall be determined according to where the Customer is domiciled:

      Customer Domicile

      Governing Law

      Place of Jurisdiction



      United Kingdom

      The laws of England and Wales

      London, United Kingdom

      International Chamber of Commerce (ICC)


      EEA or Switzerland

      The laws of Switzerland

      Zurich, Switzerland

      International Chamber of Commerce (ICC)



      The laws of New South Wales

      Sydney, Australia

      Australian Centre for International Commercial Arbitration (ACICA)


      New Zealand

      The laws of New Zealand

      Auckland, New Zealand

      New Zealand International Arbitration Centre (NZIAC)


      China, Japan, India or in one of the ASEAN member states

      The laws of Singapore

      Singapore, Republic of Singapore

      Singapore International Arbitration Centre (SIAC)



      The laws of Ontario

      Toronto, Canada

      Judicial Arbitration and Mediation Services, Inc. (JAMS)


      in all other cases

      The laws of California and controlling United States federal law

      San Francisco, California, USA

      Judicial Arbitration and Mediation Services, Inc. (JAMS)

      This Agreement, and any disputes related to this Agreement or any Order Form, will be governed by the applicable Governing Laws above, without regard to conflicts of laws rules or the United Nations Convention on the International Sale of Goods.
      Any disputes, actions, claims or causes of action arising out of or in connection with this Agreement shall be submitted to and finally settled by arbitration using the English language in accordance with the Arbitration Rules and Procedures of the applicable Forum above then in effect, by one or more commercial arbitrator(s) with substantial experience in the industry and in resolving complex commercial contract disputes. Judgment upon the award so rendered may be entered in a court having jurisdiction or application may be made to such court for judicial acceptance of any award and an order of enforcement, as the case may be. Notwithstanding the foregoing, each party shall have the right to institute an action in any court of proper jurisdiction for injunctive relief.
    6. Entirety. The Agreement comprises the entire agreement between Customer and Coupa and supersedes all prior or contemporaneous negotiations, discussions or agreements, whether written or oral, between the parties regarding the subject matter contained herein. In the event of any conflict between this Agreement and the Order Form, the Order Form shall govern. No text or information set forth on any other purchase order, preprinted form or document shall add to or vary the terms and conditions of this Agreement. Modifications and amendments to this Agreement shall be enforceable only if they are in writing and are signed by authorized representatives of both parties. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision(s) shall be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect. Customer agrees that Customer’s purchase of any subscription is neither contingent upon the delivery of any future functionality or features nor dependent upon any oral or written comments made by Coupa with respect to future functionality or features. The parties are independent contractors, and no joint venture, partnership, employment, or agency relationship exists between Customer and Coupa as a result of the Agreement or use of the Hosted Applications or Coupa Platform. There are no third-party beneficiaries to this Agreement. The failure of a party to enforce any right or provision in this Agreement shall not constitute a waiver of such right or provision.

Exhibit A-1: Technical Support

The following describes the technical support services (“Technical Support”) that Coupa shall provide for the support level purchased by Customer (“Support Level”) as stated on the Order Form. The following terms may be updated from time to time, however, for each Order Form, the terms effective as of the execution of the Order Form shall apply for the duration of the applicable Subscription Term.

  1. Scope. The purpose of Technical Support is to address defects in the Hosted Applications that prevent them from performing in substantial conformance with the applicable Documentation. A resolution to such a defect may consist of a fix, workaround or other relief reasonably determined by Coupa’s Technical Support staff.
  2. Online Support Portal. The Coupa support portal includes an online knowledge base, best practices for use of the Hosted Applications, and a portal for the Designated Support Contacts (as defined below) to submit support tickets.
  3. Live Phone Support. Support personnel are available to provide Technical Support to Customer, depending on the Support Level (as defined below) purchased by Customer, on the phone, as described at
  4. Severity Levels. Each support ticket shall be categorized by Customer into one of the following severity levels.



    Severity Level 1

    Severe error that results in the Hosted Applications experiencing complete unavailability and halting transactions with no workaround.

    Severity Level 2

    Serious error that results in a major function of the Hosted Applications suffering a reproducible problem causing either major inconvenience to Users or consistent failure in a common functionality.

    Severity Level 3

    Error that results in a common functionality experiencing an intermittent problem or a consistent failure in a less common functionality.

    Severity Level 4

    Service requests such as sandbox refreshes, SSO setups, and other how-to type of questions.

  5. Support Levels. Support personnel will respond to and update each support ticket in accordance with the following timelines.

    Support Level



    Online Ticket Submission, Phone Support

    Severity 1: 24x7
    Severity 2-4: Mon-Fri, 8am-6pm at Customer’s main domicile

    All Severity Levels: 24x7

    Designated Support Contacts

    Maximum of 5

    Maximum of 10


    Response Times

    Update Frequency

    Response Times

    Update Frequency

    Severity Level 1

    1 hour

    2 hours

    30 minutes

    1 hour

    Severity Level 2

    4 hours

    1 business day

    2 hours

    6 hours

    Severity Level 3

    3 business days

    4 business days

    2 business days

    2 business days

    Severity Level 4

    7 business days

    7 business days

    5 business days

    5 business days

  6. Customer Responsibilities
    1. Customer shall designate no more than the number of Coupa Platform administrators (“Designated Support Contacts”) set forth above who may contact and interact with Coupa in connection with Technical Support requests. Customer’s Designated Support Contacts shall answer questions and resolve issues as needed when they arise from other Users of the Hosted Applications. Customer’s Designated Support Contacts enter support request tickets, work through Technical Support issues with Coupa, and take action as needed to implement the resolution to the issue. Customer agrees that Coupa may communicate and follow instructions to make changes to Customer Data and/or Customer’s instances, with its Designated Support Contacts via email, phone or through the Support Portal.
    2. Customer shall ensure that Customer’s Designated Support Contacts are trained on the use and administration of the Hosted Applications. Customer shall ensure that the name, contact and other information for these Designated Support Contacts are current in the Support Portal. Customer may replace Designated Support Contacts by updating the applicable information in the Support Portal, provided that at no time may Customer have more than the number of Designated Support Contacts permitted based on its Support Level.

  7. Support Exclusions
    Coupa is not required to provide resolutions for immaterial defects or defects due to modifications of the Hosted Applications made by anyone other than: (a) Coupa; or (b) Anyone acting at Coupa’s direction. Technical Support does not include professional services for implementation, configuration, integration or customization of a Hosted Application or custom software development, training or assistance with administrative functions.

  8. Update Process
    Coupa shall use commercially reasonable efforts to (1) monitor the Hosted Applications and related infrastructure for opportunities to address performance, availability and security issues; and (2) at Coupa’s discretion, deliver functionality enhancements to address customer and market requirements to improve such Hosted Applications based on Coupa innovation.
    Customer shall comply with Coupa’s update and release process, as updated from time to time, which is described at: (the “Update Process”). Customer understands that Technical Support may not be available if Customer does not comply with the Update Process, and that only the latest release of the Coupa Platform and Hosted Applications contains the most current features, availability, performance and security, including software fixes. Coupa is not responsible for product defects or security issues affecting the Hosted Applications or failure to meet the Uptime SLA (defined in Exhibit A-2) for Hosted Applications when Customer is not in compliance with the Update Process.

Exhibit A-2: Service Level Agreement (SLA)

  1. If service outages result in a failure of any production instance of a Hosted Application to meet an uptime availability requirement of 99.8% over a calendar month (“Uptime SLA”), Customer’s sole and exclusive remedy shall be a service credit equal to the greater of:
    1. Ten percent (10%) of the subscription fees set forth in the applicable Order Form for that calendar month; or
    2. The actual unavailability rate for that calendar month (as an example, if the Hosted Application has an uptime availability of 85% during a calendar month, then the service credit shall be fifteen percent (15%) of the applicable subscription fees for that calendar month).
  2. The following events shall be excluded in calculating Uptime SLA:
    1. Planned maintenance windows, which are described at
    2. Emergency maintenance required to address an exigent situation with the Hosted Application or Coupa Platform that if not addressed on an emergency basis could result in material harm to the Hosted Application or Coupa Platform. Coupa shall provide advance notice of emergency maintenance via the Support Portal to the extent practicable.
    3. Any unavailability caused by circumstances beyond Coupa’s reasonable control, including without limitation, unavailability due to Customer or its Users’ acts or omissions, a Force Majeure Event, Internet service provider failures or delays, failure or malfunction of equipment or systems not belonging to or controlled by Coupa.

    Items (a) – (c) collectively, “Excused Downtime”.

    Coupa reserves the right to perform planned maintenance outside the target periods above if circumstances require, and Coupa shall provide prior notice to Customer via the Support Portal before doing so.

  3. Uptime SLA is calculated as follows:MSA


  4. Customer must request all service credits in writing to Coupa within thirty (30) days of the end of the month in which the Uptime SLA was not met, including identifying the period Customer’s production instance of the Hosted Applications was not available. Coupa shall apply the service credit during Customer’s next billing cycle unless the service credit is reasonably disputed by Coupa, in which case Customer and Coupa shall work together in good faith to resolve such dispute in a timely manner. The total amount of service credits for any month may not exceed the applicable monthly subscription fee for the affected Hosted Applications and has no cash value (unless a service credit is owed at the termination or expiration of this Agreement without a renewal order, in which case, such service credit shall be paid to Customer within ninety (90) days of the end of the Subscription Term). Uptime and other system performance metrics can be found on

Exhibit A-3: Data Security Measures

The following describes Coupa’s Security Program as of the Effective Date. The following terms may be updated from time to time, however, for each Order Form, terms effective as of execution of the Order Form shall apply for the duration of the applicable Subscription Term.

  1. Organizational access control
    1. Control Environment. Coupa employees are required to sign a written acknowledgement form documenting their receipt and understanding of the employee handbook and their responsibility for adhering to the policies and procedures therein. Employees are also required to sign a confidentiality agreement agreeing not to disclose proprietary or confidential information, including customer information, to unauthorized parties.
    2. Access Administration. Coupa employees do not have direct access to Customer Data, except where necessary for Technical Support, system management, maintenance, backups and other purposes separately authorized by Customer in writing. Access to Customer Data is further restricted to technical and customer support staff on a need-to-know basis. When an employee or contractor no longer has a business need for these privileges, his or her access is revoked in a timely manner, even if he or she continues to be an employee or contractor of Coupa. Coupa’s policies require Coupa personnel to report any known security incidents to Coupa management for investigation and action.
    3. Personnel Screening. Criminal background checks are performed for employees with access to Customer Data as part of the hiring process.
    4. Security Awareness and Training. Coupa maintains a security awareness program that includes training of Coupa personnel on Coupa’s security program. Training is conducted at the time of hire and periodically in accordance with Coupa’s information security policies.
    5. Subprocessors and Data Transfer. Coupa may engage Subprocessors and other Third-Party Suppliers (each as defined below) to perform some of its obligations under the Agreement. Coupa shall require that Subprocessors only access and use Customer Data in a manner consistent with the terms of the Agreement and bind Subprocessors to written obligations to protect Customer Data. At the written request of Customer, Coupa shall provide additional information regarding Subprocessors and their locations. Customer may send such requests to Coupa’s Data Privacy Officer at [email protected]. “Third-Party Suppliers” means third-party contractors and suppliers engaged by Coupa in the context of the provision of the Hosted Applications or Coupa Platform. “Subprocessors” means those Coupa Affiliates and Third-Party Suppliers that have access to, and process, Customer Data. As part of providing the Hosted Applications or Coupa Platform, Coupa and its Subprocessors may transfer, store and process Customer Data in the European Economic Area, United States, India or any other country in which Coupa and its Subprocessors maintain facilities.
    6. Business Continuity Management Process. Coupa shall maintain a business continuity plan (BCP) that defines the processes and procedures for the company to follow in the event of a disaster and shall review and shall regularly test Coupa’s disaster recovery plan to ensure that it is capable of recovering Coupa assets and continuing key Coupa business processes in a timely manner.
  2. Physical access control
    1. Physical Protection of the Data Centers. Physical access to data centers is strictly controlled by the data center provider (“DC Provider”) both at the perimeter and at building ingress points by security staff. The DC Provider only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee or contractor no longer has a business need for these privileges, his or her access is immediately revoked, even if he or she continues to be an employee or contractor of the DC Provider. All physical access to data centers is logged and audited routinely.
    2. Availability. Data centers are built in various global regions. All data centers are online and serving customers. In case of failure, automated processes move Customer Data traffic away from the affected area. The data centers have backup power and environmental protection systems, which are regularly maintained and tested.
    3. Disaster Recovery. Coupa shall create a disaster recovery plan designed to provide appropriate technical and operational controls to deliver a recovery time objective (RTO) of typically no more than one (1) day and a recovery point objective (RPO) of typically no more than one (1) hour for the Hosted Applications.
    4. Fire Detection and Suppression. Automatic fire detection and suppression equipment have been installed to reduce risk and damage to data center environments.
    5. Power. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Data center facilities have power backup and environmental protection systems in the event of an electrical failure for critical and essential loads in the facility.
    6. Climate and Temperature. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
    7. Monitoring. The DC Provider monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
  3. Technical security measures
    1. Database Protection. Database infrastructure is segregated from the application servers and the Internet via firewalls.
    2. Encryption. All communications are encrypted between the data exporter and the data centers using high-grade encryption (AES-256). Access to Coupa’s on-demand applications and services is only available through secure sessions (https) and only available with an authenticated login and password. Passwords are never transmitted or stored in their original form.
    3. Intrusion Protection. The application infrastructure is protected against intrusion by industry standard protection technology (such as regular penetration testing, firewalls at the network, host, and application levels, and intrusion detection systems) across all servers. Unless otherwise agreed by Coupa in writing, Customer is prohibited from performing its own penetration on any system of Coupa.
    4. Customer Data Isolation. Coupa Platform services use application or process level segmentation to accomplish data isolation.
    5. Malicious Software Protection. The Hosted Applications and the Coupa Platform shall include reasonably up-to-date versions of system security software (including malware and anti-virus protection).
    If Customer installs, uses, or enables third party services that interoperate with the Hosted Applications, then the Hosted Applications may allow such third-party services to access, use, or otherwise process and transmit Customer Data. Coupa’s Security Program does not apply to any processing, storage, or transmission of data outside the Coupa Platform, and Coupa is not responsible for the security practices (or any acts or omissions) of any third-party service providers engaged by or on behalf of Customer. The Coupa Security Program excludes: (i) data or information shared with Coupa that is not stored in the Coupa Platform; or (ii) data in Customer’s virtual private network (VPN) or a third-party network other than one that is under a subcontract with Coupa to assist Coupa in fulfilling its obligations in the Agreement. Additionally, Coupa shall not be liable for any data (including where part of Customer Data) used, processed, stored or transmitted by Customer or Users in violation of this Agreement.