Coupa's Master Subscription Agreement


This Master Subscription Agreement (“Agreement”), between Coupa Software Inc. (“Coupa”) and the company or other legal entity (“Customer”) that has executed an Order Form (as defined below), is made as of the last signature date (“Effective Date”) on the first Order Form that references this Agreement.

This Agreement incorporates by reference the Subscription Schedule, attached as Exhibit A, which describes the following operational matters of the Hosted Applications (as defined below): (1) technical support & update process; (2) service level agreement; and (3) data security measures.

      1. Affiliate means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity; and "control" for the purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interest of the subject entity, provided that any such Affiliate shall be deemed an Affiliate only for so long as such control lasts. Affiliates may purchase subscriptions to the Hosted Application that are subject to the terms and conditions of this Agreement by executing an Order Form hereunder.
      2. Confidential Information means all confidential and proprietary information of a disclosing party or any of its Affiliates disclosed by or on behalf of such party to the receiving party, whether orally or in writing, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, including Customer Data, the terms and conditions of this Agreement (including pricing and other terms reflected in all Order Forms hereunder), business and marketing plans, technology and technical information, product designs, and business processes. Notwithstanding anything to the contrary, the Hosted Applications, Documentation, and Coupa Platform are deemed to be Confidential Information of Coupa. Confidential Information shall not include any information that: (i) is or becomes generally known to the public without breach of any obligation owed to the disclosing party; (ii) was known to the receiving party without restriction prior to its disclosure by the disclosing party and without breach of any obligation owed to the disclosing party; (iii) was independently developed by the receiving party without either use of or reference to any Confidential Information or breach of any obligation owed to the disclosing party; or (iv) is received from a third party without restriction and without breach of any obligation owed to the disclosing party.
      3. Coupa Platform means any software and hardware that enables Coupa to provide Customer with access to and use of the Hosted Applications as contemplated by this Agreement.
      4. Customer Data means any data, information or material provided or submitted by Customer or on behalf of Customer to the Coupa Platform in the course of using the Hosted Applications.
      5. Documentation means the Coupa product documentation relating to the operation and use of the Hosted Applications, including technical program or interface documentation, operating instructions, update notes, and support knowledge base, as made available and updated from time to time by Coupa.
      6. Hosted Application(s) means applications and associated content (as identified on an Order Form) to be provided by Coupa to Customer as a subscription service and made accessible on a website designated by Coupa.
      7. Order Form means an order form mutually executed by the parties evidencing the purchase of subscriptions to the Hosted Applications specifying, among other things, the Subscription Term, the number of Users, the applicable fees, and the billing period as agreed to between the parties. Each Order Form, once mutually executed, shall be governed by and become part of this Agreement, and is hereby incorporated by this reference.
      8. Protected Health Information has the meaning given to it in the Health Insurance Portability and Accountability Act (“HIPAA”).
      9. Restricted Information means Protected Health Information and Sensitive Information and such term is used solely in respect of Section 3.5 hereof.
      10. Sensitive Information means, if applicable, (a) special categories of data as defined in Article 9 of the EU General Data Protection Regulation (GDPR); and/or (b) an individual’s first name and last name (or first initial and last name) in combination with any of the following that relate to an individual person: (i) Social Security number; (ii) driver’s license number or government-issued identification card number; or (iii) financial account number, or credit or debit card number, access code, personal identification number or password that would permit access to an individual’s financial account.
      11. Subscription Term means the period(s) during which Customer is authorized to use the Hosted Applications pursuant to an Order Form.
      12. Support means the Coupa technical support as specified on the Order Form in accordance with the terms in Exhibit A-1.
      13. Updates means Coupa’s updates of the Hosted Applications for repairs, enhancements or new features applied by Coupa to Customer’s instances, including updates to the Documentation as a result of such updates, at no additional fee during the Subscription Term. Updates shall not include additional new functionality or upgrades to modules or applications that Customer has not already subscribed to in an Order Form and for which Coupa requires a separate charge from its other customers generally for such new modules or applications.
      14. Users means employees of Customer and its Affiliates and their representatives, consultants, contractors, subcontractors, or agents who are authorized to use the Hosted Applications and have been supplied unique user identifications and passwords by Customer.
      1. Provision of the Hosted Applications. Coupa will make available to Customer, and Customer is authorized to use, the Hosted Applications during the Subscription Term as set forth in an applicable Order Form for its and its Affiliates’ internal business purposes in accordance with the Documentation.
      2. Support, Uptime & Updates. Coupa shall: (i) provide the level of support specified in the Order Form in accordance with Exhibit A-1; (ii) provide Updates at no additional charge as part of Customer’s subscription during the Subscription Term in accordance with Exhibit A-1; and (iii) make the Hosted Applications available in accordance with Exhibit A-2.
      3. Security. Coupa shall maintain a written information security program of policies, procedures and controls (“Security Program”) governing the processing, storage, transmission and security of Customer Data. The Security Program as of the Effective Date is set forth in Exhibit A-3. The Security Program shall include industry standard practices designed to protect Customer Data from unauthorized access, acquisition, use, disclosure, or destruction. Coupa may periodically review and update the Security Program to address new and evolving security technologies, changes to industry standard practices, and changing security threats, provided that any such update does not materially reduce the overall level of security provided to Customer as described herein.
      4. Breach Notification. Unless notification is restricted by law, Coupa shall report to Customer’s support contacts designated in Coupa’s customer support portal (“Support Portal”) any unauthorized acquisition, access, use, disclosure or destruction of Customer Data (“Breach”) promptly without undue delay after Coupa determines that a Breach has occurred. Unless prohibited by law, Coupa shall share information about the nature of the Breach that is reasonably requested by Customer to enable Customer to notify affected individuals, government agencies and/or credit bureaus. Customer has sole control over the content of Customer Data that it enters into the Coupa Platform and is responsible for determining whether to notify impacted individuals and the applicable regulatory bodies or enforcement commissions and for providing such notice.
      5. Audit Report. Coupa shall engage at its expense, an independent accounting firm to conduct an audit of Coupa’s operations with respect to the Hosted Applications in accordance with the Statement on Standards for Attestation Engagements No. 18 (the “SSAE 18”), and have such accounting firm issue SSAE 18, SOC 1 Type 2 and SOC 2 Type 2 reports (or substantially similar report of a successor auditing standard in the event the SSAE 18 auditing standard is no longer an industry standard) (the “Auditor’s Report”), which shall cover Coupa’s security policies, procedures, and controls. Upon Customer’s request, Coupa shall provide Customer and its external auditors with a current copy of (a) such Auditor’s Report and (b) Coupa’s security and compliance guide (“Coupa Security Guide”), which Coupa will provide to Customer in response to Customer’s requests of Coupa to complete security questionnaires and/or surveys, provided that such Auditor’s Report and Coupa Security Guide shall be deemed Confidential Information of Coupa. Customer may raise reasonable security-related questions to Coupa after completing its review of such Auditor’s Report and Coupa Security Guide.
      6. U.S. Privacy (including CCPA).
        1. For purposes of this section 2.6 only: (i) “Personal Information” means any information relating, directly or indirectly, to any identified or identifiable natural person or household, including but not limited to information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person or household; (ii) “Process” or “Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means; (iii) “Applicable Law” means any U.S. privacy, security, breach notification, or other data protection laws applicable to Personal Information, including but not limited to the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq.
        2. To the extent that Coupa collects or Processes Personal Information in connection with performing functions on behalf of Customer specified in the Agreement and further to the extent applicable and required by Applicable Law, Coupa agrees as follows:
          1. Coupa shall use, disclose, or otherwise Process the Personal Information only to perform functions under the Agreement or as otherwise required by law. Without limiting the generality of the foregoing, Coupa agrees it shall not: (i) sell the Personal Information; (ii) retain, use, or disclose the Personal Information for any purpose other than for the specific purpose of performing functions under the Agreement, including retaining, using, or disclosing the Personal Information for a commercial purpose other than performing functions under the Agreement; or (iii) retain, use, or disclose the Personal Information outside of the direct business relationship between Coupa and Customer. Coupa hereby certifies that it understands the restrictions set forth in this section and will comply with them.
          2. Coupa shall reasonably assist Customer to comply with Applicable Law, including but not limited to providing reasonable assistance honoring individual rights requests as necessary for Customer to comply with Applicable Law. In the event Coupa receives any requests relating to Personal Information directly from an individual in connection with the Agreement, Coupa shall direct the individual to Customer, promptly notify Customer of the request, and reasonably assist Customer to respond to such request.
          3. Coupa shall maintain reasonable security measures to protect Personal Information within Customer Data in accordance with the Agreement.
      7. Insurance. Coupa shall maintain during the term of this Agreement: (a) Commercial General Liability Insurance with minimum limits of US$1,000,000 combined single limit and combined bodily injury and property damage per occurrence and US$2,000,000 in the aggregate; (b) Commercial Automobile Liability Insurance providing coverage for owned, hired, and non-owned motor vehicles used in connection with this Agreement in an amount of not less than US$1,000,000 per accident combined single limit for bodily injury and property damage; (c) Umbrella Liability providing excess liability coverage in the minimum amount of US$5,000,000.00 per occurrence, to supplement the primary coverage provided in the policies listed above; (d) Professional Liability Insurance (Errors and Omissions Insurance), which policy also includes cyber-liability insurance for financial losses arising from destruction or corruption of data, including but not limited to privacy and data security breaches, virus transmission, unauthorized access, denial of service and loss of income from network security failures, with minimum limits of US$5,000,000.00; (e) Workers Compensation Insurance covering Coupa employees pursuant to applicable state laws, and at the maximum limits statutorily required for each such state; and (f) Commercial Crime Insurance including coverage for loss or damage resulting from theft committed by Coupa’s employees, acting alone or in collusion with others, and coverage for computer crime, with a minimum per event and annual aggregate limit of US$2,000,000. Upon request, Coupa shall promptly furnish Customer with a certificate evidencing the coverages set forth above.
      1. User Accounts. Customer is responsible for activity occurring under its User accounts and shall ensure that it and its Users abide by all laws, treaties and regulations applicable to Customer’s use of the Hosted Applications. Customer shall: (i) notify Coupa promptly of any unauthorized use of any password or account or any other breach of security; (ii) notify Coupa promptly and use reasonable efforts to promptly stop any unauthorized use, copying, or distribution of the Hosted Applications that is known or suspected by Customer or its Users; (iii) not impersonate another Coupa user or provide false identity information to gain access to or use the Hosted Applications or Coupa Platform; and (iv) restrict each User account to only one authorized User at a time.
      2. Restrictions. Except as otherwise permitted under this Agreement, Customer shall not (i) license, sublicense, sell, resell, transfer, rent, lease, assign (except as provided in Section 11.4 (Assignment)), distribute, disclose, or otherwise commercially exploit the Hosted Applications; (ii) copy, modify or make derivative works based upon the Hosted Applications; (iii) “frame” or “mirror” the Hosted Applications on any other server or device; (iv) access the Hosted Applications for competitive purposes or use the Hosted Applications for application service provider, timesharing or service bureau purposes, or any purpose other than its own internal use; (v) decompile, disassemble, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of the Hosted Applications; (vi) remove, obscure or modify a copyright or other proprietary rights notice in the Hosted Applications; (vii) use the Hosted Applications to send or store infringing, obscene, threatening, libelous, or otherwise unlawful material; (viii) use the Hosted Applications to create, use, send, store, or run material containing software viruses, worms, Trojan horses or otherwise engage in any malicious act or disrupt the security, integrity or operation of the Hosted Applications or the Coupa Platform; (ix) attempt to gain or permit unauthorized access to the Hosted Applications or its related systems or networks; or (x) permit or assist any other party (including any User) to do any of the foregoing.
      3. User Reassignment. User subscriptions are for designated Users and cannot be shared or used by more than one User but may be reassigned to new Users replacing former Users who no longer require use of the Hosted Applications. Unless otherwise specified in the relevant Order Form, the replacement User shall be under the same Subscription Term of the original User.
      4. Additional Users. Additional Users may be purchased by signing an Order Form and unless otherwise specified in the relevant Order Form, the Subscription Term of additional Users shall be coterminous with the Subscription Term in effect at the time the additional Users are added.
      5. Restricted Information. The intended purpose of the Hosted Applications is to optimize Customer’s spend management processes in a business-to-business environment and Customer agrees that use of the Hosted Applications does not require Customer to provide any Restricted Information in the Hosted Applications or Coupa Platform. Customer shall not (and shall use all reasonable commercial efforts to ensure that its suppliers and Users do not) upload, provide or submit any Restricted Information to the Hosted Applications or Coupa Platform. Coupa shall have no responsibility related to Restricted Information if Customer breaches this section.
      6. Third Party Interactions.
        1. No Supplier Fees. Except as otherwise agreed on an Order Form, each party agrees that it shall not charge Customer’s suppliers for the right to interact with Customer through the Coupa Platform.
        2. Supplier Interactions. When using the Hosted Applications, Customer may enter into correspondence with and purchase goods and/or services from suppliers. Any such activities and associated terms are solely between Customer and the applicable third party supplier and Coupa shall have no obligation or responsibility for such correspondence or purchase between Customer and such third party supplier.
      1. Billing and Payment of Fees. Customer shall pay subscription fees annually in advance for use of the Hosted Applications. All payment obligations are non-cancellable and all amounts paid are nonrefundable except as otherwise specified in this Agreement. Coupa shall issue invoices to Customer as specified in the Order Form and Customer agrees to pay such amounts not subject to a good faith dispute in accordance with the payment terms as specified in the Order Form and if any such undisputed invoice is more than 30 days overdue, Coupa may, without limiting its other rights and remedies, suspend the Hosted Applications until such undisputed invoice is paid in full. Coupa shall provide at least 30 days’ prior written notice to Customer of the payment delinquency before exercising any suspension right. Customer agrees to pay Coupa in the currency specified on the Order Form. If Customer believes its invoice is incorrect, Customer must contact Coupa in writing within 60 days of the date of the invoice containing the amount in question to be eligible to receive an adjustment or credit.
      2. Taxes. Coupa’s fees are exclusive of all taxes, levies, or duties imposed by taxing authorities, including for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, “Taxes”) and Customer shall be responsible for payment of all Taxes associated with this Agreement and all Order Forms, except that Coupa is solely responsible for taxes assessable against Coupa based on Coupa’s net income, property and employees. If Customer is legally entitled to an exemption from any sales, use, or similar transaction tax, upon signing an Order Form, Customer shall provide Coupa with a legally sufficient tax exemption certificate for each taxing jurisdiction, and Coupa shall not charge Customer any taxes from which it is exempt. If any deduction or withholding is required by law, Customer shall notify Coupa and shall pay Coupa any additional amounts necessary to ensure that the net amount that Coupa receives, after any deduction and withholding, equals the amount Coupa would have received if no deduction or withholding had been required. Upon request, Customer shall provide documentation showing that the withheld and deducted amounts have been paid to the relevant taxing authority.
      1. Coupa’s Intellectual Property Rights. As between Coupa and Customer, all right, title, and interest in and to the Hosted Applications, Documentation, and Coupa Platform (including all rights therein, and all derivatives, translations, modifications and enhancements thereof) are, and shall remain, owned exclusively by Coupa notwithstanding any other provision in this Agreement, Order Form, or statement of work hereunder. This Agreement is not a sale and does not convey to Customer any rights of ownership in or related to the Hosted Applications, Coupa Platform, or Documentation. The Coupa name, logo and product names are trademarks of Coupa, and no right or license is granted to use them. All rights not expressly granted to Customer are reserved by Coupa. Coupa alone shall own all rights, title and interest in and to any suggestions, enhancement requests, feedback, or recommendations provided by Customer or any third party relating thereto.
      2. Customer Data. As between Customer and Coupa, Customer exclusively owns all rights, title and interest in and to all Customer Data. Customer shall have sole responsibility for the accuracy, quality, integrity, legality, reliability, appropriateness, and intellectual property ownership of and right to use all Customer Data, and hereby warrants that it has and will continue to have all rights and consents necessary to allow Coupa to use all such data as contemplated by this Agreement. Customer hereby grants to Coupa a royalty-free, fully-paid, non-exclusive, non-transferable (except as set forth in Section 11.4 (Assignment)), sub-licensable, worldwide right and license to reproduce, use, process, transfer and store Customer Data solely for the purposes of performing Coupa’s obligations under this Agreement and any other activities expressly agreed to by Customer.
      3. Use of Aggregate Data. Customer agrees that as part of providing the Hosted Applications, Coupa may collect, use and disclose quantitative data derived from the use of the Hosted Applications for industry analysis, benchmarking, analytics and other business purposes. All data collected, used, and disclosed will be in aggregate form only and will not identify Customer or its Users.
      1. Obligations. The receiving party shall not disclose or use any Confidential Information of the disclosing party for any purpose outside the scope of this Agreement, except with the disclosing party's prior written permission. Each party agrees to protect the confidentiality of the Confidential Information of the other party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind (but in no event using less than reasonable care). If the receiving party is compelled by law to disclose Confidential Information of the disclosing party, it shall provide the disclosing party with prior written notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at disclosing party's cost, if the disclosing party wishes to contest the disclosure, and any information so disclosed shall continue to be treated as Confidential Information for all other purposes.
      2. Remedies. Except as expressly provided in this Agreement, if the receiving party discloses or uses (or threatens to disclose or use) any Confidential Information of the disclosing party in breach of confidentiality protections hereunder, the disclosing party shall have the right, in addition to any other remedies available to it, to seek injunctive relief to enjoin such acts, it being specifically acknowledged by the parties that any other available remedies may be inadequate.
      1. Coupa’s Obligations. Coupa warrants that during the Subscription Term (i) Customer’s production instances of the Hosted Applications shall materially conform to the Documentation and (ii) that the functionality of the Hosted Applications at the time of the Order Form shall not materially decrease during the Subscription Term.
      2. Procedure. To submit a warranty claim under this Section, Customer shall (1) reference this Section; and (2) submit a support request to resolve the non-conformity as provided in the Subscription Schedule. If the non-conformity persists without relief more than thirty (30) days after written notice of a warranty claim provided to Coupa under this Section, then Customer may terminate the affected Hosted Applications and Coupa, as its sole liability in connection with a breach of this warranty, shall refund to Customer any prepaid subscription fees covering the remainder of the Subscription Term of the affected subscription after the effective date of termination. Notwithstanding the foregoing, this warranty shall not apply to any non-conformity due to any modification of or defect in the Hosted Applications that is made or caused by someone other than Coupa (or someone acting at Coupa’s direction).
      1. Coupa’s Obligations. Subject to Section 8.3, Coupa shall: (a) defend Customer, its officers, directors, and employees against any third party suit, claim, or demand (each a “Claim”) that alleges the Hosted Applications used in accordance with this Agreement and the applicable Order Form infringe any issued patent, copyright, trademark or misappropriate any trade secret of, such third party; and (b) pay any court-ordered award of damages or settlement amount which may include any expense, liability, loss, damage, costs or reasonable attorneys' fees, each to the extent payable to a third party, to the extent arising from such Claims. Notwithstanding the foregoing, if Coupa reasonably believes that Customer’s use of any portion of the Hosted Applications is likely to be enjoined by reason of any Claims then Coupa may, at its expense and in its sole discretion: (i) procure for Customer the right to continue using the Hosted Applications; (ii) replace the same with other products having substantially equivalent functions that are not subject to any Claims of infringement; or (iii) modify the applicable Hosted Applications so that there is no longer any infringement, provided that such modification does not materially and adversely affect the functional capabilities of the Hosted Applications as set out herein or in the applicable Order Form. If (i), (ii), and (iii) above are not available on commercially reasonable terms in Coupa’s judgment, Coupa may terminate the affected Hosted Applications and refund to Customer the fees paid by Customer covering the remaining portion of the applicable Subscription Term for the affected Hosted Applications after the date of termination. 
The foregoing indemnification obligation of Coupa shall not apply: (1) if the Hosted Application is modified by any party other than Coupa (or someone acting at Coupa’s direction), but solely to the extent the alleged infringement is related to such modification; (2) if the Hosted Application is combined with other non-Coupa products, applications, or processes not authorized in writing by Coupa, but solely to the extent the alleged infringement is related to such combination; (3) to the extent the Claim arises in connection with any unauthorized use of the Hosted Application, or use that is not in compliance with any applicable laws, regulations, and/or Documentation; (4) to any third party products, processes or materials that are not provided by Coupa; or (5) to any Claims arising as a result of the content of the Customer Data. THIS SECTION SETS FORTH COUPA’S SOLE LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY CLAIM OF INTELLECTUAL PROPERTY INFRINGEMENT.
      2. Customer’s Obligations. Subject to Section 8.3, Customer shall: (a) defend Coupa, its officers, directors, and employees against any Claim that arises from the Customer Data or that relates to a dispute between Customer and its supplier; and (b) pay any court-ordered award of damages or settlement amount which may include any expense, liability, loss, damage, costs, or reasonable attorneys' fees, each to the extent payable to a third party, to the extent arising from such Claims. Customer’s indemnification obligation shall not apply: (1) if the Customer Data is modified by Coupa or by any party under Coupa’s control, without Customer’s authorization but solely to the extent the Claim is caused by such modification or (2) if the Claim arises as a result of any use or disclosure of the Customer Data by Coupa not contemplated by this Agreement.
      3. Process. Each party's indemnity obligations are subject to the following: (i) the indemnified party shall promptly notify the indemnifier in writing of any Claims (provided, however, that the failure to give prompt written notice shall not limit the rights to indemnification except to the extent that the indemnifier is materially prejudiced by such failure); (ii) the indemnifier shall have sole control of the defense and all related settlement negotiations with respect to any Claims (provided that the indemnifier may not settle any Claims that require the indemnified party to admit any civil or criminal liability or incur any financial obligation without the indemnified party’s consent, which consent shall not be unreasonably withheld); and (iii) the indemnified party shall cooperate fully to the extent necessary at the indemnifier’s cost in such defense and settlement.
      1. Term. The Agreement commences on the Effective Date and continues until all Order Forms subject to this Agreement have expired or terminated, unless this Agreement is earlier terminated in accordance with this Section 10. User subscriptions commence on the subscription start date specified in the relevant Order Form and continue for the Subscription Term specified therein. Unless otherwise provided in the Order Form, user subscriptions shall automatically renew for additional periods of one year on the same terms unless either party gives the other notice of non-renewal or a new price quote at least 30 days prior to the end of the relevant Subscription Term.
      2. Termination. A party may immediately terminate this Agreement for cause: (i) upon 30 days written notice of a material breach to the other party if such breach remains uncured at the expiration of such period or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors that is not dismissed within sixty (60) days of its commencement or an assignment for the benefit of creditors. Upon any termination for cause by Customer, Coupa shall refund any prepaid fees covering the remainder of the Subscription Term after the effective date of termination. Termination shall not relieve Customer of the obligation to pay any fees accrued or payable to Coupa prior to the effective date of termination.
      3. Transition Services. Upon termination of the Agreement, at Customer’s option, Coupa shall provide transition services to facilitate the orderly and complete transfer of the Customer Data to Customer or to any replacement provider designated by Customer (“Transition Services”), provided that the scope and fees of the Transition Services shall be mutually agreed in a statement of work prior to commencing Transition Services. Notwithstanding the provisions of this section, in no event shall Coupa be required to disclose any of its Confidential Information or provide a license under any of its intellectual property to Customer or any third party as part of the Transition Services. For the avoidance of doubt, if Customer elects to receive Transition Services, Customer shall continue to pay pro-rated subscription fees for the use of the Hosted Applications during the transition period.
      4. Survival. Upon expiration or termination of the Agreement, Sections 1 (Definitions), 3.2 (Restrictions), 4.1 (Billing and Payment of Fees), 5 (Proprietary and Other Rights), 6 (Confidential Information), 7.3 (Disclaimer of Warranties), 8 (Indemnification), 9 (Limitations of Liability), 10 (Term; Termination), and 11 (General Provisions) of this Agreement shall survive.
      1. Compliance with Laws and Export Control. Each party shall comply with all applicable laws and government regulations, including the export laws and regulations of the United States and other applicable jurisdictions, in connection with providing and using the Hosted Applications and/or Coupa Platform. Without limiting the foregoing, (i) each party represents that it is not named on any government list of persons or entities prohibited from receiving exports, and (ii) Customer shall not, and shall ensure that Users do not, violate any export embargo, prohibition, restriction or other similar law in connection with this Agreement.
      2. Force Majeure. No party shall be liable or responsible to the other party, nor be deemed to have defaulted under or breached this Agreement, for any failure or delay in fulfilling or performing any term of this Agreement (excluding Customer’s failure to pay amounts owed when due), when and to the extent such failure or delay is caused by or results from acts beyond the affected party’s reasonable control, including without limitation: strikes, lock-outs or other industrial disputes (whether involving its own workforce or a third party’s), trespassing, sabotage, theft or other criminal acts, cyber-attacks, failure of energy sources or transport network, acts of God, export bans, sanctions and other government actions, war, terrorism, riot, civil commotion, interference by civil or military authorities, national or international calamity, armed conflict, malicious damage, breakdown of plant or machinery, nuclear, chemical or biological contamination, explosions, collapse of building structures, fires, floods, storms, earthquakes, epidemics or similar events, natural disasters or extreme adverse weather conditions (each a “Force Majeure Event”). The party suffering a Force Majeure Event shall use reasonable efforts to mitigate against the effects of such Force Majeure Event.
      3. Notice. Except as provided elsewhere in this Agreement, either party may give notice by written communication sent by next-day mail delivered by a nationally recognized delivery service: (i) if to Customer, to Customer’s address on record in Coupa’s account information or (ii) if to Coupa, to 1855 S. Grant Street, San Mateo, CA 94402, addressed to the attention of: Legal Department, with an email copy to [email protected]. Such notice shall be deemed to have been given upon the expiration of 48 hours after mailing.
      4. Assignment. Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld). Notwithstanding the foregoing, either party may assign this Agreement in its entirety (including all Order Forms), without consent of the other party, to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties, their respective successors and permitted assigns.
      5. Dispute Resolution. This Agreement shall be governed by California law and controlling United States federal law, without regard to the choice or conflicts of law provisions of any jurisdiction and without regard to the United Nations Convention on the International Sale of Goods or the Uniform Computer Information Transactions Act. Any disputes, actions, claims or causes of action arising out of or in connection with this Agreement shall be submitted to and finally settled by arbitration in San Francisco, California, using the English language in accordance with the Arbitration Rules and Procedures of the Judicial Arbitration and Mediation Services, Inc. (JAMS) then in effect, by one or more commercial arbitrator(s) with substantial experience in the industry and in resolving complex commercial contract disputes. Judgment upon the award so rendered may be entered in a court having jurisdiction or application may be made to such court for judicial acceptance of any award and an order of enforcement, as the case may be. Notwithstanding the foregoing, each party shall have the right to institute an action in any court of proper jurisdiction for injunctive relief.
      6. Entirety. The Agreement comprises the entire agreement between Customer and Coupa and supersedes all prior or contemporaneous negotiations, discussions or agreements, whether written or oral, between the parties regarding the subject matter contained herein. In the event of any conflict between this Agreement and the Order Form, the Order Form shall govern. No text or information set forth on any other purchase order, preprinted form or document shall add to or vary the terms and conditions of this Agreement. Modifications and amendments to this Agreement shall be enforceable only if they are in writing and are signed by authorized representatives of both parties. If any provision of this Agreement is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision(s) shall be construed, as nearly as possible, to reflect the intentions of the invalid or unenforceable provision(s), with all other provisions remaining in full force and effect. Customer agrees that Customer’s purchase of any subscription is neither contingent upon the delivery of any future functionality or features nor dependent upon any oral or written comments made by Coupa with respect to future functionality or features. The parties are independent contractors, and no joint venture, partnership, employment, or agency relationship exists between Customer and Coupa as a result of the Agreement or use of the Hosted Applications or Coupa Platform. There are no third-party beneficiaries to this Agreement. The failure of a party to enforce any right or provision in this Agreement shall not constitute a waiver of such right or provision.

Exhibit A - Subscription Schedule

EXHIBIT A-1: Technical Support

The following describes the technical support services (“Technical Support”) that Coupa shall provide for the support level purchased by Customer (“Support Level”) as stated on the Order Form. The following terms may be updated from time to time, however, for each Order Form, the terms effective as of the execution of the Order Form shall apply for the duration of the applicable Subscription Term.

  1. Online Support Portal. The Support Portal includes an online knowledge base, best practices for use of the Hosted Applications, and a portal for the Designated Support Contacts (as defined below) to submit support tickets.
  2. Live Phone Support. Coupa personnel are available to provide Technical Support to Customer, depending on the Support Level (as defined below) purchased by Customer.
  3. Severity Levels. Each support ticket shall be categorized by Customer into one of the following severity levels.



    Level 1: Severe error that results in the Hosted Applications experiencing complete unavailability and halting transactions with no workaround.

    Level 2: Serious error that results in a major function of the Hosted Applications suffering a reproducible problem causing either major inconvenience to Users or consistent failure in a common functionality.

    Level 3: Error that results in a common functionality experiencing an intermittent problem or a consistent failure in a less common functionality.

    Level 4: Service requests such as sandbox refreshes, SSO setups, and other how-to type of questions.

  4. Support Levels

    Support Level

    Online Ticket Submission, Phone Support
    Severity 1: 24x7
    Severity 2-4: Mon-Fri, 8am-6pm at Customer’s headquarters

    Designated Support Contacts    Maximum of 5                        Maximum of 10

                                   Response Times   Update Frequency   Response Times   Update Frequency
    Severity 1                     1 hour           2 hours            30 minutes       1 hour
    Severity 2                     4 hours          1 business day     2 hours          6 hours
    Severity 3                     3 business days  4 business days    2 business days  2 business days
    Severity 4                     7 business days  7 business days    5 business days  5 business days

  5. Customer Responsibilities
    1. Customer shall designate no more than the number of Coupa Platform administrators (“Designated Support Contacts”) set forth above who may contact and interact with Coupa in connection with Technical Support requests. Customer’s Designated Support Contacts shall answer questions and resolve issues as needed when they arise from other Users of the Hosted Applications. Customer’s Designated Support Contacts enter support request tickets, work through Technical Support issues with Coupa, and take action as needed to implement the resolution to the issue. Customer agrees that Coupa may communicate, and follow instructions to make changes to Customer Data and/or Customer’s instances, with its Designated Support Contacts via email, phone or through the Support Portal.
    2. Customer shall ensure that Customer’s Designated Support Contacts are trained on the use and administration of the Hosted Applications.
    3. Customer shall ensure that the name, contact and other information for these Designated Support Contacts are current in the Support Portal. Customer may replace Designated Support Contacts by updating the applicable information in the Support Portal, provided that at no time may Customer have more than the number of Designated Support Contacts permitted based on its Support Level.
  6. Support Exclusions. Coupa is not required to provide resolutions for immaterial defects or defects due to modifications of the Hosted Applications made by anyone other than Coupa (or anyone acting at Coupa’s direction). Technical Support does not include professional services for implementation, configuration, integration or customization of a Hosted Application or custom software development, training or assistance with administrative functions.
  7. Update Process. Coupa shall use commercially reasonable efforts to (1) monitor the Hosted Applications and related infrastructure for opportunities to address performance, availability and security issues; and (2) at Coupa’s discretion, deliver functionality enhancements to address customer and market requirements to improve such Hosted Applications based on Coupa innovation. Coupa’s update and release process, as updated from time to time, is described at (“Update Process”). Customer shall upon notice comply with the Update Process and understands that not all Technical Support may be available if Customer does not comply with the Update Process and only the latest release of the Coupa Platform and Hosted Applications contains the most current features, availability, performance and security, including software fixes. Coupa is not responsible for product defects or security issues affecting the Hosted Applications or failure to meet the Uptime SLA (defined in Exhibit A-2) for Hosted Applications when Customer is not in compliance with the Update Process.

EXHIBIT A-2: Service Level Agreement (SLA)

  1. If service outages result in a failure of any production instance of a Hosted Application to meet an uptime availability requirement of 99.8% over a calendar month (“Uptime SLA”), Customer’s sole and exclusive remedy shall be a service credit equal to the greater of:
    1. Ten percent (10%) of the subscription fees set forth in the applicable Order Form for that calendar month; or
    2. The actual unavailability rate for that calendar month (as an example, if the Hosted Application has an uptime availability of 85% during a calendar month, then the service credit shall be fifteen percent (15%) of the applicable subscription fees for that calendar month).
  2. The following events shall be excluded in calculating Uptime SLA:
    1. Planned maintenance windows, which are described at
    2. Emergency maintenance required to address an exigent situation with the Hosted Application or Coupa Platform that if not addressed on an emergency basis could result in material harm to the Hosted Application or Coupa Platform. Coupa shall provide advance notice of emergency maintenance via the Support Portal to the extent practicable.
    3. Any unavailability caused by circumstances beyond Coupa’s reasonable control, including without limitation, unavailability due to Customer or its Users’ acts or omissions, a Force Majeure Event, Internet service provider failures or delays, failure or malfunction of equipment or systems not belonging to or controlled by Coupa.

    Items (a) – (c) collectively, “Excused Downtime”.

    Coupa reserves the right to perform planned maintenance outside the target periods above if circumstances require, and Coupa shall provide prior notice to Customer via the Support Portal before doing so.

  3. Uptime SLA is calculated as follows:

  4. Customer must request all service credits in writing to Coupa within thirty (30) days of the end of the month in which the Uptime SLA was not met, including identifying the period Customer’s production instance of the Hosted Applications was not available. Coupa shall apply the service credit during Customer’s next billing cycle unless the service credit is reasonably disputed by Coupa, in which case Customer and Coupa shall work together in good faith to resolve such dispute in a timely manner. The total amount of service credits for any month may not exceed the applicable monthly subscription fee for the affected Hosted Applications, and has no cash value (unless a service credit is owed at the termination or expiration of this Agreement without a renewal order, in which case, such service credit shall be paid to Customer within ninety (90) days of the end of the Subscription Term). Uptime and other system performance metrics can be found on

EXHIBIT A-3: Data Security Measures

The following describes Coupa’s Security Program as of the Effective Date. The following terms may be updated from time to time, however, for each Order Form, terms effective as of execution of the Order Form shall apply for the duration of the applicable Subscription Term.

  1. Organizational access control
    1. Control Environment. Coupa employees are required to sign a written acknowledgement form documenting their receipt and understanding of the employee handbook and their responsibility for adhering to the policies and procedures therein. Employees are also required to sign a confidentiality agreement agreeing not to disclose proprietary or confidential information, including customer information, to unauthorized parties.
    2. Access Administration. Coupa employees do not have direct access to Customer Data, except where necessary for Technical Support, system management, maintenance, backups and other purposes separately authorized by Customer in writing. Access to Customer Data is further restricted to technical and customer support staff on a need-to-know basis. When an employee or contractor no longer has a business need for these privileges, his or her access is revoked in a timely manner, even if he or she continues to be an employee or contractor of Coupa. Coupa’s policies require Coupa personnel to report any known security incidents to Coupa management for investigation and action.
    3. Personnel Screening. Criminal background checks are performed for employees with access to Customer Data as part of the hiring process.
    4. Security Awareness and Training. Coupa maintains a security awareness program that includes training of Coupa personnel on Coupa’s security program. Training is conducted at the time of hire and periodically in accordance with Coupa’s information security policies.
    5. Subprocessors and Data Transfer. Coupa may engage Subprocessors and other Third-Party Suppliers (each as defined below) to perform some of its obligations under the Agreement. Coupa shall require that Subprocessors only access and use Customer Data in a manner consistent with the terms of the Agreement, and bind Subprocessors to written obligations to protect Customer Data. At the written request of Customer, Coupa shall provide additional information regarding Subprocessors and their locations. Customer may send such requests to Coupa’s Data Privacy Officer at [email protected]. “Third-Party Suppliers” means third-party contractors and suppliers engaged by Coupa in the context of the provision of the Hosted Applications or Coupa Platform. “Subprocessors” means those Coupa Affiliates and Third-Party Suppliers that have access to, and process, Customer Data. As part of providing the Hosted Applications or Coupa Platform, Coupa and its Subprocessors may transfer, store and process Customer Data in the European Economic Area, United States, India or any other country in which Coupa and its Subprocessors maintain facilities.
    6. Business Continuity Management Process. Coupa shall maintain a business continuity plan (BCP) that defines the processes and procedures for the company to follow in the event of a disaster and shall review and shall regularly test Coupa’s disaster recovery plan to ensure that it is capable of recovering Coupa assets and continuing key Coupa business processes in a timely manner.
  2. Physical access control
    1. Physical Protection of the Data Centers. Physical access to data centers is strictly controlled by the cloud infrastructure provider (“IaaS Provider”) both at the perimeter and at building ingress points by security staff. The IaaS Provider only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee or contractor no longer has a business need for these privileges, his or her access is immediately revoked, even if he or she continues to be an employee or contractor of the IaaS Provider. All physical access to data centers is logged and audited routinely.
    2. Availability. Data centers are built in various global regions. All data centers are online and serving customers; no data center is “cold.” In case of failure, automated processes move Customer Data traffic away from the affected area. The datacenters have backup power and environmental protection systems, which are regularly maintained and tested.
    3. Disaster Recovery. Coupa shall create a disaster recovery plan designed to provide appropriate technical and operational controls to deliver a recovery time objective (RTO) of no more than one day and a recovery point objective (RPO) of availability with data loss of no more than one hour for the Hosted Applications.
    4. Fire Detection and Suppression. Automatic fire detection and suppression equipment has been installed to reduce risk and damage to data center environments.
    5. Power. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Data center facilities have power backup and environmental protection systems in the event of an electrical failure for critical and essential loads in the facility.
    6. Climate and Temperature. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
    7. Monitoring. The IaaS Provider monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
  3. Technical security measures
    1. Database Protection. Database infrastructure is segregated from the application servers and the Internet via firewalls.
    2. Encryption. All communications are encrypted between the data exporter and the data centers using high-grade encryption (AES-256). Access to Coupa’s on-demand applications and services is only available through secure sessions (https) and only available with an authenticated login and password. Passwords are never transmitted or stored in their original form.
    3. Intrusion Protection. The application infrastructure is protected against intrusion by industry standard firewalls at the network, host, and application levels, and intrusion detection systems across all servers. Unless otherwise agreed by Coupa in writing, Customer is prohibited from performing its own penetration on any system of Coupa.
    4. Instance Isolation. Different IaaS instances are hosted on the same physical machine and are isolated from each other through the hypervisor layer. All packets pass through this layer, so that another instance has no more access to Customer’s instance than any other host on the Internet (i.e., the instances look like they are on separate physical hosts). Customer instances in the IaaS Provider infrastructure have no access to raw disk devices, but instead are presented with virtualized disks.
    5. Malicious Software Protection. The Hosted Applications and the Coupa Platform shall include reasonably up-to-date versions of system security agent software which shall include reasonably current and tested malware protection, patches and anti-virus protection.
    Customer will have a period of 60 days after the effective date of termination of the Agreement (“Transition Period”) to download any Customer Data. Customer may seek assistance from Coupa during the Transition Period to download large files. Upon such request, Coupa will promptly make available for download the data in comma separated value (.csv) format along with attachments in their native format (e.g., PDF, JPEG, etc.). For clarity, such data will not include system generated log files or Coupa specific configuration data. After the Transition Period, Coupa shall have no obligation to maintain or provide any Customer Data and may thereafter, unless legally prohibited, delete all Customer Data in its systems or otherwise in its possession or under its control.
    If Customer installs, uses, or enables third party services that interoperate with the Hosted Applications, then the Hosted Applications may allow such third party services to access, use, or otherwise process and transmit Customer Data. Coupa’s Security Program does not apply to any processing, storage, or transmission of data outside the Coupa Platform, and Coupa is not responsible for the security practices (or any acts or omissions) of any third party service providers engaged by or on behalf of Customer. The Coupa Security Program excludes: (i) data or information shared with Coupa that is not stored in the Coupa Platform; or (ii) data in Customer’s virtual private network (VPN) or a third party network other than one that is under a subcontract with Coupa to assist Coupa in fulfilling its obligations in the Agreement. Additionally, Coupa shall not be liable for any data used, processed, stored or transmitted by Customer or Users in violation of this Agreement.