// Trust & Security Report

    Coupa Software Inc. logo

    Coupa Software Inc.

    AI-native total spend management platform covering procurement, finance, and supply chain

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Coupa Compliance Program performs an annual audit to validate that Coupa is in compliance with HIPAA, SSAE 18 SOC 1 and SOC 2 Type II Controls.

    Verify on get.coupa.com
    SOC 1 Type II (SSAE 18)
    HELD

    Coupa Compliance Program performs an annual audit to validate that Coupa is in compliance with HIPAA, SSAE 18 SOC 1 and SOC 2 Type II Controls.

    Verify on get.coupa.com
    ISO/IEC 27001:2022
    HELD

    Coupa maintains a certified Information Security Management System (ISMS) that conforms to ISO/IEC 27001:2022 requirements.

    Verify on success.coupa.com
    ISO/IEC 27701:2019
    HELD

    ISO 27701/ISO 27001 and Global Privacy Recognition for Processor (Global/PRP) - certified global privacy program

    Verify on compass.coupa.com
    ISO/IEC 42001:2023 (AI Management System)
    HELD

    Coupa Earns ISO 42001 AI Certification Press Release Feb 7, 2026

    Verify on coupa.com
    PCI DSS
    HELD

    some of the standards that we certify with include AICPA SOC I and SOC II, PCI, and ISO27001

    Verify on compass.coupa.com
    HIPAA
    HELD

    Coupa Compliance Program performs an annual audit to validate that Coupa is in compliance with HIPAA, SSAE 18 SOC 1 and SOC 2 Type II Controls.

    Verify on get.coupa.com
    FedRAMP Moderate
    HELD

    Coupa Business Spend Management for Federal Achieves FedRAMP Authorization (newsroom; applies to the dedicated federal-edition product, not the general commercial instance)

    Verify on coupa.com
    GDPR (DPA available)
    HELD

    We are happy to enter into a GDPR compliant DPA. And, if you wish to get to a compliant GDPR compliant contract fast and efficient we need to start from the Coupa DPA template.

    Verify on compass.coupa.com
    Global Privacy Recognition for Processor (Global/PRP)
    HELD

    Coupa's privacy program is ISO27701 and Global PRP1 certified, and it is integrated into our Enterprise Risk Management process together with all other significant compliance domains.

    Verify on compass.coupa.com
    > Show 2 unconfirmed / not-held certifications
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any coupa.com or compass.coupa.com page confirming CSA STAR registration or certification.

    ISO/IEC 27017
    NOT CONFIRMED

    No public evidence found on Coupa domain pages confirming ISO 27017 certification.

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    US, EU/EEA, APAC, UAE; 'Coupa hosts customer instances either in the Europe Economic Area, United States of America, in the APAC region or as otherwise agreed.'

    Coupa uses aggregated, anonymized customer transaction data for its community AI intelligence: 'Coupa AI is community-generated — trained on the world's largest anonymized, customer-contributed enterprise data set' ($10T in spend data from 10M+ buyer/supplier community). Raw customer-identifiable data is not used; however, customer spend transactions contribute to community benchmarking and AI model training by default. A US Privacy Addendum, UK Addendum, Swiss Addendum, and LGPD Addendum are available alongside the EU GDPR DPA. The privacy program is mapped to GDPR, CCPA, CPRA, HIPAA, PIPEDA, and privacy laws in 15+ jurisdictions.

    // Security controls

    Encryption in transit

    TLS 1.2+ (HTTPS for all web access; SFTP for file transfers). 'Access to Coupa's on-demand applications and services is only available through secure sessions (https).'

    compass.coupa.com

    Encryption at rest

    AES-256. 'All communications are encrypted between the data exporter and the data centers using high-grade encryption (AES-256), and customer data is encrypted at rest in the Coupa Platform.'

    success.coupa.com

    Backup encryption

    All backups encrypted at rest; 10-minute backup cycle to AWS S3.

    success.coupa.com

    Penetration testing

    Regular penetration testing conducted as part of application security controls.

    success.coupa.com

    Firewall and IDS

    Firewalls at network, host, and application levels; intrusion detection systems across all servers.

    success.coupa.com

    Uptime SLA

    99.99% contractual SLA; May 2026 actual: 99.98%.

    compass.coupa.com

    Data center infrastructure

    RAID-class hardware with real-time replication to secondary data center. Hosted on AWS across US, EU, APAC, and UAE regions.

    coupa.com

    Access control

    Authenticated login required for all access; passwords never transmitted or stored in original form; 2FA/MFA available.

    compass.coupa.com

    // Products & data scope

    Coupa ProcurementSource-to-Pay / Procurement

    data: Purchase orders, supplier data, requisitions, contracts, spend data

    Core product; handles full S2P lifecycle. Community AI benchmarking uses aggregated/anonymized spend data.

    Coupa Finance (AP Automation)Accounts Payable / Invoice Management

    data: Invoices, payment data, financial records

    Includes digital payments and AP automation. PCI DSS certification covers cardholder data in Coupa Pay.

    Coupa Supply Chain Design and PlanningSupply Chain Management

    data: Supply chain models, logistics data, demand/supply forecasts

    Uses GenAI and ML trained on customer-contributed supply chain data.

    Coupa PayDigital Payments / Treasury

    data: Payment card data, banking data, FX transactions

    PCI DSS compliant environment; FedRAMP-authorized variant for federal government clients.

    Coupa Travel and ExpenseT&E Management

    data: Employee expense reports, travel bookings, receipts

    Integrated with Coupa Finance; covered under same compliance certifications.

    Coupa Strategic SourcingSourcing / RFx

    data: Supplier bids, sourcing event data, pricing benchmarks

    Community AI pricing intelligence uses anonymized market data from the Coupa network.

    Coupa Contract ManagementCLM

    data: Contract documents, obligations, counterparty data

    Covered under main platform certifications.

    Coupa AI (cross-platform)AI / Analytics

    data: Aggregated, anonymized spend and transaction data from all customers

    Community intelligence model: customer transactions contribute (anonymized) to $10T spend dataset. ISO 42001 certified AI governance.

    // What to watch

    • AI trains on aggregated anonymized customer spend data by default ('community intelligence'): customers implicitly contribute $10T+ spend dataset. Review MSA Section on data use before signing.
    • FedRAMP Moderate applies only to 'Coupa Business Spend Management for Federal', a dedicated government instance — not the standard commercial product.
    • Trust portal (compass.coupa.com) requires Okta SSO for detailed compliance reports; only summary information is publicly accessible without authentication.
    • coupa.com main domain returns HTTP 403 for direct fetch of compliance, privacy policy, and newsroom pages — evidence gathered via search summaries and non-authenticated trust portal pages.
    • Cloud-only SaaS — no self-hosted or on-premise option for the standard platform (legacy on-premise Master License Agreement exists for prior customers).
    • Data residency region is assigned at contract time; no documented self-service ability to choose or change region post-deployment.
    • ISO 42001 newsroom page returned 403 on direct fetch; certification confirmed via search index showing coupa.com newsroom URL and title dated February 7, 2026.

    // At a glance

    Pricing model

    Enterprise SaaS subscription; custom pricing only, not publicly listed. Modular by product (procurement, finance, supply chain).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Coupa Software Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    compass.coupa.com

    > Browse all vendor trust reports