Security Considerations
API Integration
cXML
For overall security and transport encryption, Coupa supports secure HTTP (HTTPS) using TLS 1.1 and above.
Secure REST API
To secure REST API calls, Coupa recommends using its OAuth capabilities.
sFTP Integration
Protocol
Coupa primarily exchanges files with customers via the SFTP protocol. We support either username/password or SSH key authentication (talk to your Coupa contact to get the SFTP credentials). SFTP is preferable to FTP because both the control and data channels are encrypted.
As part of the R15 release, Coupa will support PGP encryption of the files exchanged through SFTP.
Coupa supports RSA 2048-bit keys for SSH authentication.
Whitelisting the IPs
To ensure a secure connection between networks, Coupa provides a complete list of its public IP addresses and recommends that customers whitelist them. With the exceptions listed on the pages linked below, Coupa has registered all IP addresses and ranges with Amazon Web Services (AWS). Coupa's newer IP addresses and ranges are registered with the American Registry for Internet Numbers (ARIN). While whitelisting our entire IP ranges is highly recommended, you can choose to whitelist only a subset of them. If you must do this, review the information at the links below to avoid any unintended service disruptions.
- US IP Address (for SFTP addresses look for information under the SFTP column): https://coupadocs.atlassian.net/wiki...S+IP+Addresses
- EU IP Address (for SFTP addresses look for information under the SFTP column): https://coupadocs.atlassian.net/wiki...U+IP+Addresses
- AU IP Address (for SFTP addresses look for information under the SFTP column): https://coupadocs.atlassian.net/wiki...a+IP+Addresses
- HIPAA IP address - applicable only for HIPAA customers (for SFTP addresses look for information under the SFTP column): https://coupadocs.atlassian.net/wiki...A+IP+Addresses
SFTP folder structure
Once you log in using the SFTP account credentials, you will see the following standard Coupa folder structure. Use only the folders that are applicable (as mentioned in each scenario).
Outgoing
/Outgoing/ExpenseReports
/Outgoing/Invoices
/Outgoing/PurchaseOrders
/Outgoing/Receipts
/Outgoing/Suppliers
Incoming
/Incoming/Accounts
/Incoming/AccountValidationRules
/Incoming/Addresses
/Incoming/ApprovalChains
/Incoming/BudgetLines
/Incoming/BusinessGroups
/Incoming/Commodities
/Incoming/Contracts
/Incoming/Departments
/Incoming/ExchangeRates
/Incoming/ExpensePayments
/Incoming/InvoicePayments
/Incoming/Invoices
/Incoming/Items
/Incoming/LookupValues
/Incoming/Receipts
/Incoming/RemitToAddresses
/Incoming/Requisitions
/Incoming/Suppliers
/Incoming/Users
Archive
/Archive/Incoming/
/Archive/Incoming/Accounts
/Archive/Incoming/AccountValidationRules
/Archive/Incoming/Addresses
/Archive/Incoming/ApprovalChains
/Archive/Incoming/BudgetLines
/Archive/Incoming/BusinessGroups
/Archive/Incoming/Commodities
/Archive/Incoming/Contracts
/Archive/Incoming/Departments
/Archive/Incoming/ExchangeRates
/Archive/Incoming/ExpensePayments
/Archive/Incoming/InvoicePayments
/Archive/Incoming/Invoices
/Archive/Incoming/Items
/Archive/Incoming/LookupValues
/Archive/Incoming/Receipts
/Archive/Incoming/RemitToAddresses
/Archive/Incoming/Requisitions
/Archive/Incoming/Suppliers
/Archive/Incoming/Users
File storage policies
Coupa SFTP should be used for exchanging files, not for storing or archiving them. All outbound files from Coupa are placed under the respective outbound folders; the customer system should pick up each file, process it, and delete it from Coupa SFTP. Partners may archive the file on the partner system.
For inbound files to Coupa, files are picked up and start processing within a couple of minutes. Once successfully picked up, files are archived under ‘/Archive/Incoming’. Archived files are moved to AWS backup after 2 weeks.
Files are still available to download from the ‘File Status’ page of Coupa.
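The outbound pickup policy described above (fetch from the outbound folder, then delete from Coupa SFTP), as an added example that is not Coupa's code: a remote file is deleted only after a size-verified local copy has been published atomically. It assumes a client object with paramiko.SFTPClient-style `listdir_attr`/`get`/`remove` methods; `pick_up`, `FakeSFTP`, `demo` and the sample files are hypothetical.

```python
import os
import stat
import tempfile
from types import SimpleNamespace

def pick_up(sftp, remote_dir, local_dir):
    """Fetch each regular file in remote_dir, verify it, then delete it remotely.
    Assumption: sftp has paramiko.SFTPClient-style listdir_attr/get/remove."""
    os.makedirs(local_dir, mode=0o700, exist_ok=True)
    fetched = []
    for entry in sftp.listdir_attr(remote_dir):
        name = entry.filename
        # Ignore sub-directories and names that could escape local_dir.
        if not stat.S_ISREG(entry.st_mode or 0) or "/" in name or name in (".", ".."):
            continue
        remote = f"{remote_dir}/{name}"
        fd, tmp = tempfile.mkstemp(dir=local_dir, prefix=".part-")
        os.close(fd)
        try:
            sftp.get(remote, tmp)
            if os.path.getsize(tmp) != entry.st_size:
                raise OSError(f"short transfer for {remote}")
            os.replace(tmp, os.path.join(local_dir, name))  # atomic publish
        except OSError:
            os.remove(tmp)  # keep the remote copy; the next run retries it
            continue
        sftp.remove(remote)  # delete only after a verified local copy exists
        fetched.append(name)
    return fetched

class FakeSFTP:  # constructed in-memory stand-in for an SFTP session
    def __init__(self, files, truncate=()):
        self.files, self.truncate = dict(files), set(truncate)
    def listdir_attr(self, path):
        return [SimpleNamespace(filename=p.rsplit("/", 1)[1], st_size=len(data),
                                st_mode=stat.S_IFREG | 0o600)
                for p, data in self.files.items() if p.rsplit("/", 1)[0] == path]
    def get(self, remote, local):
        with open(local, "wb") as fh:  # truncated copy simulates a dropped link
            fh.write(self.files[remote][:3 if remote in self.truncate else None])
    def remove(self, path):
        del self.files[path]

def demo():
    d = "/Outgoing/Invoices"  # folder from the page; file names and contents are constructed
    server = FakeSFTP({d + "/inv_001.csv": b"id,total\n1,10\n",
                       d + "/inv_002.csv": b"id,total\n2,20\n"},
                      truncate={d + "/inv_002.csv"})
    with tempfile.TemporaryDirectory() as local:
        return pick_up(server, d, local), sorted(server.files), sorted(os.listdir(local))
```

In `demo()`, the second file's transfer is cut short, so it stays on the server for the next run and no partial file is left in the local directory.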