Quick Guide: Data Processing Agreement

Revised: 16 November 2021

Background

The coming into force of Regulation (EU) 2016/679 (“GDPR”) brought about a lot of changes to the data protection landscape and legal compliance requirements. Two of those are (1) the requirement of a written and specific data processing agreement and (2) direct responsibilities and liabilities of the data processor.

Thus, both the processor (Coupa) and the controller (You) have a joint interest in entering into a data processing agreement (“DPA”) that fully complies with the requirements of Article 28 GDPR. And, at Coupa, we are ready to get the task done in a compliant and seamless fashion.

This quick guide provides you with an overview of the Coupa DPA and our rationale for pushing our template. Please note that the specific details of such a DPA depend on a customer's individual subscription scope and configuration. This quick guide is subject to change.

Our DPA has been updated to reflect the new standard contractual clauses of the European Union.

The Coupa DPA

The Coupa DPA is not only fully GDPR compliant but already tailored to the Coupa offering. We have drafted the Coupa DPA template with assistance from our external legal advisors and keep it up-to-date with changes on the Coupa Platform. As a general principle, we regularly review our contract templates and take in best practices and customer feedback when updating terms.

  • On the one hand, any customer template is necessarily generic and thus is missing those solution-specific details which are required for a complete and ready-to-use DPA. Any customer DPA template is incomplete and cannot be signed without material amendments.

  • On the other hand, Coupa operates a unified IT security policy on the platform level, not specific to a customer instance. Setting up a customer-specific IT security policy – as suggested by most customer DPA templates – just for such an instance does not compute in a multi-tenant cloud environment.

  • Last but not least, our customers benefit from an all-for-one / one-for-all operations approach, which also means that any improvement in our IT policy will be available to all our customers.

We are happy to enter into a GDPR compliant DPA. And, if you wish to get to a GDPR compliant contract quickly and efficiently, we need to start from the Coupa DPA template.

Similarly to the DPA in Europe, Coupa has a US Privacy Addendum to meet the relevant US privacy requirements, and an LGPD Addendum for Brazil.