Quick Guide: Subprocessors
Background
Subject to the instruction of a Customer, Coupa Software, Inc. ("Coupa") hosts a Customer instance in the European Economic Area, the United States of America, the APAC region, or as otherwise agreed. In the course of providing services on the Coupa Platform, Coupa personnel located inside and outside of the selected hosting region may require access to Customer Data.
In addition, Coupa and its Affiliates engage third-party contractors and suppliers in the context of the provision of the Coupa Platform and selected Hosted Applications (“Third-Party Suppliers”). Some of these Third-Party Suppliers may have access to, and process, Customer Data, including Customer Personal Data (“Subprocessors”).
This quick guide provides an overview of the Subprocessors currently used by Coupa in the performance of the Coupa services. Please note that the specific details of Subprocessors used for each Customer depend on the individual subscription scope and configuration. This quick guide is subject to change.
Default Subprocessors
If you are a customer on the Coupa platform, the following Third-Party Suppliers are used as default Subprocessors.
Name and Address | Scope of Subprocessing |
---|---|
Amazon Web Services Inc. Fortune Chambers, 410 Terry Avenue North Seattle, WA 98109-5210, USA https://aws.amazon.com/ | Cloud-Infrastructure Services (including Rekognition service (https://aws.amazon.com/rekognition/faqs/) where regional availability and restrictions apply[i] and Simple Email Service)[ii] |
Coupa and its Affiliates in the European Economic Area, USA, UK, Colombia, and India | Customer Support Services |
Additional Subprocessors
Depending on the individual subscription scope and configuration of a Customer on the Coupa platform, the following Third-Party Suppliers are used as additional Subprocessors by Coupa when providing the services.
Name and Address | Hosted Application / Service | Scope of Subprocessing |
---|---|---|
Looker Data Sciences Inc. a Google company; Snowflake Inc. | Analytics | Reporting, analytics, and dashboarding |
TrustWeaver AB a Sovos Compliance, LLC company | Compliant eInvoicing, Expenses | Electronic signature |
Microsoft Corp. | InvoiceSmash Supply Chain Collaboration | Cloud-Infrastructure Services (separate hosting) |
Amazon Web Services Inc. | Platform Capabilities | Sensitive information protection for Generative AI applications |
Traxo, Inc. | Expenses | Parses confirmation emails and passes travel itinerary information to Coupa Travel Service for processing. |
Google LLC. | Various (Expenses, Mobile, CSP, Spend Guard, InvoiceSmash, Contracts, Contract Intelligence) | Google Vision (OCR)[iii], Google Translation, Google Maps, Google Places, Google Analytics[iv] |
Twilio Inc. | Supplier Portal - Notification (if enabled by supplier) | Sends text message notification to the supplier |
Conferma Ltd. | Pay | Provides connectivity to Banks, Credit Card Networks, and other Conferma partners |
Mastercard International Incorporated | Pay | Provides connectivity to issuers and banks |
CXG Outsourcing EOOD | Managed Services | Provides additional staffing for AIC data analytics, supplier enablement, and other managed services |
Iterable, Inc.; Segment.io, Inc. a Twilio company | Early Payment Discounting | Provides messaging services to suppliers and financing partners |
Viewpost North America, LLC | Pay | Check Printing |
Qlik Technologies Inc. | SCDP | Visualization |
[i] For more details see https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/.
[ii] For more details see https://aws.amazon.com/ses/.
[iii] Google uses distributed global data centers to temporarily process image files and return the results of the OCR function. Google currently does not offer regionalization of processing within Google Cloud Vision API. For more details see https://cloud.google.com/vision/docs/data-usage.
[iv] Google Translation, Google Maps, Google Places and Google Analytics may, in their terms of use, seek to use customer personal data from time to time; however, Coupa does not share such personal data with Google. Coupa utilizes Google Maps for certain products which require location-based services. Google requires that the following terms are notified to customers as part of Coupa’s obligations in its use of Google Maps: (1) Google Maps/Google Earth Additional Terms of Service: https://maps.google.com/help/terms_maps.html; and (2) Google Privacy Policy: https://www.google.com/policies/privacy/.
Legacy Subprocessors & Subcontractors
If you are a Customer on a legacy platform of a company previously acquired by Coupa, the following legacy subcontractors are currently used. Depending on the configuration, some of the legacy subcontractors may have access to Customer Personal Data and thus qualify as a Subprocessor. Other subcontractors are listed for information only.
Legacy Application | Name and Address | Scope of Services |
---|---|---|
2017 - Simeno | ITpoint Systems AG | Cloud-Infrastructure Services |
2018 - Aquiire | Microsoft Corp. (details as before) | Cloud-Infrastructure Services |
2018 - DCR Workforce | Amazon Web Services Inc. (details as before) | Cloud-Infrastructure Services |
2018 - DCR Workforce | Microsoft Corp. (details as before) | Cloud-Infrastructure Services |
2019 - Exari | Amazon Web Services Inc. (details as before) | Cloud-Infrastructure Services |
2020 - Bellin | PlusServer GmbH | Colocation Services |
2020 - Bellin | ComputerLine GmbH | Colocation Services |
2020 - LLamasoft | Amazon Web Services Inc. (details as before) | Cloud-Infrastructure Services |
Legal Disclaimer - This website is provided for informational purposes only and should not be considered as legal advice and does not discuss other privacy-related laws or regulations that may also be relevant to our customers and prospects, including any industry-specific requirements. The relevant privacy and data protection laws and regulations applicable to individual companies will depend on several factors, including but not limited to where a company conducts its business, the industry in which it operates, the type of content it wishes to store, where or from whom the content originates, and where the content will be stored.