Coupa Data Privacy Framework Statement

Data Privacy Framework Statement under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF

Coupa (as defined below) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Coupa has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Coupa has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

As used in this DPF Statement, “Coupa”, "we," "our" and "us" means Coupa Software Inc. and the following US-based Coupa entities:

  • LLamasoft LLC
  • BELLIN Treasury Services USA Inc.
  • Opex Analytics LLC

To learn more about the Data Privacy Framework (“DPF”) program, and to view Coupa’s certification, please visit https://www.dataprivacyframework.gov/.


Scope

This DPF Statement describes the DPF Principles and tells you how Coupa complies with those Principles.

This DPF Statement applies to and covers Personal Data which is transferred by Coupa from the European Economic Area (EEA), the United Kingdom, and/or Switzerland, to the United States of America, in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, as set forth by the U.S. Department of Commerce. If there is any conflict between the terms of this DPF Statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

You may also refer to the Coupa Privacy Policy for more information on how Coupa collects, uses, discloses and protects the Personal Data you submit to us, and for more information on how Coupa conducts cross-border data transfers and the measures we take to safeguard such Personal Data. If there is any conflict between the terms of the Coupa Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

Here is how we refer to the personal data that we handle and which is covered by this Statement:

“Personal Data” for the purposes of this Statement means any information relating to an identified or identifiable natural person. The DPF Principles and this Statement use certain terms that are defined by Applicable Data Privacy Laws.

“Applicable Data Privacy Laws” may include (i) the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), (ii) other data protection laws applicable in member states of the EEA, (iii) the UK Data Protection Act 2018, and/or (iv) the Swiss Federal Act on Data Protection (“FADP”).

We collect, maintain, use, and share “Business Personal Data” and “Human Resources Personal Data.” Here is what we mean by those terms:

“Business Personal Data” is personal data that enables identification of, authentication of, coordination of, and/or communication to, from, between, and/or among people who work for or with us, and/or for whom we provide goods or services. These people include, but aren’t limited to, employees, agents, contractors, customers, suppliers, users of our goods and services, and others with or through whom we do business or might do business, or for whose benefit we do business. Business Personal Data includes, but is not limited to, contact information, identification information, information about whereabouts, information about travel plans, information about goods and/or services to be provided by (or to) us, applications used, manner and extent of the use of applications, and directory information such as name, mobile and/or land telephone number, fax number, e-mail address, physical address, user ID, IP address, picture, language(s) spoken, title, organizational role, and systems or processes that such persons are authorized to utilize.

“Human Resources Personal Data” is human resources and benefit information used by one or more Coupa companies to evaluate, employ, retain, administer the employment and/or contractor relationship with, and/or receive or provide the services of, employees and/or direct or indirect contractors who are being considered to do, who do, or who have done work for, or for the benefit of, one or more Coupa companies.

How We Comply with the DPF Principles

The following sections will help you learn about how the DPF Principles protect your data and to see how Coupa’s policies and practices line up with such Principles.

Principle 1: Notice

  • We participate in the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF and this DPF Statement tells you how we do it. To see the DPF List, and find out more about the DPF, please visit Data Privacy Framework List.
  • We collect Business Personal Data and Human Resources Personal Data, as defined above. Each of the Coupa companies collects such data.
  • Our U.S. subsidiaries below also adhere to the DPF Principles in the same manner:
    • LLamasoft LLC
    • BELLIN Treasury Services USA Inc.
    • Opex Analytics LLC
  • We commit to subject all of the personal data received from the EEA, the United Kingdom and Switzerland, respectively, in reliance on the DPF to the Principles.
  • We collect personal data for the following reasons.
    1. So that data subjects can be contacted, and/or can contact each other, in order to do business.
    2. So that we can provide goods or services to data subjects and/or their organizations and/or receive goods or services from data subjects and/or their organizations.
    3. So that we can monitor the use of our goods and services for the purposes of maintenance, improvement, and contractual compliance.
    4. So that we can give to employees, agents, and/or contractors access to the systems and databases that they need to perform their work.
    5. So that we can effectively manage human resources, provide opportunities for individuals, and generally make advice and analyses available regarding employer-employee and contractor relationships between us and prospective, current, and past employees and/or contractors.
  • You can contact us using the information in the section below called “How to Contact Coupa”.
  • We may disclose personal information with certain third parties for specific purposes as described in the Coupa Privacy Policy and as further detailed below:
    1. Persons with whom we do business. We may provide personal data to others involved in the provision or receipt of goods and/or services so that we can cooperate in providing or receiving goods and/or services.
    2. Outsourcing providers. We may provide personal data to outsourcing providers who perform functions in support of our conduct of business. This might include data processing, storage, system administration, and similar functions.
    3. Successors. If we sell or otherwise transfer all or a part of our business, or are investigating the possibility of doing so, we may transfer to, or share with, the actual or potential buyer or other transferee, the personal data associated with the actually or potentially sold or transferred business.
    4. To comply with legal requirements. We may share personal data if required by law enforcement, government agencies, courts, or others where we believe that our cooperation with information requests is required by law.
    5. We provide personal information to others so that we can accomplish the purposes stated above.
    6. Anonymized information. If we anonymize personal data, we may share the anonymized data with anyone for any purpose.
  • You have the right to know what personal data we possess about you. You can access that personal data by contacting us using the information below in the section called “How to Contact Coupa”.
  • You have choices about what personal data we retain and how we use it. See the details in Principle 2: Choice.
  • Coupa commits to resolve complaints about our collection or use of your personal data. Individuals with inquiries or complaints regarding our DPF Statement should first contact Coupa at:

Privacy Office 
Coupa Software, Inc. 
[email protected]

  • Coupa has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved DPF complaints concerning data transferred from the EEA and Switzerland.
  • We are subject to the investigatory and enforcement powers of the United States Federal Trade Commission (the “FTC”). You can learn more about the FTC’s role in enforcement of the DPF here.
  • Under certain circumstances, you can invoke binding arbitration. You can consult the DPF website for more information on conditions giving rise to binding arbitration.
  • We will disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  • If we transfer personal data to a third party and that transfer, or an act or omission by the third party, results in a violation of the Principles, we are liable for the transfer and/or the act or omission, even if it was the third party that committed the act or omission.

Principle 2: Choice

  • You have the right to choose (opt out) whether your personal data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by you.
  • If you wish to opt out, all you need to do is contact us using the information in the section called “How to Contact Coupa”.
  • Applicable Data Privacy Laws allow certain exceptions to your ability to opt out, such as where we are parties to a contract that is still being performed, where law requires us to maintain such information, or otherwise. Where applicable law permits us to retain and continue to use such information and we do so, we will do so only to the extent permitted or required by law.
  • If you contact us to opt out, we will explain the options available and comply with your request as required by the Principles and applicable law.
  • The above choice/opt-out doesn’t apply where the sharing of your personal data is with a third party who is acting as our agent (such as our service providers who perform services that help us to run our business). We won’t provide your personal data to a third party under these circumstances unless we have a contract in place with that third party that requires the third party to comply with the Principles.
  • We will obtain your affirmative express consent (opt in) if we collect sensitive information and that information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt-in choice. We also treat as sensitive any personal data received from a third party where the third party identifies and treats it as sensitive.

Principle 3: Accountability for Onward Transfer

  • When we transfer personal data to a third party acting as a controller, we comply with the Notice and Choice Principles in the ways stated above.
  • We also enter into contracts with third-party controllers that provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual, and that the third-party controller will provide the same level of protection as the Principles and will notify us if it makes a determination that it can no longer meet this obligation. Those contracts provide that, when such a determination is made, the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.
  • Where we transfer personal data to a third party acting as an agent, (i) we transfer such data only for limited and specified purposes; (ii) we require (usually by contract) at least the same level of privacy protection as is required by the Principles; (iii) we take reasonable and appropriate steps to ensure that the agent effectively processes the personal data transferred in a manner consistent with the organization’s obligations under the Principles; (iv) we require the agent to notify us if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), we take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) we will provide a summary or a representative copy of the relevant privacy provisions of our contract with that agent to the Department of Commerce upon request.

Principle 4: Security

  • We take reasonable and appropriate measures to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into due account the risks involved in the processing and the nature of the personal data. We do this by adhering to internal policies and practices designed to meet these requirements.


Principle 5: Data Integrity and Purpose Limitation

  • We process personal data that we need in order to carry out our business. We only process personal information in a way that is relevant and compatible with the purposes for which we collected it or subsequently authorized by the data subject.
  • We take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.
  • We adhere to the Principles for as long as we retain the personal data.
  • Except as otherwise permitted by the Principles, we destroy or anonymize personal data after it no longer serves a purpose of processing as contemplated above and/or once a lawful basis for processing it ceases to exist.

Principle 6: Access

  • We give data subjects access to such personal data as we have that pertains to them and will help to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the Principles. If you wish to contact us to access your information, you can do so using the information in the section called “How to Contact Coupa”.
  • We reserve the right to limit such access and related activity where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated.

Principle 7: Recourse, Enforcement and Liability

  • In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Coupa commits to resolve complaints about our collection or use of your personal information. Individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF should first contact Coupa at:

Privacy Office 
Coupa Software, Inc. 
[email protected]

  • In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Coupa commits to cooperate and comply respectively with the advice of the panel established by EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of Human Resources Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.
  • In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Coupa commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States, the European Union, the United Kingdom and/or Switzerland. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit JAMS EU U.S. Data Privacy Framework for more information or to file a complaint. The services of JAMS are provided at no cost to you.
  • Under certain circumstances, you can invoke binding arbitration. You can consult the DPF website for more information on conditions giving rise to binding arbitration.
  • The corporate officer identified in our DPF certification (which you can see by looking us up at https://www.dataprivacyframework.gov/) is in charge of verifying that our attestations are true and that privacy practices have been implemented. That person has the necessary authority to carry out these functions. Additionally, our policies and procedures require our personnel to treat complaints and noncompliance as required by the Principles.
  • Personnel who violate our privacy policies will be subject to disciplinary process. Our procedures, as contained in appropriate handbooks, job descriptions, policies, and notices announce our compliance with the Principles and provide for appropriate sanctions for noncompliance by our employees and agents.
  • We will, and we will cause our independent recourse mechanisms to, promptly comply with any requests by any applicable government agency for information relating to the DPF and we will respond to complaints by EU Member State, UK or Swiss authorities as required by the Principles.
  • We take responsibility for our agents’ compliance with the Principles for all personal data that we receive under the DPF. We require our agents, by contract or otherwise, to comply with the Principles when processing such personal data. We will be and remain liable for such processing unless we prove that we are not responsible for the event giving rise to the damage.
  • When we become subject to an FTC or court order based on noncompliance, we will make public any relevant DPF-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.

How to Contact Coupa

You can contact us using the following information.

Privacy Office 
Coupa Software, Inc. 
[email protected]