We believe that you have the right to know where we store, manage and use your data.
Information security plays a very important role for commercetools, as well as for our customers and partners. That’s why we’ve developed a framework of governance, risk management and compliance monitoring based on industry standards, as well as applicable data protection laws in all regions.
How we keep customer data secure
For commercetools, managing customer data responsibly is of the utmost importance. We continuously update our practices, certifications and test types to ensure an ironclad security environment, and all our internal practices follow the latest security and data regulations so we are always up to date. Our "blameless culture" supports a positive mindset for information security and privacy. Plus, the commercetools solution has been built as a cloud-native, multi-tenant solution and runs in certified data centers at several locations in Europe, the US and APAC.
To secure data against advanced cyber threats, we perform real-time monitoring, security analysis, and threat detection with rapid response capabilities. We partner with our cloud infrastructure providers to ensure security intelligence and data analysis. Complete isolation and segregation of persistent data are ensured and checked, and regular penetration tests are conducted.
We protect network traffic using pre-configured WAF rules and state-of-the-art encryption. Access to the commercetools office network is limited, monitored, and encrypted. Our firewall allows centralized management of multiple endpoints.
A rundown of our certifications
commercetools continuously undergoes independent verification of platform security, privacy and compliance controls.
New! ISO/IEC 27001: Our Information Security Management System (ISMS) has been audited and meets or exceeds the requirements of ISO/IEC 27001. It is centrally managed and regularly checked as part of internal and external audits. ISO/IEC 27001 is the international standard for a rock-solid Information Security Management System (ISMS) that shows customers, suppliers, and stakeholders that we implement adequate controls to safeguard data and information assets.
TISAX: TISAX stands for Trusted Information Security Assessment Exchange, a mechanism for the exchange of testing information, which is operated by ENX Association as a common trust anchor. We are TISAX-certified in the modules “Handling of Information with High Protection Level” and “Handling of Personally Identifiable Information according to Article 28 of the EU General Data Protection Regulation.”
GDPR: We are GDPR-compliant, verified by external audits. The General Data Protection Regulation (GDPR) aims to strengthen personal data protection in the European Union. Compliance with GDPR is a top priority for commercetools and our customers.
Bulletproof protection on the cloud
commercetools is cloud-native, meaning we are in the cloud as a first-class citizen, not on the cloud only to run compute workloads. Our two cloud infrastructure partners are Google Cloud and Amazon Web Services (AWS), and both companies, alongside commercetools, take security and data protection extremely seriously.
Following the latest global, regional and local regulations, such as GDPR compliance, Google Cloud has achieved essential certifications such as ISO/IEC 27001 and SOC 2. The combined solution of commercetools + Google Cloud is multi-tenant and ensures the highest level of data separation by storing the data of each project in a separate database. Projects are only accessible to the customer who created them, and complete isolation and segregation of persistent data are ensured and regularly checked. In addition, this cloud network setup is VPC-native and is protected by automated code scans, security-relevant logging, and vault and credential rotation.
AWS also supports a wide array of security standards and compliance certifications, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2 and NIST 800-171, helping brands satisfy compliance requirements for virtually every regulatory agency around the globe. Through a shared responsibility model, brands using commercetools + AWS can manage risk effectively and efficiently in their IT environment through compliance with established, widely recognized frameworks and programs.
As you can see, we take numerous measures to ensure that our customers’ data is ironclad. We pride ourselves on the vigilance we employ to protect our customers' data assets, and continually stress that a mature security organization requires coordinated dedication across technology, procedures and people. Plus, our strong and growing focus on standard conformance and compliance will help you meet your own regulatory and policy objectives.