Our success is dependent on your trust
We are committed to being responsible, trustworthy custodians of our customers’ data. We believe that you have the right to know where we store your data, how we manage it and how we use it.
Information security plays a very important role for commercetools, as well as for our customers and partners, because all of us depend on efficient and available information processing.
To this end, a framework of governance, risk management and compliance monitoring has been established, based on industry standards and applicable data protection laws. Information security is, therefore, an integral part of the commercetools corporate strategy.
Managing customer data responsibly is of the utmost importance. The commercetools platform has been built as a truly cloud-native, multi-tenancy platform and runs in certified data centers at several locations in Europe, the US and APAC. The entire infrastructure, development and processes take full advantage of state-of-the-art cloud functionality.
Data center: The commercetools platform is hosted on Google Cloud Platform (GCP) or Amazon Web Services (AWS) and guarantees the implementation of measures according to the red security level. Both cloud service providers operate state-of-the-art data centers that treat security and protection of data as primary design criteria. This is demonstrated by their ISO/IEC 27001 certificates and SOC 2 reports.
Offices: Access to commercetools offices is restricted and monitored by reception staff, who are also responsible for visitor management. According to the security zone concept, some areas are locked, and visitors must be accompanied by employees.
Cloud traffic is protected by pre-configured WAF rules from our cloud service providers, and traffic to the commercetools platform is encrypted with state-of-the-art ciphers only.
All access to the commercetools office network is controlled, limited and monitored, and all communication is encrypted using WPA2 with a 256-bit AES key. The implemented firewall enables scalable and centralized management of multiple endpoints.
All communications are available only via HTTPS and are secured by TLS 1.2. The storage layer (hard disk) is encrypted with AES-256. All user passwords are securely encrypted with state-of-the-art algorithms and are never stored in plain text. The platform is continuously scanned for open ports and weak SSL certificates/configurations. Full isolation and segregation of persistent data are ensured and verified by regular penetration tests.
commercetools requires all employees and contractors to sign a confidentiality agreement before commencement. Security and Privacy awareness training is regularly delivered to all commercetools members.
commercetools utilizes geographically separate environments to protect against data loss and to provide reliability and constant uptime of our systems. Backups are encrypted and stored on different storage media than production data.
We have implemented policies and procedures, managed by our Information Security Management System (ISMS). The Information Security Officer coordinates and reviews all areas of our ISMS to continuously improve effectiveness and efficiency.
commercetools is a visionary headless commerce platform best suited for microservices architectures. commercetools enables businesses to create seamless shopping experiences across all digital touchpoints, such as smartphones, tablets, and devices like smartwatches and digital PoS. The SaaS (software-as-a-service) solution is deployed containerized and has the same structure regardless of the cloud service provider (GCP or AWS). Full auto-scaling provides very high availability.
Business Continuity Management (BCM)
The goal of our Business Continuity Management is to ensure that the required services can be recovered within defined and agreed business timescales. The implemented business continuity plan identifies the organization’s exposure to internal and external threats and combines hard and soft assets to provide effective prevention and recovery for the organization. The plan includes activities under adverse circumstances, such as natural disasters, organized crime or human failure, to keep the day-to-day business going.
The goal of Performance Management is to optimize the capability of the infrastructure, services and supporting organization to deliver a cost-effective and sustained level of availability and reliability that enables customers to meet their business objectives. Due to the distributed, cloud-native and asynchronous architecture of the commercetools platform, it is possible to auto-scale as overall platform load across all customers increases.
Change Management Process
A change can be requested by the customer via support ticket, initiated by the Platform Support Team, or suggested internally to improve a component or process, or to resolve a bug. All development of platform and infrastructure is pushed through automated CI/CD pipelines in appropriate development and test environments. Several reviews and approvals are required before the code is deployed to further environments through to production.
Before new suppliers are onboarded, it is verified that they provide the same level of protection, and their technical and organizational measures are documented. Our most important subcontractors are our cloud service providers.
Our cloud service providers are regularly subject to independent verification of their security, privacy and compliance controls, achieving certifications, attestations of compliance or audit reports against standards around the world.
Want to know more?
commercetools also continuously undergoes independent verification of platform security, privacy and compliance controls. Our strong and growing focus on standard conformance and compliance will help you meet your regulatory and policy objectives.
The audit reports can be requested with a signed NDA. Please contact your sales contact or send your request to see the audit reports to email@example.com.
Our data protection management system has been integrated into our information security management system, and both are based on the controls of ISO/IEC 27001 and ISO/IEC 27701. Both management systems are centrally managed and regularly checked as part of internal and external audits.
Security of Data Processing Activities
The service provider/processor implements appropriate technical and organizational measures (TOMs) to secure information.
Data controller deletion requests are executed upon instruction. Deletion concepts for internal business data have been implemented.
Data Processing Agreement
The GDPR requires data controllers (such as organizations using the commercetools platform) to only use data processors (commercetools) that provide sufficient guarantees to meet the requirements of GDPR Article 28. The data processing agreement can be requested at firstname.lastname@example.org.
Data Protection Officer
commercetools has assigned an external Data Protection Officer who works closely with the internal Data Protection Coordinator. Get in touch via email: email@example.com.
International Data Transfer
Like previously applicable EU data protection law, the GDPR requires companies to use a recognized legal mechanism for the transfer of data from the EU to other countries that do not provide a comparable framework for data protection. EU standard contractual clauses have been agreed with all processors outside the EU.
Compliant with GDPR, CCPA and the Australian Privacy Act
Privacy is an important aspect of our lives and affects the way we all do business. Compliance with a number of privacy laws worldwide is a top priority for commercetools and our customers.