Technical and Organizational Measures as Processor

Last Updated: January 23, 2025

The following technical and organizational measures according to Art. 32 GDPR concern the protection of the data processing carried out by commercetools as a data processor.

Technical and organizational measures of the cloud providers of commercetools can be reviewed here:

Google: https://cloud.google.com/security/compliance

AWS: https://aws.amazon.com/de/compliance/programs/

The following abbreviations are used in this document: C=Confidentiality, I=Integrity, A=Availability.

Where offices are not explicitly named, the measures apply generally.

1. Access Control

  • Access to office premises with key token (Offices Berlin & Munich) (C, I, A)
  • Formal documentation of key and key token distribution procedures (Offices Berlin & Munich) (I)
  • Action defined in case of loss of key token or cylinder key (Offices Berlin & Munich) (C, I, A)
  • Guidelines for the presence of visitors (visitor management) (Offices Berlin & Munich) (C, I, A)
  • Documents with personal data must be stored in lockable furniture at times of absence and after business hours according to security zone concept (Offices Berlin & Munich) (C, I, A)
  • Burglar alarm to protect all access areas after business hours (Offices Berlin & Munich) (C, I, A)
  • Security Zone Concept (Access Management) (Offices Berlin & Munich) (C, I, A)
  • Lockable office rooms (Offices Berlin & Munich) (C, I, A)
  • Technical room is locked and access restricted to authorized persons only (Offices Berlin & Munich) (C, I, A)
  • Mobile Working Policy (C, I, A)

2. Admission Control

  • Documented application procedures for user account identification with issuing authority (4-eyes-principle) (C, I)
  • Assignment of personalized usernames and accounts; account sharing and generic accounts (e.g. “admin”) are prohibited (C, I)
  • Guidelines for the secure handling of passwords (C, I, A)
  • Documented password recovery procedure (C, I)
  • Multiple failed login attempts in IAM result in account lockout which must be unlocked by IT Operations (C, I, A)
  • Access to productive backend systems for authorized administrators only (C, I, A)
  • 2-factor-authentication for admin accounts (C, I)
  • Remote access via password-protected SSH keys on Linux systems (C, I)
  • Instructions for setting up a password-protected screen lock that activates after at most 15 minutes of idle time (C, I)
  • Regular sanity checks on user account configurations (C, I, A)
  • Usage of firewall appliances (C, I, A)
  • Access to the office network only possible via VPN (C, I, A)

3. Logical Access Control

  • Assignment of user permissions must follow formal procedures including application and approval instances (C, I)
  • Limitation of user permissions (need-to-know principle) (C)
  • Role-based access control. Employees are granted user permissions based on pre-defined default profiles. All default profiles are described in and part of a global authorization concept. Additional user permissions must be approved by the management (C, I)
  • Regular sanity check on account permissions (C, I, A)
  • Clean Desk Policy and Deletion and Destruction Process (C, I, A)
  • Firewall appliances for network segmentation (C, I, A)
  • Backend systems are only accessible via VPN (C, I, A)
  • Regular penetration tests and security scans (C, I, A)
  • Regular, partly automated, security update procedures (C, I, A)

4. Separation Control

  • Data collected for different purposes and data of different clients are stored and processed separately by logical access control (C, I)
  • Productive data sets are strictly separated from test data sets (C, I)
  • Function separation possible by user profiles (C, I)

5. Transfer Control

  • File encryption of data being transferred (password-protected ZIP or RAR files with AES-256 encryption; passwords are conveyed in person, via telephone or via text message (SMS); minimum password length of 12 characters) (C, I)
  • Ban on mobile removable storage devices (C, I)
  • Full disk encryption on all laptops (C, I)
  • Encryption at rest and of all backups with AES-256 (C, I, A)
  • Encryption of data transfer with TLS 1.2 (C, I)
  • Data protection compliant destruction of data storage devices (C, I)
  • Rules for e-mail handling, use of virus protection software, firewalls and usage of VPNs (C, I)

6. Input Control

  • System-wide event logs that record all file modifications by a specific user with time stamps (I)
  • System and network access logs (I)
  • Least-privilege permissions ensure that unauthorized persons cannot enter, modify or delete data (C, I, A)

7. Availability and Resilience Control

  • Business Continuity Plan (A)
  • Comprehensive backup and recovery concept (A)
  • Fire protection measures and fire detection measures (A)
  • Multiple internet connections for redundancy (A)
  • Use of anti-virus software (C, I, A)
  • Health monitoring of IT-components and IT-services (A)
  • Change management procedures that make all changes traceable (I)

8. Regular Tests, Assessments and Evaluations

  • Third-party certifications, audits, compliance checks and assessments including but not limited to ISO 27001, SOC 2 Type 2, TISAX Level 2, Cyber Essentials UK, HIPAA, HDS, and external penetration testing (C, I, A)
  • All employees are bound to data secrecy and are regularly instructed in the provisions of the laws relevant to data protection (in particular GDPR) (C)
  • Technical documentation and work instructions describe and regulate processes relevant to data protection (C)
  • The external data protection officer regularly monitors internal compliance with the data protection regulations (C, I, A)
  • Subcontractors are carefully selected and regularly reviewed (C, I, A)
  • A record of the processing activities is maintained and regularly revised (C)
  • If necessary, data protection impact assessments will be carried out (C, I)
  • Notification processes are defined for data protection breaches according to Art. 33 GDPR (C)
  • Notification processes are defined for data protection breaches according to Art. 34 GDPR (C)
  • Where commercetools acts as data processor, commercetools undertakes to support the notification processes of the data controller in the event of data protection breaches (Art. 28 Par. 3 lit. f GDPR) (C)
  • commercetools products are designed in such a way that data protection-friendly basic settings are preset when new accounts are created (C)
  • Key performance indicators (KPIs) in the basic settings of the products are only evaluated in anonymous form (C)
  • In certain processes, personal data is managed separately from standardized processing runs (C, I)
  • Data protection-friendly default settings and automated processes ensure that data is deleted as soon as the purpose of its storage no longer applies (C, I)
  • Appointment of an external Data Protection Officer who supervises all relevant data processing procedures (C, I, A)
  • Employees must sign obligation to data secrecy (C)
  • Non-Disclosure-Agreements for service providers (C)
  • Organizational instructions and security policies for handling IT systems and data (C, I, A)
  • Regular training sessions for employees on data protection and information security as well as the correct handling of personal data (C, I, A)
  • Data protection agreements with data processors include detailed information about the nature and extent of the agreed processing procedures (C, I, A)
  • Data protection agreements with third parties contain detailed information on the purpose of the personal data of the data controller and a prohibition on use by the service provider outside the scope of the written order (C, I, A)