Technical and Organizational Measures as Processor

Last Updated: 17 July 2024

The following technical and organizational measures according to Art. 32 GDPR concern the protection of data processed by commercetools in its role as a data processor.

The technical and organizational measures of the cloud providers used by commercetools can be reviewed here:

Google: https://cloud.google.com/security/compliance

AWS: https://aws.amazon.com/de/compliance/programs/

Azure: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

The following abbreviations are used in this document: C=Confidentiality, I=Integrity, A=Availability.

If Offices are not explicitly named, the measures apply generally.

1. Access Control
  • Access to office premises with key token (Offices Durham, Berlin & Munich) (C, I, A)

  • Formal documentation of key and key token distribution procedures (Offices Durham, Berlin & Munich) (I)

  • Action defined in case of loss of key token or cylinder key (Offices Durham, Berlin & Munich) (C, I, A)

  • Guidelines for the presence of visitors (visitor management) (Offices Durham, Berlin & Munich) (C, I, A)

  • Documents with personal data must be stored in lockable furniture during absence and after business hours, according to the security zone concept (Offices Durham, Berlin & Munich) (C, I, A)

  • Burglar alarm to protect all access areas after business hours (Offices Durham, Berlin & Munich) (C, I, A)

  • Security Zone Concept (Access Management) (Offices Durham, Berlin & Munich) (C, I, A)

  • Lockable office rooms (Offices Durham, Berlin & Munich) (C, I, A)

  • Technical room is locked and access restricted to authorized persons only (Offices Durham, Berlin & Munich) (C, I, A)

  • Mobile Working Policy (C, I, A)

2. Admission Control
  • Documented application procedures for user account identification, with an issuing authority (four-eyes principle) (C, I)

  • Assignment of personalized usernames and accounts; account sharing and generic accounts (e.g. “admin”) are prohibited (C, I)

  • Guidelines for the secure handling of passwords (C, I, A)

  • Documented password recovery procedure (C, I)

  • Multiple failed login attempts in IAM result in account lockout which must be unlocked by IT Operations (C, I, A)

  • Access to productive backend systems for authorized administrators only (C, I, A)

  • 2-factor-authentication for admin accounts (C, I)

  • Remote access via password protected SSH keys on Linux systems (C, I)

  • Instructions for setting up a password-protected screen lock that activates after at most 15 minutes of idle time (C, I)

  • Regular sanity checks on user account configurations (C, I, A)

  • Usage of firewall appliances (C, I, A)

  • Access to the office network only possible via VPN (C, I, A)

3. Logical Access Control
  • Assignment of user permissions must follow formal procedures, including application and approval instances (C, I)

  • Limitation of user permissions (need-to-know principle) (C)

  • Role-based access control: employees are granted user permissions based on pre-defined default profiles. All default profiles are described in, and form part of, a global authorization concept. Additional user permissions must be approved by the management (C, I)

  • Regular sanity check on account permissions (C, I, A)

  • Clean Desk Policy and Deletion and Destruction Process (C, I, A)

  • Firewall appliances for network segmentation (C, I, A)

  • Backend systems are only accessible via VPN (C, I, A)

  • Regular penetration tests and security scans (C, I, A)

  • Regular, partly automated, security update procedures (C, I, A)

4. Separation Control
  • Data collected for different purposes and data of different clients are stored and processed separately by means of logical access control (C, I)

  • Productive data sets are strictly separated from test data sets (C, I)

  • Function separation possible by user profiles (C, I)

5. Transfer Control
  • File encryption of data being transferred: password-protected ZIP or RAR files with AES-256 encryption; passwords are conveyed in person, by telephone or by text message (SMS); minimum password length of 12 characters (C, I)

  • Ban on mobile removable storage devices (C, I)

  • Full disk encryption on all laptops (C, I)

  • Encryption at rest and of all backups with AES-256 (C, I, A)

  • Encryption of data in transit with TLS 1.2 (C, I)

  • Data protection-compliant destruction of data storage devices (C, I)

  • Rules for e-mail handling, use of virus protection software, firewalls and usage of VPNs (C, I)

6. Input Control
  • System-wide event logs that record all file modifications by a specific user, with timestamps (I)

  • System and network access logs (I)

  • Least-privilege permissions ensure that unauthorized persons cannot enter, modify or delete data (C, I, A)

7. Availability and Resilience Control
  • Business Continuity Plan (A)

  • Comprehensive backup and recovery concept (A)

  • Fire protection measures and fire detection measures (A)

  • Multiple internet connections for redundancy (A)

  • Use of anti-virus software (C, I, A)

  • Health monitoring of IT-components and IT-services (A)

  • Change management procedures that make all changes traceable (I)
</gml_replace>
<gr_replace lines="128" cat="clarify" orig="8. Regularly Tests">
8. Regular Tests, Assessments and Evaluations

8. Regularly Tests, Assessments and Evaluations
  • All employees are bound to data secrecy and are regularly instructed in the provisions of the laws relevant to data protection (in particular GDPR) (C)

  • Technical documentation and work instructions describe and regulate processes relevant to data protection (C)

  • The external data protection officer regularly monitors internal compliance with the data protection regulations (C, I, A)

  • Subcontractors are carefully selected and regularly reviewed (C, I, A)

  • A record of the processing activities is maintained and regularly revised (C)

  • If necessary, data protection impact assessments will be carried out (C, I)

  • Notification processes are defined for data protection breaches according to Art. 33 GDPR (C)

  • Notification processes are defined for data protection breaches according to Art. 34 GDPR (C)

  • Where commercetools acts as data processor, commercetools undertakes to support the notification processes of the data controller in the event of data protection breaches (Art. 28 Par. 3 lit. f GDPR) (C)

  • commercetools products are designed in such a way that data protection-friendly basic settings are preset when new accounts are created (C)

  • Key performance indicators (KPIs) in the basic settings of the products are only evaluated in anonymous form (C)

  • In certain processes, personal data is managed separately from standardized processing runs (C, I)

  • Data protection-friendly default settings and automated processes ensure that data is deleted as soon as the purpose of its storage has become obsolete (C, I)

  • Appointment of an external Data Protection Officer who supervises all relevant data processing procedures (C, I, A)

  • Employees must sign an obligation to data secrecy (C)

  • Non-disclosure agreements for service providers (C)

  • Organizational instructions and security policies for handling IT systems and data (C, I, A)

  • Regular training sessions for employees on data protection and information security as well as the correct handling of personal data (C, I, A)

  • Data protection agreements with data processors include detailed information about the nature and extent of the agreed processing procedures (C, I, A)

  • Data protection agreements with third parties contain detailed information on the purpose of the data controller's personal data and a prohibition on use by the service provider outside the scope of the written order (C, I, A)