Trust Center2021-01-14T22:30:20+01:00

Our success is dependent on your trust.

We are committed to being responsible, trustworthy custodians of our customers’ data. We believe that you have the right to know where we store your data, how we manage, and how we use it.

Download the Whitepaper

Information security plays a very important role for commercetools, as well as for our customers and partners. This is due to a high dependency on efficient and available information processing.

To this end, a framework of governance, risk management and compliance monitoring has been established, based on industry standards and applicable data protection laws. Information security is therefore an integral part of the commercetools corporate strategy.

Physical Security

Read more

Network Security

Read more

Platform Security

Read more

Training and Awareness

Read more

Backup and Recovery

Read more

Operational Security

Read more


commercetools is a visionary headless commerce platform best suited for microservices architecture. commercetools enables businesses to create seamless shopping experiences across all digital touchpoints such as smartphones, tablets, mobile devices like smartwatches and digital PoS. The SaaS (software-as-a-service) solution is deployed containerized and has the same structure regardless of the cloud service provider (GCP or AWS). Full auto-scaling provides very high availability.

Business Continuity Management (BCM)

The goal of our Business Continuity Management is to ensure that the required services can be recovered within defined and agreed business timescales. The implemented business continuity plan identifies an organization’s exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization. The plan includes activities under adverse circumstances such as natural disasters, organized crime or human failure, to keep the day-to-day business going.

Performance Management

The goal of Performance Management is to optimize the capability of the infrastructure, services and supporting organization to deliver a cost-effective and sustained level of availability and reliability that enables the customer to satisfy their business objectives. Due to the distributed, cloud-native and asynchronous architecture of the commercetools platform, there is the possibility to auto-scale as overall platform load across all customers is increasing.

Change Management Process

A change can be requested by the customer via support ticket, initiated by the Platform Support Team, or suggested internally to improve a component, process, or to resolve a bug. All development of platform and infrastructure is pushed through automated CI/CD pipelines in appropriate development and test environments. Several reviews and approvals are required to further deploy the code to environments through to production.


Before new suppliers are onboarded, a verification of the same protection level is carried out and technical and organizational measures are documented. Our most important subcontractors are our cloud service providers.

Our cloud service providers are regularly subject to independent verification of their security, privacy, and compliance controls, achieving certifications, attestations of compliance or audit reports against standards around the world.

Google Cloud compliance
AWS Compliance program
Group 8

commercetools also continuously undergoes independent verification of platform security, privacy and compliance controls. Our strong and growing focus on standard conformance and compliance will help you meet your regulatory and policy objectives.

The audit reports can be requested with signed NDA. Please contact your sales contact or send your request to see the audit reports to

commercetools trust center tisax

We are TISAX certified in the modules “Handling of Information with High Protection Level” and “Handling of Personally Identifiable Information according to Article 28 of the EU General Data Protection Regulation” TISAX stands for Trusted Information Security Assessment Exchange, a mechanism for the exchange of testing information which is operated by ENX Association as a common trust anchor. The basis is an assessment with a clearly defined scope of services which is equally suitable and binding to all organizations across the entire value-added chain of the automotive industry. The duration of a test is dependent on the size and number of locations of the organization.


Read more
commercetools trust center isae 3000

We are ISAE3000 certified in the areas of information security and data
protection. ISAE 3000 is the standard for assurance over non-financial information. ISAE 3000 is issued by the International Federation of Accountants (IFAC). The standard consists of guidelines for the ethical behavior, quality management and performance of an ISAE 3000 engagement. Generally, ISAE 3000 is applied for audits of internal control, sustainability and compliance with laws and regulations.


Read more
commercetools trust center gdpr

We are GDPR compliant, verified by external audits. The General Data Protection Regulation (GDPR) aims to strengthen personal data protection in Europe, and affects the way we all do business. Compliance with GDPR is a top priority for commercetools and our customers.


Read more


Management Processes2020-12-23T05:24:13+01:00

Our data protection management system has been integrated into our information security management system and they are based on the controls ISO/IEC 27001 and ISO/IEC 27701. Both management systems are centrally managed and regularly checked as part of internal and external audits.

Security of Data Processing Activities2020-12-23T05:23:59+01:00

Service provider/processor will implement appropriate technical and organizational measures (TOMs) to secure information.

Data Deletion2020-12-23T05:23:45+01:00

Data controller deletion requests are executed upon instruction.
Deletion concepts for internal business data have been implemented.

Data Processing Agreement2020-12-23T05:23:31+01:00

The GDPR requires data controllers (such as organizations using the commercetools platform) to only use data processors (commercetools) that provide sufficient guarantees to meet the requirements of GDPR Article 28. The data processing agreement can be requested at

Data Protection Officer2020-12-23T05:23:16+01:00

commercetools has assigned an external Data Protection Officer who works closely with the internal Data Protection Coordinator. Get in touch via email:

International Data Transfer2020-12-23T05:22:45+01:00

Like previously applicable EU data protection law, the GDPR requires companies to use a recognized legal mechanism for the transfer of data from the EU to other countries that do not provide a similar framework for data protection. EU standard clauses have been agreed with all processors outside the EU.

Compliant with GDPA, CCPA and Australia Privacy Act2020-12-23T05:22:28+01:00

Privacy is such an important aspect of our lives and affects the way we all do business. Compliance with a number of privacy laws worldwide is a top priority for commercetools and our customers.“

Go to Top