Trust Center Our success is dependent on your trust

We are committed to being responsible, trustworthy custodians of our customers’ data. We believe that you have the right to know where we store your data, how we manage and how we use it.

Download Whitepaper
commercetools Technology Trust Center

Security Culture

Information security plays a very important role for commercetools, as well as for our customers and partners. This is due to a high dependency on efficient and available information processing.

To this end, a framework of governance, risk management and compliance monitoring has been established, based on industry standards and applicable data protection laws. Information security is, therefore, an integral part of the commercetools corporate strategy.



commercetools Technology Trust Center Security Culture

Security

Managing customer data responsibly is of the utmost importance. The commercetools platform has been built as a truly cloud-native, multi-tenancy platform and runs in certified data centers at several locations in Europe, the US and APAC. The entire infrastructure, development and processes take full advantage of state-of-the-art cloud functionality.

Physical Security

Data center: The commercetools platform is hosted on Google Cloud Platform (GCP) or Amazon Web Services (AWS) and guarantees the implementation of measures according to the red security level. Both cloud service providers operate state-of-the-art data centers that focus on security and protection of data among the primary design criteria. This is demonstrated by ISO/IEC 27001 certificate and SOC II reports.

Offices: The access to commercetools offices is restricted and monitored by the reception who are also responsible for visitor management. According to the security zone concept, some areas are locked, and visitors must be guided by employees.

Network Security

The cloud traffic is protected by pre-configured WAF rules from our cloud service providers and the traffic to the commercetools platform is encrypted by state-of-the-art ciphers only.

All access to the commercetools office network is controlled, limited and monitored and the whole communication is encrypted by using WPA2 with AES-256-bit key. The implemented firewall enables scalable and centralized management of multiple endpoints.

Platform Security

All communications are only available via HTTPS and are secured by TLS 1.2. The storage layer (hard disk) is encrypted with AES-256. All user passwords are securely encrypted with state-of-the-art algorithms; never stored in plain text. The platform is continuously scanned for open ports and weak SSL certificates/configuration. Full isolation and segregation of persistent data are ensured and checked by regular penetration tests.

Training and Awareness

commercetools requires all employees and contractors to sign a confidentiality agreement before commencement. Security and Privacy awareness training is regularly delivered to all commercetools members.

Backup and Recovery

commercetools utilizes geographically separate environments to ensure protection from data loss, provide reliability and constant uptime of our systems. Backups are encrypted and stored on different storage media than production.

Operational Security

We have implemented policies and procedures, managed by our Information Security Management System (ISMS). The Information Security Officer coordinates and reviews all areas of our ISMS to continuously improve effectiveness and efficiency.

Reliability

commercetools is a visionary headless commerce platform best suited for microservices architecture. commercetools enables businesses to create seamless shopping experiences across all digital touchpoints, such as smartphones, tablets and mobile devices like smartwatches and digital PoS. The SaaS (software-as-a-service) solution is deployed containerized and has the same structure regardless of the cloud service provider (GCP or AWS). Full auto-scaling provides very high availability.

Business Continuity Management (BCM)

The goal of our Business Continuity Management is to ensure that the required services can be recovered within defined and agreed business timescales. The implemented business continuity plan identifies an organization’s exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization. The plan includes activities under adverse circumstances, such as natural disasters, organized crime or human failure, to keep the day-to-day business going.

commercetools Technology Trust Center Business Continuity Management (BCM)

Performance Management

The goal of Performance Management is to optimize the capability of the infrastructure, services and supporting organization to deliver a cost-effective and sustained level of availability and reliability that enables the customer to satisfy their business objectives. Due to the distributed, cloud-native and asynchronous architecture of the commercetools platform, there is the possibility to auto-scale as overall platform load across all customers is increasing.

commercetools Technology Trust Center Performance Management

Change Management Process

A change can be requested by the customer via support ticket, initiated by the Platform Support Team, or suggested internally to improve a component, process, or to resolve a bug. All development of platform and infrastructure is pushed through automated CI/CD pipelines in appropriate development and test environments. Several reviews and approvals are required to further deploy the code to environments through to production.

commercetools Technology Trust Center Change Management Process

Compliance

Before new suppliers are onboarded, a verification of the same protection level is carried out and technical and organizational measures are documented. Our most important subcontractors are our cloud service providers.

Our cloud service providers are regularly subject to independent verification of their security, privacy and compliance controls, achieving certifications, attestations of compliance or audit reports against standards around the world.

Google Cloud Compliance

AWS Compliance Program

commercetools Technology Trust Center Compliance

Want to know more?

commercetools also continuously undergoes independent verification of platform security, privacy and compliance controls. Our strong and growing focus on standard conformance and compliance will help you meet your regulatory and policy objectives.

The audit reports can be requested with a signed NDA. Please contact your sales contact or send your request to see the audit reports to security@commercetools.com.



commercetools Technology Trust Center Tisax

Tisax

We are TISAX-certified in the modules “Handling of Information with High Protection Level” and “Handling of Personally Identifiable Information according to Article 28 of the EU General Data Protection Regulation.” TISAX stands for Trusted Information Security Assessment Exchange, a mechanism for the exchange of testing information, which is operated by ENX Association as a common trust anchor. The basis is an assessment with a clearly defined scope of services, which is equally suitable and binding to all organizations across the entire value-added chain of the automotive industry. The duration of a test is dependent on the size and number of locations of the organization.

commercetools Technology Trust Center ISAE3000

ISAE3000

We are ISAE3000-certified in the areas of information security and data protection. ISAE 3000 is the standard for assurance over non-financial information. ISAE 3000 is issued by the International Federation of Accountants (IFAC). The standard consists of guidelines for the ethical behavior, quality management and performance of an ISAE 3000 engagement. Generally, ISAE 3000 is applied for audits of internal control, sustainability and compliance with laws and regulations.

commercetools Technology Trust Center GDPR Logo

GDPR

We are GDPR-compliant, verified by external audits. The General Data Protection Regulation (GDPR) aims to strengthen personal data protection in Europe, and affects the way we all do business. Compliance with GDPR is a top priority for commercetools and our customers.

Privacy

Management Processes

Our data protection management system has been integrated into our information security management system and they are based on the controls ISO/IEC 27001 and ISO/IEC 27701. Both management systems are centrally managed and regularly checked as part of internal and external audits.

Security of Data Processing Activities

Service provider/processor will implement appropriate technical and organizational measures (TOMs) to secure information.

Data Deletion

Data controller deletion requests are executed upon instruction. Deletion concepts for internal business data have been implemented.

Data Processing Agreement

The GDPR requires data controllers (such as organizations using the commercetools platform) to only use data processors (commercetools) that provide sufficient guarantees to meet the requirements of GDPR Article 28. The data processing agreement can be requested at privacy@commercetools.com.

Data Protection Officer

commercetools has assigned an external Data Protection Officer who works closely with the internal Data Protection Coordinator. Get in touch via email: privacy@commercetools.com.

International Data Transfer

Like previously applicable EU data protection law, the GDPR requires companies to use a recognized legal mechanism for the transfer of data from the EU to other countries that do not provide a similar framework for data protection. EU standard clauses have been agreed with all processors outside the EU.

Compliant with GDPA, CCPA and Australia Privacy Act

Privacy is such an important aspect of our lives and affects the way we all do business. Compliance with a number of privacy laws worldwide is a top priority for commercetools and our customers.