Trust Center

Our success is dependent on your trust

We are committed to being responsible, trustworthy custodians of our customers’ data. We believe that you have the right to know where we store your data, how we manage and how we use it.

Download Whitepaper
commercetools Technology Trust Center

Security Culture

Information security plays a very important role for commercetools, as well as for our customers and partners. This is due to a high dependency on efficient and available information processing.

To this end, a framework of governance, risk management and compliance monitoring has been established, based on industry standards and applicable data protection laws. Information security is, therefore, an integral part of the commercetools corporate strategy.

Security Culture


Managing customer data responsibly is of the utmost importance. The commercetools platform has been built as a truly cloud-native, multi-tenancy platform and runs in certified data centers at several locations in Europe, the US and APAC. The entire infrastructure, development and processes take full advantage of state-of-the-art cloud functionality.

Physical Security

Data center: The commercetools platform is hosted on Google Cloud Platform (GCP) or Amazon Web Services (AWS) and guarantees the implementation of measures according to the red security level. Both cloud service providers operate state-of-the-art data centers that focus on security and protection of data among the primary design criteria. This is demonstrated by ISO/IEC 27001 certificate and SOC II reports.

Offices: The access to commercetools offices is restricted and monitored by the reception who are also responsible for visitor management. According to the security zone concept, some areas are locked, and visitors must be guided by employees.

Network Security

The cloud traffic is protected by pre-configured WAF rules from our cloud service providers and the traffic to the commercetools platform is encrypted by state-of-the-art ciphers only.

All access to the commercetools office network is controlled, limited and monitored and the whole communication is encrypted by using WPA2 with AES-256-bit key. The implemented firewall enables scalable and centralized management of multiple endpoints.

Platform Security

All communications are only available via HTTPS and are secured by TLS 1.2. The storage layer (hard disk) is encrypted with AES-256. All user passwords are securely encrypted with state-of-the-art algorithms; never stored in plain text. The platform is continuously scanned for open ports and weak SSL certificates/configuration. Full isolation and segregation of persistent data are ensured and checked by regular penetration tests.

Training and Awareness

commercetools requires all employees and contractors to sign a confidentiality agreement before commencement. Security and Privacy awareness training is regularly delivered to all commercetools members.

Backup and Recovery

commercetools utilizes geographically separate environments to ensure protection from data loss, provide reliability and constant uptime of our systems. Backups are encrypted and stored on different storage media than production.

Operational Security

We have implemented policies and procedures, managed by our Information Security Management System (ISMS). The Information Security Officer coordinates and reviews all areas of our ISMS to continuously improve effectiveness and efficiency.


commercetools is a visionary composable commerce platform best suited for microservices architecture. commercetools enables businesses to create seamless shopping experiences across all digital touchpoints, such as smartphones, tablets and mobile devices like smartwatches and digital PoS. The SaaS (software-as-a-service) solution is deployed containerized and has the same structure regardless of the cloud service provider (GCP or AWS). Full auto-scaling provides very high availability.

Business Continuity Management (BCM)

The goal of our Business Continuity Management is to ensure that the required services can be recovered within defined and agreed business timescales. The implemented business continuity plan identifies an organization’s exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization. The plan includes activities under adverse circumstances, such as natural disasters, organized crime or human failure, to keep the day-to-day business going.

Business Continuity Management (BCM)

Performance Management

The goal of Performance Management is to optimize the capability of the infrastructure, services and supporting organization to deliver a cost-effective and sustained level of availability and reliability that enables the customer to satisfy their business objectives. Due to the distributed, cloud-native and asynchronous architecture of the commercetools platform, there is the possibility to auto-scale as overall platform load across all customers is increasing.

commercetools Technology Trust Center Performance Management

Change Management Process

A change can be requested by the customer via support ticket, initiated by the Platform Support Team, or suggested internally to improve a component, process, or to resolve a bug. All development of platform and infrastructure is pushed through automated CI/CD pipelines in appropriate development and test environments. Several reviews and approvals are required to further deploy the code to environments through to production.

commercetools Technology Trust Center Change Management Process


Before new suppliers are onboarded, a verification of the same protection level is carried out and technical and organizational measures are documented. Our most important subcontractors are our cloud service providers.

Our cloud service providers are regularly subject to independent verification of their security, privacy and compliance controls, achieving certifications, attestations of compliance or audit reports against standards around the world.

Google Cloud Compliance

AWS Compliance Program

Humio Compliance

commercetools Technology Trust Center Compliance

Want to know more?

commercetools also continuously undergoes independent verification of platform security, privacy and compliance controls. Our strong and growing focus on standard conformance and compliance will help you meet your regulatory and policy objectives.

The audit reports can be requested with a signed NDA. Please contact your sales contact or send your request to see the audit reports to

Join the Composable Commerce Revolution

ISO 27001

ISO 27001

ISO 27001 is an international standard, developed by the International Organization for Standardization (ISO), that sets rigorous requirements for managing information and ensuring its confidentiality, integrity and availability. TÜV Rheinland, an independent auditor, has verified that our Information Security Management System (ISMS) meets or exceeds the requirements of ISO 27001.

commercetools Technology Trust Center Tisax


We are TISAX-certified in the modules “Handling of Information with High Protection Level” and “Handling of Personally Identifiable Information according to Article 28 of the EU General Data Protection Regulation.” 

TISAX stands for Trusted Information Security Assessment Exchange, an exchange mechanism for the information security assessments of enterprises, which is operated by ENX Association as a common trust anchor. The basis is an assessment with a clearly defined scope of services, which is equally suitable and binding to all organizations across the entire value-added chain of the automotive industry. 



commercetools meets SOC II standards, demonstrating our commitment to a secure, reliable and compliant service environment. A SOC II (System and Organization Controls) report addresses relevant controls for operational compliance, based on AICPA's Trust Services Criteria (TSC). Verified by independent auditors, our compliance with this renowned US standard highlights our dedication to protecting client information and privacy within our cloud-native infrastructure. Our continuous monitoring and robust control measures ensure uninterrupted availability, processing integrity and confidentiality.

commercetools Technology Trust Center GDPR Logo


We are GDPR-compliant, verified by external audits. The General Data Protection Regulation (GDPR) aims to strengthen personal data protection in Europe, and affects the way we all do business. Compliance with GDPR is a top priority for commercetools and our customers.

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA (Health Insurance Portability and Accountability Act)

commercetools implements all the necessary safeguards as a Business Associate to allow organizations that are Covered Entities to process protected health information (PHI) through the composable commerce platform. Our HIPAA compliance is affirmed by third-party security risk assessments, adoption of industry standards and established frameworks, direct alignment with the guidance set by the US Department of Health & Human Services, technical, administrative and physical controls, as well as continuous internal training. 

commercetools is committed to powering secure and exceptional commerce and patient experiences for all types of healthcare and life sciences customers.

HDS (Hébergeur de Données de Santé)

HDS (Hébergeur de Données de Santé)

As an IT-managed service provider, commercetools holds the HDS certification for the scope of personal health data management, which is a requirement by the French Public Health Code for handling personal health information (Hébergeur de Données de Santé). This certification underscores our commitment to securely managing health data and affirms our meticulous approach to data protection.

commercetools Technology Trust Center Cyber Essentials

Cyber Essentials

commercetools complies with the requirements of the Cyber Essentials Scheme. Cyber Essentials is a scheme backed by the UK Government that is intended to help protect organizations of all sizes against a whole range of the most common cyber attacks.


Management Processes

Our data protection management system has been integrated into our information security management system and they are based on the controls ISO/IEC 27001 and ISO/IEC 27701. Both management systems are centrally managed and regularly checked as part of internal and external audits.

Security of Data Processing Activities

Service provider/processor will implement appropriate technical and organizational measures (TOMs) to secure information.

Data Deletion

Data controller deletion requests are executed upon instruction. Deletion concepts for internal business data have been implemented.

Data Processing Agreement

The GDPR requires data controllers (such as organizations using the commercetools platform) to only use data processors (commercetools) that provide sufficient guarantees to meet the requirements of GDPR Article 28. The data processing agreement can be requested at

Data Protection Officer

commercetools has assigned an external Data Protection Officer who works closely with the internal Data Protection Coordinator. Get in touch via email:

International Data Transfer

Like previously applicable EU data protection law, the GDPR requires companies to use a recognized legal mechanism for the transfer of data from the EU to other countries that do not provide a similar framework for data protection. EU standard clauses have been agreed with all processors outside the EU.

Compliant with GDPR, CCPA and Australia Privacy Act

Privacy is such an important aspect of our lives and affects the way we all do business. Compliance with a number of privacy laws worldwide is a top priority for commercetools and our customers.