// Trust & Security Report
BigCommerce Pty. Ltd. (trading as Commerce; NASDAQ: CMRC)
Enterprise e-commerce platform (SaaS) with composable commerce, B2B/B2C, multichannel, headless capabilities. Sub-products: Feedonomics (product feed management), Makeswift (visual site builder).
Certifications held
14
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on bigcommerce.com“BigCommerce completed independent audits and obtained attestation reports verifying their data security practices. SOC 2 Type 1 certification achieved July 26, 2022, affirming security, availability, and confidentiality meet AICPA trust principles.”
Verify on bigcommerce.com“BigCommerce achieved SOC 2 Type 2 certification on July 26, 2022, demonstrating sustained compliance with security, availability, and confidentiality trust service criteria over an audit period.”
Verify on security.bigcommerce.com“SOC 3 certification is listed as current on the Platform Trust Center, indicating summary-level SOC report availability.”
Verify on bigcommerce.com“ISO/IEC 27001:2022 certification achieved April 16, 2019 (originally ISO/IEC 27001:2013), making BigCommerce one of the first SaaS ecommerce platforms to achieve this rigorous information security management certification.”
Verify on security.bigcommerce.com“ISO/IEC 27017:2015 certified, addressing cloud-specific information security controls.”
Verify on security.bigcommerce.com“ISO/IEC 27018:2019 certified, ensuring protection of personally identifiable information (PII) in cloud computing environments.”
Verify on bigcommerce.com“ISO/IEC 27701 Privacy Information Management System certification strengthens privacy and data protection management. Announced as part of privacy and business continuity enhancements.”
Verify on bigcommerce.com“ISO/IEC 22301 Business Continuity Management System certification demonstrates resilience and continuity planning capabilities.”
Verify on commerce.com“ISO 9001:2015 Quality Management certification achieved September 2025, affirming consistent product delivery and customer satisfaction per international best practices.”
Verify on commerce.com“ISO/IEC 42001:2023 Artificial Intelligence Management System certification achieved September 2025. CISO Dan Holden stated: 'These certifications are backed by comprehensive audits twice each year and provide assurance that the company will not train AI models using merchant data.' Awarded by Coalfire.”
Verify on security.bigcommerce.com“PCI DSS v4.0.0 Level 1 Attestation of Compliance as both Merchant and Service Provider, confirming payment card data security standards.”
Verify on commerce.com“Platform confirmed as GDPR compliant with EU-US Data Privacy Framework (DPF) certification. Data Processing Addendum explicitly restricts use of personal data to service delivery only: 'A Commerce Entity shall act as Processor and Process the Personal Data only to provide the Services, on Customer's documented instructions.'”
Verify on commerce.com“California Consumer Privacy Act compliance confirmed in Data Processing Addendum: 'the Commerce Entity will not Sell or Share Personal Data of California residents.'”
Verify on security.bigcommerce.com“California Privacy Rights Act compliance listed on Platform Trust Center with CCPA/CPRA protections for California residents.”
> Show 1 unconfirmed / not-held certifications
source: support.bigcommerce.comBigCommerce services are explicitly not intended to process protected health information (PHI) as defined by HIPAA. Per help center: BigCommerce does not offer HIPAA compliance. The platform can support healthcare businesses through integrations with compliant systems, but does not itself hold a BAA or provide HIPAA-compliant data processing.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region: USA (primary), Germany, Australia available via Google Cloud infrastructure. AWS and Google Cloud used for data hosting. Data can be transmitted internationally including to the United States. No explicit data residency isolation options documented.
ISO/IEC 42001:2023 certification (September 2025) explicitly confirms BigCommerce will NOT train AI models using merchant data. Data Processing Addendum prohibits use of personal data beyond service delivery. No provisions for AI training or machine learning on customer data found in contractual documentation.
// Security controls
Encryption in Transit
Encryption implemented; specific protocols (TLS version) not disclosed in public documentation
commerce.comEncryption at Rest
Encryption at rest implemented; specific algorithms and key management not disclosed in public documentation
commerce.comInfrastructure
Multi-datacenter architecture (minimum 2 data centers + 1 backup), High Availability (HA) with 99.99% uptime SLA. Hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP). Cloudflare for DDoS protection and CDN.
commerce.comAccess Controls
Access controls, firewalls, network segmentation, and role-based permissions implemented. NIST Cybersecurity Framework and NIST 800-53 Rev. 5 aligned.
commerce.comVulnerability Management
Annual penetration testing and vulnerability assessments conducted; PCI-DSS compliance audits performed.
commerce.comMonitoring & Incident Response
24/7 monitoring via Sentry I/O, NewRelic, Sumo Logic, and Sysdig. Comprehensive audit logging and security monitoring.
commerce.comData Residency
Multi-region architecture with primary infrastructure in USA; secondary regions available through Google Cloud (Germany, Australia). Data may be transmitted internationally per privacy policy.
commerce.com// Products & data scope
data: Merchant store data, customer data (orders, accounts, preferences), product catalog, inventory, transaction data
Available in Standard, Plus, Pro, and Enterprise tiers. B2C and B2B capabilities. Supports multichannel and multi-storefront deployments.
data: Product catalog data, marketplace feed data, syndication data
Syncs product data across 150+ marketplaces and advertising channels. Separate sub-product with its own data processing.
data: Site design data, configuration, visual elements
Drag-and-drop builder for storefronts and landing pages. Integrates with BigCommerce platform.
// What to watch
- HIPAA not supported: BigCommerce explicitly does not offer HIPAA compliance and is not suitable for healthcare data processing.
- Multi-cloud architecture: Reliance on both AWS and Google Cloud introduces subprocessor dependency chain; both are SOC 2 certified but increases complexity.
- Data residency: No explicit single-region data residency or data isolation guarantee; suitable for most global commerce but not for strict data localization requirements.
- AI governance leading-edge: ISO 42001 certification (Sept 2025) is among first in industry; explicitly prohibits AI training on merchant data, which is a strong privacy posture.
// At a glance
Pricing model
Subscription (SaaS) with tiered pricing (Standard, Plus, Pro, Enterprise) based on usage/GMV. Enterprise plans available.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on BigCommerce Pty. Ltd. (trading as Commerce; NASDAQ: CMRC)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.bigcommerce.com