// Trust & Security Report

    BigCommerce Pty. Ltd. (trading as Commerce; NASDAQ: CMRC) logo

    BigCommerce Pty. Ltd. (trading as Commerce; NASDAQ: CMRC)

    Enterprise e-commerce platform (SaaS) with composable commerce, B2B/B2C, multichannel, headless capabilities. Sub-products: Feedonomics (product feed management), Makeswift (visual site builder).

    Certifications held

    14

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 1
    HELD

    BigCommerce completed independent audits and obtained attestation reports verifying their data security practices. SOC 2 Type 1 certification achieved July 26, 2022, affirming security, availability, and confidentiality meet AICPA trust principles.

    Verify on bigcommerce.com
    SOC 2 Type 2
    HELD

    BigCommerce achieved SOC 2 Type 2 certification on July 26, 2022, demonstrating sustained compliance with security, availability, and confidentiality trust service criteria over an audit period.

    Verify on bigcommerce.com
    SOC 3
    HELD

    SOC 3 certification is listed as current on the Platform Trust Center, indicating summary-level SOC report availability.

    Verify on security.bigcommerce.com
    ISO 27001
    HELD

    ISO/IEC 27001:2022 certification achieved April 16, 2019 (originally ISO/IEC 27001:2013), making BigCommerce one of the first SaaS ecommerce platforms to achieve this rigorous information security management certification.

    Verify on bigcommerce.com
    ISO 27017
    HELD

    ISO/IEC 27017:2015 certified, addressing cloud-specific information security controls.

    Verify on security.bigcommerce.com
    ISO 27018
    HELD

    ISO/IEC 27018:2019 certified, ensuring protection of personally identifiable information (PII) in cloud computing environments.

    Verify on security.bigcommerce.com
    ISO 27701
    HELD

    ISO/IEC 27701 Privacy Information Management System certification strengthens privacy and data protection management. Announced as part of privacy and business continuity enhancements.

    Verify on bigcommerce.com
    ISO 22301
    HELD

    ISO/IEC 22301 Business Continuity Management System certification demonstrates resilience and continuity planning capabilities.

    Verify on bigcommerce.com
    ISO 9001
    HELD

    ISO 9001:2015 Quality Management certification achieved September 2025, affirming consistent product delivery and customer satisfaction per international best practices.

    Verify on commerce.com
    ISO 42001
    HELD

    ISO/IEC 42001:2023 Artificial Intelligence Management System certification achieved September 2025. CISO Dan Holden stated: 'These certifications are backed by comprehensive audits twice each year and provide assurance that the company will not train AI models using merchant data.' Awarded by Coalfire.

    Verify on commerce.com
    PCI DSS
    HELD

    PCI DSS v4.0.0 Level 1 Attestation of Compliance as both Merchant and Service Provider, confirming payment card data security standards.

    Verify on security.bigcommerce.com
    GDPR
    HELD

    Platform confirmed as GDPR compliant with EU-US Data Privacy Framework (DPF) certification. Data Processing Addendum explicitly restricts use of personal data to service delivery only: 'A Commerce Entity shall act as Processor and Process the Personal Data only to provide the Services, on Customer's documented instructions.'

    Verify on commerce.com
    CCPA
    HELD

    California Consumer Privacy Act compliance confirmed in Data Processing Addendum: 'the Commerce Entity will not Sell or Share Personal Data of California residents.'

    Verify on commerce.com
    CPRA
    HELD

    California Privacy Rights Act compliance listed on Platform Trust Center with CCPA/CPRA protections for California residents.

    Verify on security.bigcommerce.com
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    BigCommerce services are explicitly not intended to process protected health information (PHI) as defined by HIPAA. Per help center: BigCommerce does not offer HIPAA compliance. The platform can support healthcare businesses through integrations with compliant systems, but does not itself hold a BAA or provide HIPAA-compliant data processing.

    source: support.bigcommerce.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region: USA (primary), Germany, Australia available via Google Cloud infrastructure. AWS and Google Cloud used for data hosting. Data can be transmitted internationally including to the United States. No explicit data residency isolation options documented.

    ISO/IEC 42001:2023 certification (September 2025) explicitly confirms BigCommerce will NOT train AI models using merchant data. Data Processing Addendum prohibits use of personal data beyond service delivery. No provisions for AI training or machine learning on customer data found in contractual documentation.

    // Security controls

    Encryption in Transit

    Encryption implemented; specific protocols (TLS version) not disclosed in public documentation

    commerce.com

    Encryption at Rest

    Encryption at rest implemented; specific algorithms and key management not disclosed in public documentation

    commerce.com

    Infrastructure

    Multi-datacenter architecture (minimum 2 data centers + 1 backup), High Availability (HA) with 99.99% uptime SLA. Hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP). Cloudflare for DDoS protection and CDN.

    commerce.com

    Access Controls

    Access controls, firewalls, network segmentation, and role-based permissions implemented. NIST Cybersecurity Framework and NIST 800-53 Rev. 5 aligned.

    commerce.com

    Vulnerability Management

    Annual penetration testing and vulnerability assessments conducted; PCI-DSS compliance audits performed.

    commerce.com

    Monitoring & Incident Response

    24/7 monitoring via Sentry I/O, NewRelic, Sumo Logic, and Sysdig. Comprehensive audit logging and security monitoring.

    commerce.com

    Data Residency

    Multi-region architecture with primary infrastructure in USA; secondary regions available through Google Cloud (Germany, Australia). Data may be transmitted internationally per privacy policy.

    commerce.com

    // Products & data scope

    BigCommerce Core PlatformE-commerce SaaS

    data: Merchant store data, customer data (orders, accounts, preferences), product catalog, inventory, transaction data

    Available in Standard, Plus, Pro, and Enterprise tiers. B2C and B2B capabilities. Supports multichannel and multi-storefront deployments.

    FeedonomicsProduct Feed Management

    data: Product catalog data, marketplace feed data, syndication data

    Syncs product data across 150+ marketplaces and advertising channels. Separate sub-product with its own data processing.

    MakeswiftVisual Site Builder

    data: Site design data, configuration, visual elements

    Drag-and-drop builder for storefronts and landing pages. Integrates with BigCommerce platform.

    // What to watch

    • HIPAA not supported: BigCommerce explicitly does not offer HIPAA compliance and is not suitable for healthcare data processing.
    • Multi-cloud architecture: Reliance on both AWS and Google Cloud introduces subprocessor dependency chain; both are SOC 2 certified but increases complexity.
    • Data residency: No explicit single-region data residency or data isolation guarantee; suitable for most global commerce but not for strict data localization requirements.
    • AI governance leading-edge: ISO 42001 certification (Sept 2025) is among first in industry; explicitly prohibits AI training on merchant data, which is a strong privacy posture.

    // At a glance

    Pricing model

    Subscription (SaaS) with tiered pricing (Standard, Plus, Pro, Enterprise) based on usage/GMV. Enterprise plans available.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on BigCommerce Pty. Ltd. (trading as Commerce; NASDAQ: CMRC)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.bigcommerce.com

    > Browse all vendor trust reports