// Trust & Security Report
WeCommerce Holdings Limited Partnership dba Stamped
Reviews, Loyalty, and Lifecycle Marketing platform for ecommerce merchants; integrates with Shopify and other platforms to enable review collection, loyalty programs, and automated customer lifecycle campaigns.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on website.stamped.io“Privacy Policy evidences an EU-facing GDPR posture: 'We will never sell your personal data.'; a Data Protection Officer 'can be contacted at legal@stamped.io'; EU/EEA transfers safeguarded 'by entering into the European Commission's Standard Contractual Clauses'; and breach handling states 'We will inform you without undue delay unless the risk to your individual rights and freedoms is low.' This is a compliance posture, not a formal certification.”
> Show 8 unconfirmed / not-held certifications
source: website.stamped.ioNo public evidence found on the vendor's own website, help center, or any trust/security documentation. Stamped publishes no security or compliance page asserting a SOC 2 report. This reflects absence of vendor-published evidence, not a confirmed audit failure.
source: website.stamped.ioNo public evidence found on the vendor's own website, help center, or trust documentation. No vendor-published page asserts a SOC 2 Type 2 report. This reflects absence of vendor-published evidence, not a confirmed negative audit result.
source: website.stamped.ioNo public evidence of ISO 27001 certification held by Stamped.io. While infrastructure providers (payment processors, cloud hosts) may hold certifications, Stamped.io itself does not claim or display ISO 27001 certification.
source: website.stamped.ioNo public evidence of HIPAA certification or compliance claims. Privacy policy and terms of use make no mention of HIPAA. Product is not marketed for healthcare or regulated health data.
source: website.stamped.ioNo public, vendor-published evidence of PCI DSS scope or a named payment processor was found. The privacy policy and terms of use do not mention Stripe, PCI DSS, or cardholder-data handling. Stamped's products (reviews, loyalty, lifecycle email) do not appear to process cardholder data directly, so PCI DSS is likely out of scope, but no vendor statement confirms this.
source: website.stamped.ioNo public evidence of ISO 27017 certification claimed by Stamped.io. Infrastructure may be on providers with certifications, but Stamped does not claim this certification.
source: website.stamped.ioNo public evidence of ISO 27018 certification. Not mentioned in privacy policy, trust documentation, or security pages.
source: stampedsupport.stamped.ioNo vendor evidence found. The cited support article concerns SPF, DKIM, and DMARC email-authentication setup and makes no 'Google Partner' or certification claim; the original 'Certified Google Partner' assertion could not be verified on any vendor page. Note that Google Partner is an advertising-partner program, not a security certification, and is not applicable to a security assessment.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Canada (HQ in Vancouver); data may be processed outside customer's country, with EU/EEA transfers protected by Standard Contractual Clauses
Privacy policy allows Stamped to 'compile Aggregated Statistics based on Customer Data' and states they may 'use Aggregated Statistics to the extent and in the manner permitted under applicable law.' No explicit opt-out mentioned for AI training. Terms note vendor collects 'reviews, mentions and other contributions' from users but AI training intent is not explicitly disclosed.
// Security controls
Breach Notification
Company commits to notify 'without undue delay' unless risk to individual rights is low (e.g., well-encrypted data per GDPR Article 33)
website.stamped.ioStandard Contractual Clauses (SCC)
Implemented for EU/EEA data transfers: 'Where we disclose personal data to a third party in another country, we endeavour to put safeguards in place...by entering into the European Commission's Standard Contractual Clauses.'
website.stamped.ioEncryption
Privacy policy states data is 'treated securely' but does not specify AES-256, TLS version, or encryption standards explicitly
website.stamped.ioEmail Security
Supports DMARC/SPF/DKIM for email authentication to prevent spoofing and phishing
stampedsupport.stamped.ioFraud Detection
Platform detects suspicious activities like duplicate referrals and fraudulent redemptions with built-in controls
website.stamped.ioReview Verification
Verified Buyer badge checks that review email matches order email, product reviewed aligns with purchased item, filters spam to comply with FTC Final Rule on fake reviews
stampedsupport.stamped.io// Products & data scope
data: Customer reviews, ratings, photos, video testimonials; linked to order data for verification
Integrates with Shopify and other platforms; supports Google Shopping Review integration; collects user-generated content
data: Customer loyalty account data, point balances, redemption history, behavioral signals (purchases, referrals, reviews, social engagement)
Tiered pricing by order volume; includes referral tracking and fraud detection
data: Customer purchase history, engagement signals, email behavior, personalization data
Automated email flows triggered by purchase timing and customer segments; integrates with Klaviyo and other email platforms
// What to watch
- MISSING_TRUST_CENTER: Despite 45,000+ active merchants, Stamped.io has no publicly accessible dedicated trust center or security/certifications page. Standard for SaaS platforms serving enterprise use cases.
- NO_FORMAL_CERTS: No SOC 2, ISO 27001, or HIPAA certifications evident despite growth-stage maturity and merchant scale. Raises questions about enterprise-readiness for regulated customers.
- OUTDATED_TERMS: Terms of Use last modified 2022-12-07 (3+ years old). Privacy Policy language suggests older vintage but no modification date provided for privacy doc.
- AI_TRAINING_AMBIGUITY: Privacy policy permits creation of 'Aggregated Statistics' from customer review data but does not explicitly state whether this data or aggregates are used for LLM training. Product handles customer reviews which could be sensitive.
- IDENTITY_CONFLATION_RISK: A different company 'Stamped.ai' (online accounting/CPA firm) exists. Do not conflate their security certifications with Stamped.io reviews platform.
- PAYMENT_PROCESSING_DELEGATION: PCI DSS compliance is outsourced to Stripe; Stamped does not store full card data. This is appropriate but means no direct PCI audit by Stamped.
- Unable to verify current version or recent updates.
// At a glance
Pricing model
Tiered by order volume: Basic (~$23/mo for 200 orders), Premium (500 orders), Business ($149 for 1,500 orders); per-review pricing available
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on WeCommerce Holdings Limited Partnership dba Stamped's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
website.stamped.io