// Trust & Security Report

    WeCommerce Holdings Limited Partnership dba Stamped logo

    WeCommerce Holdings Limited Partnership dba Stamped

    Reviews, Loyalty, and Lifecycle Marketing platform for ecommerce merchants; integrates with Shopify and other platforms to enable review collection, loyalty programs, and automated customer lifecycle campaigns.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture/compliance)
    HELD

    Privacy Policy evidences an EU-facing GDPR posture: 'We will never sell your personal data.'; a Data Protection Officer 'can be contacted at legal@stamped.io'; EU/EEA transfers safeguarded 'by entering into the European Commission's Standard Contractual Clauses'; and breach handling states 'We will inform you without undue delay unless the risk to your individual rights and freedoms is low.' This is a compliance posture, not a formal certification.

    Verify on website.stamped.io
    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence found on the vendor's own website, help center, or any trust/security documentation. Stamped publishes no security or compliance page asserting a SOC 2 report. This reflects absence of vendor-published evidence, not a confirmed audit failure.

    source: website.stamped.io
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence found on the vendor's own website, help center, or trust documentation. No vendor-published page asserts a SOC 2 Type 2 report. This reflects absence of vendor-published evidence, not a confirmed negative audit result.

    source: website.stamped.io
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification held by Stamped.io. While infrastructure providers (payment processors, cloud hosts) may hold certifications, Stamped.io itself does not claim or display ISO 27001 certification.

    source: website.stamped.io
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification or compliance claims. Privacy policy and terms of use make no mention of HIPAA. Product is not marketed for healthcare or regulated health data.

    source: website.stamped.io
    PCI DSS
    NOT CONFIRMED

    No public, vendor-published evidence of PCI DSS scope or a named payment processor was found. The privacy policy and terms of use do not mention Stripe, PCI DSS, or cardholder-data handling. Stamped's products (reviews, loyalty, lifecycle email) do not appear to process cardholder data directly, so PCI DSS is likely out of scope, but no vendor statement confirms this.

    source: website.stamped.io
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence of ISO 27017 certification claimed by Stamped.io. Infrastructure may be on providers with certifications, but Stamped does not claim this certification.

    source: website.stamped.io
    ISO 27018 (PII Protection in Cloud)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification. Not mentioned in privacy policy, trust documentation, or security pages.

    source: website.stamped.io
    Google Partner Certification
    NOT CONFIRMED

    No vendor evidence found. The cited support article concerns SPF, DKIM, and DMARC email-authentication setup and makes no 'Google Partner' or certification claim; the original 'Certified Google Partner' assertion could not be verified on any vendor page. Note that Google Partner is an advertising-partner program, not a security certification, and is not applicable to a security assessment.

    source: stampedsupport.stamped.io

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Canada (HQ in Vancouver); data may be processed outside customer's country, with EU/EEA transfers protected by Standard Contractual Clauses

    Privacy policy allows Stamped to 'compile Aggregated Statistics based on Customer Data' and states they may 'use Aggregated Statistics to the extent and in the manner permitted under applicable law.' No explicit opt-out mentioned for AI training. Terms note vendor collects 'reviews, mentions and other contributions' from users but AI training intent is not explicitly disclosed.

    // Security controls

    Data Protection Officer

    Appointed; contact: legal@stamped.io

    website.stamped.io

    Breach Notification

    Company commits to notify 'without undue delay' unless risk to individual rights is low (e.g., well-encrypted data per GDPR Article 33)

    website.stamped.io

    Standard Contractual Clauses (SCC)

    Implemented for EU/EEA data transfers: 'Where we disclose personal data to a third party in another country, we endeavour to put safeguards in place...by entering into the European Commission's Standard Contractual Clauses.'

    website.stamped.io

    Encryption

    Privacy policy states data is 'treated securely' but does not specify AES-256, TLS version, or encryption standards explicitly

    website.stamped.io

    Email Security

    Supports DMARC/SPF/DKIM for email authentication to prevent spoofing and phishing

    stampedsupport.stamped.io

    Fraud Detection

    Platform detects suspicious activities like duplicate referrals and fraudulent redemptions with built-in controls

    website.stamped.io

    Review Verification

    Verified Buyer badge checks that review email matches order email, product reviewed aligns with purchased item, filters spam to comply with FTC Final Rule on fake reviews

    stampedsupport.stamped.io

    // Products & data scope

    ReviewsReview Collection & Management

    data: Customer reviews, ratings, photos, video testimonials; linked to order data for verification

    Integrates with Shopify and other platforms; supports Google Shopping Review integration; collects user-generated content

    LoyaltyCustomer Loyalty & Rewards

    data: Customer loyalty account data, point balances, redemption history, behavioral signals (purchases, referrals, reviews, social engagement)

    Tiered pricing by order volume; includes referral tracking and fraud detection

    Lifecycle (Repeat)Email Automation & Customer Lifecycle

    data: Customer purchase history, engagement signals, email behavior, personalization data

    Automated email flows triggered by purchase timing and customer segments; integrates with Klaviyo and other email platforms

    // What to watch

    • MISSING_TRUST_CENTER: Despite 45,000+ active merchants, Stamped.io has no publicly accessible dedicated trust center or security/certifications page. Standard for SaaS platforms serving enterprise use cases.
    • NO_FORMAL_CERTS: No SOC 2, ISO 27001, or HIPAA certifications evident despite growth-stage maturity and merchant scale. Raises questions about enterprise-readiness for regulated customers.
    • OUTDATED_TERMS: Terms of Use last modified 2022-12-07 (3+ years old). Privacy Policy language suggests older vintage but no modification date provided for privacy doc.
    • AI_TRAINING_AMBIGUITY: Privacy policy permits creation of 'Aggregated Statistics' from customer review data but does not explicitly state whether this data or aggregates are used for LLM training. Product handles customer reviews which could be sensitive.
    • IDENTITY_CONFLATION_RISK: A different company 'Stamped.ai' (online accounting/CPA firm) exists. Do not conflate their security certifications with Stamped.io reviews platform.
    • PAYMENT_PROCESSING_DELEGATION: PCI DSS compliance is outsourced to Stripe; Stamped does not store full card data. This is appropriate but means no direct PCI audit by Stamped.
    • Unable to verify current version or recent updates.

    // At a glance

    Pricing model

    Tiered by order volume: Basic (~$23/mo for 200 orders), Premium (500 orders), Business ($149 for 1,500 orders); per-review pricing available

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on WeCommerce Holdings Limited Partnership dba Stamped's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    website.stamped.io

    > Browse all vendor trust reports