// Trust & Security Report

    Automattic Inc. logo

    Automattic Inc.

    WooCommerce - open-source ecommerce plugin for WordPress (self-hosted); commercial SaaS add-ons include WooPayments (integrated payment processing), extensions marketplace, and enterprise managed ecommerce offerings

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture)
    HELD

    Automattic offers a Data Processing Agreement (DPA) that 'satisfies the requirement for standard model clauses that govern the transfer of your data to Automattic and its subsidiaries' and 'documents Automattic's compliance with the GDPR requirements that apply to us as a data processor.' Per automattic.com/privacy, for Woo services in Designated Countries WooCommerce Ireland Ltd. handles processing with Automattic Inc. and WooCommerce, Inc. as joint controllers (Aut O'Mattic A8C Ireland Ltd. covers non-Woo services). Standard contractual arrangements approved by the European Commission/UK government are used for cross-border transfers.

    Verify on wordpress.com
    PCI DSS
    HELD

    WooCommerce.com states for its WooPayments product: 'Yes, WooPayments is PCI DSS compliant as a Level 1 service provider.' Card details are collected via hosted payment fields that are 'served securely from our payment partner's PCI DSS-validated environment,' and a copy of WooPayments' own Attestation of Compliance (AOC) is available on request from support. The core WooCommerce plugin is separately not PCI certified, as it 'does not handle cardholder data or process payments directly'; merchants retain ultimate PCI DSS responsibility for their own checkout environment.

    Verify on woocommerce.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No public evidence of a SOC 2 audit for Automattic Inc. or WooCommerce.com. WordPress VIP (a separate Automattic enterprise product) obtained SOC 2 Type I attestation in October 2025, but that attestation covers WordPress VIP infrastructure only and does not extend to WooCommerce.com services.

    source: automattic.com
    ISO 27001
    NOT CONFIRMED

    No public evidence found. No mention of ISO 27001 certification on automattic.com, woocommerce.com, or any Automattic trust/compliance documentation reviewed. The rtCamp agency partner holds ISO 27001, not Automattic.

    source: automattic.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or Business Associate Agreement (BAA) availability. WooCommerce is not positioned for healthcare data and no HIPAA documentation was found on vendor domains.

    source: automattic.com
    ISO/IEC 27017
    NOT CONFIRMED

    No public evidence found on any Automattic or WooCommerce domain.

    source: automattic.com
    ISO/IEC 27018
    NOT CONFIRMED

    No public evidence found on any Automattic or WooCommerce domain.

    source: automattic.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence found. No mention on any Automattic or WooCommerce domain reviewed.

    source: automattic.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any Automattic or WooCommerce domain.

    source: automattic.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found. WooCommerce is not positioned as a government cloud offering.

    source: automattic.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US (Automattic Inc., San Francisco) for non-EU/UK users; EU (Aut O'Mattic A8C Ireland Ltd., Dublin) as data controller for EU/UK/Australia/Canada/Japan/Mexico/New Zealand/Russia users. Data may be stored and accessed globally via Standard Contractual Clauses.

    In February 2024, Automattic entered talks to share public WordPress.com and Tumblr content with AI companies (OpenAI, MidJourney) for model training. Automattic explicitly excluded self-hosted WooCommerce store data: 'We are not including content from sites hosted elsewhere even if they use Automattic plugins like Jetpack or WooCommerce.' An opt-out toggle was added for WordPress.com/Tumblr hosted content. For WooCommerce AI features (Jetpack AI, etc.), inputs are shared with OpenAI and Anthropic; neither company uses those inputs to train or improve their models per Automattic's AI Guidelines page.

    // Security controls

    Encryption in transit

    TLS/SSL required for all checkout pages and integrated payment gateways; free SSL certificates available via hosting partners

    woocommerce.com

    Encryption at rest

    No specific vendor-domain disclosure found; depends on hosting provider chosen by merchant

    automattic.com

    Payment data storage

    Credit card numbers and CVV codes are never stored by WooCommerce. Only last 4 digits and card type stored locally when using payment tokens. Sensitive card data processed directly by payment gateway.

    woocommerce.com

    Bug bounty program

    Active HackerOne bug bounty program; Automattic commits to reviewing and replying to every legitimate security report within 24 hours

    automattic.com

    Vulnerability disclosure

    Responsible disclosure via HackerOne portal; https://hackerone.com/automattic

    automattic.com

    PCI DSS scope (WooPayments)

    WooPayments is a PCI DSS Level 1 certified service provider; it uses hosted payment fields served from its payment partner's PCI DSS-validated environment, reducing merchant PCI scope. WooPayments' own Attestation of Compliance (AOC) is available on request from support.

    woocommerce.com

    // Products & data scope

    WooCommerce core pluginOpen-source ecommerce plugin (self-hosted WordPress)

    data: Customer orders, PII (name, address, email), product catalog, payment tokens (partial card data only). Data stored on merchant's own hosting environment. Automattic does not receive store customer data unless optional cloud services are enabled.

    Free, open-source. PCI compliance is merchant's responsibility. No Automattic-held certifications apply to self-hosted deployments.

    WooPaymentsIntegrated payment processing (SaaS, powered by Stripe)

    data: Payment card data handled via Stripe's hosted payment fields (never touches merchant server). Non-payment data (name, address) stored in WordPress database on merchant server.

    WooPayments is itself a PCI DSS Level 1 certified service provider (its own AOC available on request), built in partnership with Stripe whose PCI DSS-validated environment serves the hosted payment fields. The core plugin is not PCI certified.

    WooCommerce extensions marketplaceThird-party plugin marketplace

    data: Marketplace browsing data on woocommerce.com; individual extension data scopes vary by third-party developer.

    Extensions are third-party products. Automattic certifications do not cover third-party extension data practices.

    Enterprise ecommerce (Woo Enterprise)Managed enterprise ecommerce

    data: Varies by deployment; may include managed hosting via WordPress.com or Pressable.

    Enterprise plans include dedicated Customer Success Manager. No SOC 2 or ISO 27001 specific to WooCommerce enterprise was found; WordPress VIP (separate product) holds SOC 2 Type I.

    // What to watch

    • PCI DSS scope: WooPayments is itself a PCI DSS Level 1 certified service provider with its own AOC available on request (built in partnership with Stripe, whose validated environment serves the hosted payment fields). The core WooCommerce plugin is not PCI certified, and merchants still bear PCI responsibility for their overall checkout environment.
    • SOC 2 and ISO 27001 absence: No public evidence of these certs for Automattic or WooCommerce.com. WordPress VIP (separate enterprise product) has SOC 2 Type I but this does not cover WooCommerce.com services.
    • AI training controversy (2024): Automattic was reported to be in talks to sell WordPress.com and Tumblr public content to OpenAI and MidJourney. Opt-out was added and self-hosted WooCommerce store data was explicitly excluded. The episode raised public scrutiny about Automattic data practices.
    • No dedicated trust center: Automattic's security page only covers bug bounty/HackerOne; no compliance portal, no cert registry, no audit summary page found.
    • DPA scope unclear: The DPA is documented as covering WordPress.com services; it is not clearly stated whether it covers all WooCommerce.com SaaS services. Merchants should confirm scope with Automattic.

    // At a glance

    Pricing model

    Freemium: WooCommerce core is free and open-source. Paid add-ons (extensions, themes) range from ~26 EUR to 300+ EUR annually. WooPayments charges transaction fees. Enterprise plans are custom-priced.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Automattic Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    automattic.com

    > Browse all vendor trust reports