Information Security White Paper
commercetools platform

This white paper applies to the commercetools platform running in Europe, the US and APAC.

www.commercetools.com

Table of Contents

Introduction 3
What is commercetools? 4
Security Culture 4
    Information Security Management
    Information Security Controls
    Human Resource Security
Physical Security 5
    Data Center
    Offices
commercetools Platform 6
    System Overview
    API Security
    Payment API
    Product Security
    Data in Transit
    Data at Rest
    Data Access Restrictions
    Separation of Production and Non-Production Environments
Operational Security 8
    Network Security
    Vulnerability Management
    Patch Management
    Malware Prevention
    Monitoring
    Incident Management
Security in Development Process 10
Performance Management 10
Data Backup and Business Continuity Management 10
Supplier Relationships 11
Compliance 11
    Data Processing Agreements
    International Data Transfer
    Data Protection Officer
    Information Security Certifications
Conclusion 12

Introduction

From the world’s largest public companies to early-stage startups, people rely on the commercetools ecommerce platform to run their business. Using the platform, companies can provide customers with detailed product data and create and update carts. Order data and customer data are then managed together in the platform. It is therefore mission critical for all our merchants that the commercetools platform, especially its API, runs nonstop. But providing a reliable solution is only the first step. commercetools must also follow the latest information security best practices and comply with privacy regulations. This allows all companies to securely run their business on commercetools.

We believe that transparency in security processes and controls is indispensable. For our customers it is important to know who can access their data when, and what measures are taken to prevent unauthorized access. This white paper provides a behind-the-scenes look at our security measures and how they protect our customers around the world.

What is commercetools?

Our headless commerce platform separates frontend and backend functionality, enabling businesses to create seamless shopping experiences across all digital touchpoints. Our flexible API lets you engage with your customers via webshops, mobile apps, voice assistants, AR/VR applications, social networks, and others.

We offer a catalogue of 300+ API endpoints for your commerce projects which you can consume à la carte. Our modular architecture enables you to rapidly build new customized services for your customers, iterate quickly, and run new business models at a global scale.

Security Culture

Information security plays a very important role for commercetools, as well as for our customers and partners. To this end, a framework of governance, risk management and compliance monitoring has been established, based on industry standards as well as applicable data protection laws. Information security is therefore an integral part of the commercetools corporate strategy.

commercetools customers own their data, and we commit to keeping our customers’ data confidential. We offer our customers a detailed data processing agreement which describes our commitment to protect the personal data of end-users. It states that commercetools will not process data for any purpose other than to fulfill our contractual obligations.

Data will be deleted upon request, including backup and log/monitoring data. Finally, we provide data portability so customers may take their data with them if they choose to stop using our services, without penalty or additional cost imposed by commercetools.

Information Security Management

commercetools takes numerous steps to protect our employees, customers, partners and service providers from risks associated with information processing. We have implemented an industry-standard Information Security Management System (ISMS) to regulate the handling of information across the organization.

Information Security Controls

The effectiveness and efficiency of the ISMS is reviewed by the Information Security Officer (ISO) as part of internal and external audits as well as annual penetration tests, according to industry standards.

Human Resource Security

Personnel security measures are designed to reduce the risk of human error, theft, fraud or misuse of facilities. These include measures for internal and external employees as well as service providers. They cover measures in the recruitment phase, during the employment relationship and after termination. commercetools requires all employees and contractors to sign a confidentiality agreement before commencement. Security and Privacy awareness training is regularly delivered to all commercetools members.

Physical Security

Appropriate measures for the protection of property (perimeter protection, burglary protection) are implemented to prevent both unauthorized access and damage to commercial buildings and information. These also define measures that protect against loss, damage or compromise of assets and disruption of business activity.

Data Center

The commercetools platform is hosted globally on Google Cloud Platform (GCP) or Amazon Web Services (AWS), which guarantees the implementation of measures according to the red security level. Both cloud service providers operate state-of-the-art data centers that place security and protection of data among their primary design criteria. This is demonstrated by their ISO/IEC 27001 certificates and SOC 2 reports.

Offices

commercetools has a security program that manages visitors, building entrances and overall office security. Access to commercetools offices is restricted and monitored by receptionists, who are also responsible for visitor management. According to our security zone concept, some areas are locked, and visitors must be accompanied by employees. Our office buildings are protected by a sophisticated fire alarm system. All fire extinguishers are CO2 based to protect the hardware in use and all affected IT systems.

commercetools follows a clean desk policy and requires that all devices, such as laptops and cell phones, are locked when unattended, encrypted and password protected.

commercetools Platform

System Overview

The commercetools platform is a visionary headless commerce SaaS (software-as-a-service) offering, best suited for a microservices architecture. It is available on different cloud solutions, such as GCP and AWS. The application is containerized and supports auto-scaling to provide high availability.

[Figure: platform system overview. Layers from top to bottom: Business User Tooling (Bring Your UIs, Merchant Center), SDK (optional), Global Load Balancing and CDN, API, Back-end, Storage, Cloud Infrastructure.]

API Security

The API of the commercetools platform is only accessible with a valid OAuth2 token that has a short period of validity. These tokens are created by our OAuth2 service and hold specific permissions defining which data can be accessed or modified.
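As an added illustration of the token model described above, the following constructed example models an OAuth2 service that mints short-lived, project-bound tokens carrying scopes, and an API check that refuses expired, foreign-project or under-scoped tokens. It is not commercetools' OAuth2 service or token format; the token encoding, the signing secret, the TTL and the scope names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real service uses its own keys and TTL.
SECRET = b"constructed-demo-secret"
TOKEN_TTL_SECONDS = 300  # short period of validity


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(project: str, scopes, now=None, ttl=TOKEN_TTL_SECONDS) -> str:
    """Model of the OAuth2 service: mint a signed token bound to one project,
    carrying an explicit list of scopes and an absolute expiry time."""
    now = time.time() if now is None else now
    claims = {"project": project, "scopes": sorted(scopes), "exp": int(now + ttl)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def authorize(token: str, project: str, required_scope: str, now=None):
    """Model of an API endpoint's check. Order matters: verify the signature
    before trusting any claim, then expiry, then project binding, then scope.
    Returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        presented = _unb64(sig)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"
    if claims["project"] != project:
        return False, "wrong project"
    if required_scope not in claims["scopes"]:
        return False, "insufficient scope"
    return True, "ok"
```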

Payment API

No payment information must be made available to our platform. We only offer a payment API to reference a payment transaction. This means that this information can later be transferred to an ERP system for further processing together with an order. A possible implementation in a frontend is completely independent of the commercetools platform and must run in an infrastructure provided by the customer or the payment service provider. It is recommended to build checkout frontend implementations that comply with a PCI-A level certification.

Product Security

One focus of commercetools’ security initiatives is to build and run the commercetools platform in a way that always protects our customers’ data. As a multi-tenant solution, we also ensure the highest level of data separation within the platform by storing the data of each project in a separate database. Projects are only accessible by the customer who created them. Full isolation and segregation of persistent data are ensured and regularly checked.

Data in Transit

The software stack used to create the commercetools platform was selected because it was designed and built to operate securely. Following the principle of ‘defense in depth’, we have chosen cloud service providers with an IT infrastructure that is more secure and easier to manage than more traditional technologies. All communications are only available via HTTPS and are secured by TLS 1.2. It is not possible to access any data in the commercetools platform using a non-TLS-secured method.

Data at Rest

All data at rest is protected by disk encryption using AES-256. The central key management service of each cloud service provider is configured to encrypt data before it is written to physical storage. Keys are rotated automatically and provide an extensive audit log. Backups are encrypted with GPG (GNU Privacy Guard) keys and stored separately from production. All user passwords are securely encrypted with state-of-the-art algorithms and are never stored in plain text.

Data Access and Restrictions

The authorization process is subject to the principles of ‘need to know’ and ‘least privilege’. The details of each role are set and documented by the asset owner (administrator) and approved by the team lead. Roles are updated in the event of function changes or personnel changes. Regular review processes are defined and carried out.

Separation of Production and Non-Production Environments

commercetools has a strict separation between production and non-production environments. Production and customer data is never used for non-production purposes. Non-production environments are used for development and testing.

Operational Security

Operational security is a risk management process to protect sensitive information from falling into the wrong hands. commercetools ensures that operational security is an integral part of its operations.

Network Security

Access to the commercetools office network is controlled, limited and monitored by a firewall that enables scalable and centralized management of multiple endpoints. Remote access is secured using a virtual private network (VPN). All internal wireless network communication is encrypted using WPA2 with AES 256-bit keys. The commercetools office network is monitored 24/7 for unknown or insecure devices.

A separate guest network was implemented to protect our segments from unauthorized access.

All traffic to the commercetools platform is encrypted with TLS 1.2, and commercetools ensures that only state-of-the-art ciphers are used.

Vulnerability Management

Regular vulnerability scans are performed within the office networks, and additional threat notifications are tracked. The platform is continuously scanned for open ports and weak SSL/TLS certificates or configuration.

Further, commercetools conducts a penetration test of the commercetools platform by different external agencies at least once a year.

Patch Management

All services offered by commercetools are constantly reviewed for security-relevant aspects. Automation is applied where possible. Security updates are applied at regular intervals or immediately, depending on the severity of the issue.

Malware Prevention

Formal policies are in place prohibiting the use of unauthorized software and establishing rules regarding acceptable use of systems and incident response procedures.

All commercetools devices are protected with suitable anti-virus software, centrally managed and kept up to date.

Monitoring

commercetools’ IT systems are continuously monitored by automated processes targeted at the different levels of the physical infrastructure, such as platform components and the office network. End-to-end monitoring measures the availability of applications with a focus on minimizing incidents which may cause business-critical outages. Monitoring consists of both white-box monitoring of metrics exposed by the internals of the systems and black-box monitoring of the platform behavior as experienced by external systems calling it.

Incident Management

The commercetools operation team follows standard diagnostic procedures to drive resolution during business-impacting events. Operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution.

Security in Development Process

commercetools offers platforms in the EU, the US and APAC. All platforms are fully separated in order to address the different regulations within these regions; the software offered is the same. commercetools operates under a full CI/CD agile development model, combining continuous integration with either continuous delivery or continuous deployment. Development teams develop software in short cycles, ensuring that the software can be reliably released at any time. The aim is to build, test, and release software with greater speed and frequency. All necessary development and test environments are separated. Several reviews and approvals are required before code is deployed into production.

Performance Management

The goal of Performance Management is to optimize the capability of the infrastructure, services and supporting organization to deliver a cost-effective and sustained level of availability and reliability that enables the customer to satisfy their business objectives. Due to the distributed, cloud-native and asynchronous architecture of the commercetools platform, there is the possibility to auto-scale as overall platform load across all customers increases. Internal simulations have been run successfully.

Data Backup and Business Continuity Management

The implemented business continuity plan identifies the organization’s exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization. The plan includes activities under adverse circumstances, such as natural disasters, organized crime or human failure, to keep the day-to-day business going. The cloud service providers are built with redundancy across physical availability zones to address any kind of failure. Database clusters are distributed across all physical availability zones of the data center (typically three). As a result, data in the commercetools platform remains available even if one availability zone becomes unavailable.

Data backups have a small to medium RTO (recovery time objective) and a small RPO (recovery point objective). commercetools can do either partial or full restores, based on the impact of the loss.

Multiple tests have been completed, such as incremental testing, as part of standard releases. All backups are done automatically, managed by a storage management system, and completed four times a day (every six hours). These backups are stored encrypted for a maximum of 180 days, depending on the cloud service provider.

Supplier Relationships

Before new suppliers are onboarded, a verification of the same protection level is carried out and the technical and organizational measures (TOM) are documented. The TOM inspection report and the processing agreements are collected and reviewed on a regular basis. In case personal data needs to be processed, a data processing agreement is concluded and, as soon as customer data is concerned, the supplier is named as a subcontractor in our DPA.

Compliance

Compliance means conforming with relevant laws, regulations, business rules and internal policies. commercetools ensures compliance through various external and internal measures.

Data Processing Agreement

The GDPR requires data controllers (like companies using the commercetools platform) to only use data processors (commercetools) that provide sufficient guarantees to meet the requirements of GDPR Article 28. The data processing agreement can be requested at [email protected].

International Data Transfer

The GDPR requires companies to ensure adequate safeguards when transferring personally identifiable data to third countries outside the EU. EU standard clauses have been agreed with all processors outside the EU where no other safeguard (e.g. an EU adequacy decision) is in place.

Data Protection Officer

commercetools has assigned an external Data Protection Officer who works closely with the internal Data Protection Coordinator. Get in touch via email: [email protected]

Information Security Certifications

Compliance with the rules and corporate work instructions is regularly checked during internal and external audits. Furthermore, commercetools regularly undergoes independent verification of its platform security, privacy and compliance controls. The commercetools solution stack is not, and does not need to be, PCI certified.

The audit reports can be requested under a signed NDA. Please contact your sales contact or request them at [email protected]. Our cloud service providers are also regularly subject to independent verifications around the world. Please find more information under the following links:

GCP: https://cloud.google.com/security/compliance
AWS: https://aws.amazon.com/compliance/programs/

Conclusion

Here at commercetools, we pride ourselves on the vigilance we employ to protect our customers’ data assets, and we continually stress that a mature security organization requires coordinated dedication across technology, procedures and people.

We take numerous measures to ensure that our customers’ data is protected.

About commercetools

commercetools is the world’s leading platform for next-generation B2C and B2B commerce. To break the market out of being restrained by legacy suites, commercetools invented a headless, API-first, multi-tenant SaaS commerce platform that is cloud-native and uses flexible microservices. Using modern development building blocks in a true cloud platform provided by commercetools, customers can deliver the best commerce experiences across every touchpoint on a large scale.

commercetools has offices across the US, Europe, and Asia Pacific, with headquarters in . Since its founding in 2006, commercetools software has been implemented by Fortune 500 companies across industries, from retail to manufacturing and from telecommunications to fashion.

www.commercetools.com - - Jena - - London - Durham NC - Singapore -
