Platform Trust Center

BigCommerce’s certifications, completed by cybersecurity advisory group Coalfire ISO and evaluated by an independent quality assurance organization, ensures that the company has established a formal set of policies, procedures, processes and systems that manage information risks, privacy risks and business resiliency risks for its digital and physical presence.

• ISO27701, also known as the Privacy Information Management System (PIMS) framework, is the data privacy extension to ISO 27001, which outlines controls and processes for managing data privacy and protecting PII.

• ISO23301 is the recognized international standard for Business Continuity Management Systems (BCMS), published by the international organization for Standardization (ISO).

The ISO 22701 and ISO 22301 certifications are the latest in a series of commitments BigCommerce is making to its information security, privacy, compliance and regulation practices.

BigCommerce is committed to open, transparent communications that put our users first. We have recently made several important privacy-related updates to our Terms of Service(TOS), including: Incorporating our Data Processing Addendum (DPA) into our TOS. Our DPA makes certain commitments to merchants about how we use and protect their customer’s personal data when acting as a processor. Where merchants have already executed a separate data protection agreement with BigCommerce, the executed agreement will remain in force and prevail except where the TOS provides a more stringent level of data protection. Updating our Privacy Policy to account for new privacy laws and clarify how we use, share, and retain personal data, including additional information about our efforts to respond to data subject access requests.

Relatedly, we will soon make several changes to our list of third-party subprocessors. These changes are the result of substantial internal efforts to minimize shopper data as part of our broader commitment to our merchants’ privacy.

We are providing information about the type of shopper data that may be processed by our subprocessors, as well as how merchants can avoid the use of certain subprocessors.

We encourage you to read the full Terms of Service at https://www.bigcommerce.com/terms/ and view our list of third-party subprocessors.

For current customers, additional information about the protections we employ when processing shopper data can be found in this Platform Trust Center, in our Data Protection & Transfer Impact Summary.

If you have any questions, please visit the BigCommerce Help Center or contact us: https://www.bigcommerce.com/contact/

Update: BigCommerce is not affected by this vulnerability.

On Oct 25, 2022 The OpenSSL project announced a forthcoming release of OpenSSL (version 3.0.7) to address a critical security vulnerability. This release should go live on Tuesday, November 1, 2022. Versions prior to 3.0.0 are confirmed as not vulnerable. BigCommerce has checked our own systems and tools for usage of vulnerable versions of OpenSSL. We will be on alert for any impacts when the vulnerability details are disclosed.

Reference:

• https://www.openssl.org/news/vulnerabilities-3.0.html
• https://blog.qualys.com/vulnerabilities-threat-research/2022/10/31/qualys-research-alert-prepare-for-a-critical-vulnerability-in-openssl-3-0

This advisory will be updated as new information is provided.

BigCommerce believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our applications. Good luck, and happy hunting!

Report your findings using the link on the footer of this page.

This Report is found under the 'Other Reports' tile. It is is a summary of BigCommerce’s data protection and transfer practices. This document is not legal advice and does not provide an exhaustive list of the protections maintained by BigCommerce. For the avoidance of doubt, the information provided in this document is BigCommerce confidential and proprietary information and can be shared only: (i) in relation to a legitimate business purpose; and (ii) subject to an appropriate confidentiality expectation or obligation.

BigCommerce operates as a PCI DSS Level 1 Service Provider and Level 1 Merchant, accepting online payments by card-not-present transactions only. Current PCI AOC Issuance Date: 6/13/2022. PCI AOC's are available from the 'Compliance' Tile/ PCI DSS Link

As a PCI DSS Level 1 Merchant, BigCommerce accepts payments for subscriptions via the BMP billing application (manage.bigcommerce.com) which is used by all customers.

As a PCI DSS Level 1 Service Provider, BigCommerce facilitates the tools for merchants to accept credit card payments at their individual eShops. Merchants provide BigCommerce with the name of the payment gateway provider of their choice and their individual Merchant IDs; BigCommerce configures the merchant eShops with a shopping cart that enables them to accept credit/debit card payments.

GitHub revealed on 4/15/2022 that an attacker is using stolen user tokens (issued to Heroku and Travis-CI OAuth) to download data from private repositories. BigCommerce can confirm that we have conducted an internal investigation and we have no evidence of impact. BigCommerce will continue to monitor the situation closely and will provide updates where we have them available to us.

Reference: https://status.heroku.com/incidents/2413 https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/

The PCI Security Standards Council published version 4.0 of the PCI Data Security Standard (PCI DSS) The updated standard and Summary of Changes document are available now on the PCI SSC website. https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

VIEW: “PCI DSS v4.0 At a Glance” an overview document on the changes to PCI DSS v4.0. https://www.pcisecuritystandards.org/documents/PCI-DSS-v4-0-At-A-Glance.pdf

Published on 3/31/2022 BigCommerce became aware of a recently disclosed CVE-2022-22965 - “SpringShell” RCE vulnerability in spring-beans before 5.2.20/5.3.18, BigCommerce can confirm we have conducted an internal investigation and can confirm that we have no evidence that BigCommerce customers or internal employees have been targeted or impacted by this vulnerability.

BigCommerce will continue to monitor the situation closely and will provide updates where we have them available to us.

BigCommerce values the security of its services extremely highly and to this end we maintain appropriate industry accepted third party accreditation of our security controls and program.

Published on 3/31/2022 BigCommerce has been made aware of both the recent potential Okta security incident and the recent potential Microsoft security incident and is actively assessing the situation as events unfold.

​We have been in touch with OKTA and have no evidence of impact to BigCommerce. We have researched the Microsoft issue and found no evidence of impact to BigCommerce. We continue to monitor the situations closely and will provide updates where we have updates available to us.

OKTA Statement: https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/ Microsoft Statement: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

The US Cybersecurity & Infrastructure Security Agency provides guidance for organizations to prepare for, respond to, and mitigate the impact of cyber attacks during this period of unrest. https://www.cisa.gov/shields-up

SECURITY NOTICE (click to expand): about the recently disclosed Log4j vulnerabilities, references: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance, https://logging.apache.org/log4j/2.x/security.html and: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 https://nvd.nist.gov/vuln/detail/CVE-2021-45046 https://nvd.nist.gov/vuln/detail/CVE-2021-45105 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104

Exploits related to vulnerabilities affecting Apache’s Log4j, known as "Log4Shell" and "log4shell" were publicly disclosed on December 9, 2021.

There have been reports confirming that active scanning and exploitation attempts are occurring in the wild across a variety of Internet connected systems, separate and unrelated to BigCommerce systems.

BigCommerce has been working diligently to assess our internal systems and 3rd party dependencies in order to mitigate what has become a ubiquitous vulnerability for attackers.

What is the impact? From our investigation no impact to our platform has been identified. Merchants and partners are strongly encouraged to assess their own environments for this vulnerability and remediate immediately.

Who is impacted? Versions of Log4j2 from 2.0-beta9 to 2.15.0, excluding 2.12.2 are affected by this vulnerability. An extensive list of responses from impacted organizations has been compiled here for greater context: https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/

What action is required for BigCommerce's customers? No action is required related to your BigCommerce store. However, if you have engaged a third party development partner or leverage 3rd party applications you are strongly encouraged to request confirmation that they are not vulnerable to the Log4j vulnerability.

Note: BigCommerce will not send you any code to upload to your site or require you to install anything on your computer or in your store