The future is agentic.

Find out why
Sign in Sign up for free

Security you can trust

Commerce Layer stands as your compliance and security partner. Our industry certifications aren't just credentials, they're a promise of protection for your most critical business asset.

SOC 2 Compliance The gold standard of security

Our SOC 2 Type 2 certification represents a rigorous approach to protecting your data. We've passed a comprehensive 12-month audit that validates:

  • Advanced cryptographic controls (AES-256 encryption)
  • Multi-factor authentication
  • Granular access management
  • Continuous monitoring and threat detection
  • Zero-trust network architecture
PCI DSS Compliance Fortress-Level payment security

PCI DSS Level 1 Provider certification means we've implemented:

  • End-to-end payment data encryption
  • Advanced tokenization of sensitive information
  • Secure transmission protocols (TLS 1.3+)
  • Dynamic fraud detection
  • Continuous compliance monitoring
ISO 27001 Compliance Global information security management

Our ISO 27001 certification demonstrates a comprehensive framework for managing information security across:

  • Asset management
  • Operational security controls
  • Crypyographic protection
  • Physical and environmental security
  • Incident response procedures

Security principles

Least privileges

In accordance with the least privilege principle, access should be granted only to those with a legitimate business need.

Separation of duties

Separation of duties helps prevent unauthorized access to sensitive information, data breaches, and other security incidents. It does this by ensuring that no single individual has complete control over a process or system.

K.I.S.S.

In this context, we can assign a slightly different meaning to this acronym, such as "Keep Information Security Simple". By simplifying the software design and implementation details, the attack surface or vulnerability of the software is reduced.

Open design

Instead of relying on security by obscurity, which hides the design of the software to ensure security, we believe that software design should be open for review while remaining independent from its implementation.

Your Security is Our Priority

Authentication

Commerce Layer utilizes the OAuth 2.0 protocol, which is an industry-standard, to handle client authorization. All API requests require authentication. Access tokens can be obtained by executing an authorization flow using a valid application as the client. The specific authorization flow depends on the grant type. Access tokens have a lifespan of 2 hours, while refresh tokens expire after 2 weeks.

Roles management

Commerce Layer supports a granular access control system at the resource level. Each access token is assigned a specific set of permissions. The client and the authorization flow determine the allowed actions for each resource.

Vulnerability management

In addition to ongoing automated malicious dependency scanning and static code analysis, our services undergo Penetration Testing at least once a year. We also perform quarterly external vulnerability scans.

Any detected vulnerability is evaluated to determine if it is truly impacting our security. If that is the case, it is immediately assigned to the appropriate team and addressed with a Service Level Agreement (SLA) based on its severity. All relevant vulnerabilities are addressed within 90 days of discovery.