Separate your product catalog from commerce.

Security at Commerce Layer

Security is one of the biggest considerations in everything we do. To accomplish security at all levels, we make use of best-in-class tools and guidelines.


  • Least privileges
    In accordance with the least privilege principle, access should be granted only to those with a legitimate business need.
  • K.I.S.S.
    In this context, we can assign a slightly different meaning to this acronym, such as "Keep Information Security Simple". By simplifying the software design and implementation details, the attack surface or vulnerability of the software is reduced.
  • Separation of duties
    Separation of duties helps prevent unauthorized access to sensitive information, data breaches, and other security incidents. It does this by ensuring that no single individual has complete control over a process or system.
  • Open design
    Instead of relying on security by obscurity, which hides the design of the software to ensure security, we believe that software design should be open for review while remaining independent from its implementation.


Commerce Layer is certified as a PCI DSS Level I, SOC 2 Type 2, and ISO 27001 service provider. Our customers can take advantage of our certification to simplify their own compliance certification processes.

PCI DSS SOC2 TYPE2 ISO 27001 compliant

Product security


Commerce Layer utilizes the OAuth 2.0 protocol, which is an industry-standard, to handle client authorization. All API requests require authentication. Access tokens can be obtained by executing an authorization flow using a valid application as the client. The specific authorization flow depends on the grant type. Access tokens have a lifespan of 2 hours, while refresh tokens expire after 2 weeks.

Roles management

Commerce Layer supports a granular access control system at the resource level. Each access token is assigned a specific set of permissions. The client and the authorization flow determine the allowed actions for each resource.

Vulnerability management

In addition to ongoing automated malicious dependency scanning and static code analysis, our services undergo Penetration Testing at least once a year. We also perform quarterly external vulnerability scans.

Any detected vulnerability is evaluated to determine if it is truly impacting our security. If that is the case, it is immediately assigned to the appropriate team and addressed with a Service Level Agreement (SLA) based on its severity. All relevant vulnerabilities are addressed within 90 days of discovery.

Data security


In transit

Commerce Layer utilizes TLS 1.2 or higher for all data transmission over potentially insecure networks. We also enforce security features like HSTS (HTTP Strict Transport Security) to enhance the security of our data during transit. Our cloud infrastructure providers handle the management and deployment of server TLS Keys and certificates at the origin, while our CDN provider handles them at the origin.

At rest

All datastores, including databases, caches, storage buckets and filesystems, are encrypted at rest using industry-standard algorithms implemented by our cloud providers.

Encryption keys are managed using the providers' key management systems. Application secrets are encrypted and securely stored using the providers' secrets and parameters management tool. Access to these values is strictly limited.

Data retention and removal

All data is removed or anonymized as soon as possible after deletion or service cancellation. Users can also contact us to have their data removed.

System security

System configuration

System configuration and consistency are maintained by using standard, up-to-date images and infrastructure-as-code tools. This is done by replacing systems with updated deployments.

When systems are deployed, they utilize up-to-date images that have been updated with configuration changes and security updates. After deployment, existing systems are decommissioned and replaced with up-to-date systems.

Access management

Commerce Layer employees are only granted access to applications they need based on their role, and automatically deprovisioned upon termination of their employment. Employee computers are secured with encrypted hard drives and firewalls, and access to central resources and third-party services are always encrypted and protected with two-factor authentication.

Commerce Layer employees do not have physical access to data centers, nor access to the underlying cloud infrastructure.

Business continuity

Commerce Layer's services are built using leading cloud infrastructure providers. These providers offer fully redundant and distributed systems that run across multiple regions and availability zones. This means that even if a single component fails, there will be no significant service disruptions. Regular maintenance is performed on components without affecting availability.

The providers' load balancers and Content Delivery Networks (CDNs) are capable of mitigating various types of Distributed Denial of Service (DDoS) attacks. Additionally, our backend systems can automatically scale to handle increased load.

In the event of a disaster, our services and processes are designed to enable recovery within a few hours, with minimal to no data loss.

Corporate security

Employee screening and policies

All of our employees undergo relevant background checks and security training. Additionally, they are required to sign confidentiality agreements.

Access to customer data is limited to a small group of employees based on the principle of least privilege, meaning they only have access if it is necessary for their work. Furthermore, all access is monitored through dedicated audit controls.

Secure development practices

Commerce Layer provides comprehensive security training to all employees during onboarding and annually. In addition, engineers are required to attend an annual training session specifically focused on secure coding principles and practices.

As part of our Secure Development Lifecycle, we conduct code peer reviews prior to deployment. Additionally, we make use of CI/CD tools to enable efficient and systematic development, testing, and deployment of our product. This approach ensures prompt and effective resolution of potential bugs and security issues, while minimizing the risk of human error.