Generally. BigCommerce will maintain an information security management system (“ISMS”), maintain automated tools to identify attempts to exfiltrate data, use certificate-based security, and develop and maintain secure key management policies and procedures. BigCommerce will monitor, log, audit, and escalate threats after applicable risk assessments have been performed. BigCommerce will manage the secure lifecycle of systems and software.
Boundary Defense and Security Segmentation. BigCommerce will monitor, detect, and restrict the flow of information on a multilayered basis. BigCommerce will design and implement multilayered and secure network and system segmentation.
Physical Security. BigCommerce will maintain an access control system that enables BigCommerce to monitor and control physical access to BigCommerce facilities.
ISMS. BigCommerce operates a comprehensive ISMS. BigCommerce’s ISMS is audited and certified annually by an independent third party to meet or exceed ISO/IEC 27001 technical standards. BigCommerce will use commercially reasonable efforts to maintain such certification during the Term, as well as controls consistent with or substantially similar to the following technical and organizational measures:
a) Encryption. Where applicable, BigCommerce encrypts Personal Data by default in-transit and at-rest.
b) Minimization. BigCommerce minimizes personal data on its platform by design, including through anonymization, pseudonymization, and deidentification where practicable.
c) Cybersecurity. Where applicable, BigCommerce infrastructure includes perimeter and host-based firewalls, file integrity monitoring, access control monitoring, intrusion detection, and application firewalls.
d) Integrity and Stability. BigCommerce infrastructure is logically segmented and replicated throughout multiple availability zones. Each store on the platform is protected by multiple layers of security and access control, including cloud security posture management and global cloud network protection.
e) Testing. BigCommerce conducts frequent vulnerability scans and engages third-party providers to conduct substantive vulnerability assessments.
f) Governance. As a matter of policy and practice, BigCommerce takes organizational measures to promote:
i. commercially reasonable internal IT and IT security governance, management, and training;
ii. commercially reasonable business continuity planning and management;
iii. commercially reasonable ability to restore availability and access in the event of an incident;
iv. regular testing, assessment, and evaluation of the effectiveness of BigCommerce’s organizational measures;
v. commercially reasonable user identification, authorization, and access control;
vi. commercially reasonable secure system configuration;
vii. assessment of Subprocessors in accordance with BigCommerce’s ISMS and obligations as a Processor, including with regard to security, privacy, and transfer impact;
viii. data deletion, where applicable, in accordance with BigCommerce’s contractual obligations, internal policies, obligations as a Processor, and Data Protection Laws; and
ix. re-evaluation of technical and organizational measures in light of relevant changes.