Third-Party Subprocessors

Date of Last Revision: May 8, 2024

When acting as a processor on behalf of merchants in providing ecommerce Services, BigCommerce and its affiliates[1]

may engage the following third-party subprocessors.[2] These subprocessors may process certain types of personally identifiable information (PII) associated with shoppers that interact with merchant storefronts.


Processing Activity

Purpose of Processing

Default Location

Additional Information



Online store metrics


Trace PII


Office productivity and communication

Process/project management and product support

USA, Australia

Trace PII[3]


DDoS mitigation, threat detection, and CDN

DDoS protection, digital threats monitoring, and accelerated content delivery

USA, with globally decentralized CDN

Trace PII


Analytics data pipeline

Infrastructure management, data piping between systems that lack native integrations


Merchants can eliminate by turning off BC analytics


Hosting, platform functionality, and office productivity

Infrastructure hosting, document management, and communications

USA, Germany, or Australia

All platform PII, including all identifiers noted in the BigCommerce TOS

Sentry I/O by Functional Software

Performance improvement, error logging, and troubleshooting

Error monitoring

for BigCommerce application and infrastructure Services


Trace PII


Data warehouse

Internal analytics warehouse


Trace PII

[1] All BigCommerce affiliates are bound by the BigCommerce DPA. Any PII processed by, or transferred between, BigCommerce affiliates is further subject to the internal protections of an intra-group data transfer agreement (IGA), which has been signed by all BigCommerce affiliates and requires substantially the same level of data protection as that provided to merchants under the BigCommerce DPA.

[2] As set forth in the BigCommerce DPA, BigCommerce does not transfer any PII to subprocessors without: (i) a security assessment, (ii) a privacy assessment, including an assessment of transfer impact; and (iii) a data protection agreement that requires substantially the same level of data protection as that provided to merchants under the BigCommerce DPA.

[3] Trace PII may include data such as a single transaction number or IP address that is not ordinarily processed in association with other identifiers. Although such data may not in itself constitute PII, BigCommerce generally treats such data as PII out of an abundance of caution unless or until it has been fully deleted, anonymized, or deidentified.