Trust is the foundation of our relationship with hundreds of thousands of merchants around the world. We value the confidence you’ve put in us and take the responsibility of protecting your information seriously. To be worthy of your trust, we built and will continue to grow Magento with an emphasis on security, compliance, and privacy.
Shared responsibility security model
Magento Commerce Cloud relies on a shared responsibility security model in which customers and Magento have different areas of responsibility for maintaining the security of the commerce experience. Magento provides secure managed services on top of Amazon's industry-leading cloud services. Customers are free to manage the Magento application to their heart's content. This approach is intended to provide the greatest flexibility for customization and innovation while reducing the operational responsibilities of the merchant.
The customer is responsible for the security of their customized instance of the Magento Commerce application running on the Magento Commerce cloud environment.
AWS is responsible for the security of the network, including routing, switching, and perimeter network security via firewall systems and intrusion detection systems (IDS).
Magento is responsible for the security and availability of the Magento Commerce Cloud environment, the core Magento Commerce application code, and internal Magento systems.
Secure commerce experiences with control and visibility
Magento Commerce Cloud is designed to provide multiple layers of protection starting from the end-user's browser to the content delivery network, the payment integration, the cloud environment, and to the core Magento Commerce application. We work behind the scenes to help protect your stores and empower IT administrators with tools that help provide control and visibility. Our robust information security management framework is designed to help assess risks and to help build a culture of security at Magento.
Consumer traffic can be better secured by using HTTPS for all pages on the website (using either a shared SSL certificate or the customer's own SSL certificate for an additional fee).
Content Delivery Network (CDN) & DDoS Protection
The Fastly DDoS solution protects against highly disruptive Layer 3 and Layer 4 attacks, as well as more complex Layer 7 attacks.
Virtual Private Cloud
The Magento Commerce Cloud Pro production environment is configured as a virtual private cloud (VPC) so that all 3 production servers are isolated and have limited ability to connect in and out of the cloud environment.
Magento Commerce requires payment gateway integrations where credit card data is passed directly from the consumer’s browser to the payment gateway.
Magento regularly tests the core application code for security vulnerabilities. Patches for defects and security issues are provided to customers.
Read-Only File System
All executable code is deployed into a read-only file system image, which dramatically reduces the attack surface available to an intruder.
Compliant processes and technology architecture
Verifying compliance with generally accepted security practices can be an effective tool to assess a service provider’s dependability and reliability. Our security practices comply with the most widely accepted standards and regulations in the commerce technology industry such as PCI and SOC 2. Our independent third-party auditors test our controls and provide their reports and opinions — which we share with you whenever possible upon request.
Data privacy and protection
Whether you're concerned about your own data as a merchant or about your end users' data, we're committed to helping protect it.
When using our service, customers may process or store personally identifiable information (PII) about consumers or confidential data belonging to Magento customers. Protecting customer and consumer data is a critical obligation for Magento.
Magento is Privacy Shield self-certified, which is a European Commission-approved mechanism that enables the transfer of personal data from the European Union and Switzerland to the United States.
GDPR and CCPA
Customer success is our top priority. This includes helping to support our customers' compliance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).