Every day, merchants trust Magento with their most important commerce data and we seek to maintain that trust through our commitment to privacy.
Using our service, customers may use or store either personally identifiable information (PII) on consumers or confidential data from Magento customers. Protection of customer and consumer data is a critical obligation for Magento broadly and in the context of Magento Commerce specifically. Both Magento and our customers have legal obligations around personally identifiable information. In addition to the security features of the architecture, there are other controls to limit the distribution of and access to personal and/or confidential data.
Customers own their data and have control over where that data will be located. The customer specifies the location where their production and development instances reside. They also specify which location will be used for the Magento Business Intelligence (MBI) environment used in conjunction with Magento Commerce Cloud and whether that MBI application has access to personally identifiable information. Production instances can be located in most AWS Regions, while development and MBI environments can be located in either the United States or the European Union at this time. Customer web content such as static images, media files and web pages may pass through the Fastly CDN server network but is not stored in the Fastly network. All partners included in the Magento Commerce offering have contractual obligations to ensure the protection of customer and/or consumer data. Magento will not move customer or consumer personal data from the locations specified by the customer.
As part of providing the services included in Magento Commerce Cloud, Magento staff need to access the production systems that contain important data. These employees are trained to securely handle and protect customer and consumer data. Access to these systems is limited to employees who require it to perform their job functions. These employees have access to the data only for the time needed to deliver the services required to provide the Magento Commerce Cloud offering.
Customer success is our top priority. This includes helping to support our customers’ compliance with the General Data Protection Regulation (GDPR). Magento has published our data processing agreement (“DPA”), affirming Magento’s commitment to privacy, GDPR compliance and to customers. In connection with providing Services to our customers, the DPA amends all existing commercial agreements with customers and sets forth our obligations around the handling of EU individual personal data. All future commercial agreements with customers will also carry these same Magento obligations. One of these obligations is sharing the identity of the third-party subprocessors who assist the Company with providing Services to customers. The current list of these subprocessors is available here.
To assist merchants with their GDPR compliance efforts, Magento has made data mappings available for the Magento software, so you are able to identify where information is stored in our application. These mappings are available for Magento 1.x and Magento 2.x and cover Magento Commerce Cloud, on-premise, and Magento Open Source.
See this full list of FAQs.
Additional information about the GDPR is available on the European Commission’s website.