Security

Defence in depth, least privilege, encryption everywhere. Here's how we protect your data — and how to reach us responsibly if you think something isn't right.

Our security posture

Kommercio holds distributor operational data — customers, suppliers, orders, invoices, and payment records. We treat that data as the kind of thing we would want protected on our own behalf, because we run our own distribution business on this platform every day.

Our approach rests on three principles: defence in depth (multiple independent layers of control so a single failure doesn't compromise your data), least privilege (nobody, internal or external, gets access they don't operationally need), and encryption everywhere (at rest, in transit, in backup, no exceptions).

Infrastructure

We host in EU and US datacentres operated by providers holding current ISO 27001 and SOC 2 Type II certifications. Physical access to the underlying hardware is managed and audited by the datacentre operator under those certification regimes.

All public traffic is served over TLS 1.3 with modern cipher suites. We avoid TLS 1.2 fallback wherever the browser landscape permits. HSTS is enforced on all Kommercio-operated domains. Automated patching applies security fixes within 24 hours of a vendor advisory; critical vulnerabilities are triaged and patched faster where the risk profile demands it.

Network segmentation isolates database, application, and admin tiers. Inbound traffic is filtered at the edge and again at each tier. Outbound traffic from application workloads is restricted to the specific endpoints required for operation.

Application security

Authentication for the admin panel is passkey / WebAuthn — fully passwordless, phishing-resistant, tied to a device you physically hold. Where legacy password auth remains in the migration path, passwords are hashed using a modern memory-hard algorithm with per-user salts and are never logged.

Multi-tenant isolation is enforced at the database layer with row-level security (RLS) on every tenant table. Cross-tenant access is architecturally impossible at the query layer, not merely prevented at the application layer — meaning a bug in application code cannot leak data from one tenant to another.
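The database-layer isolation described above, as an added example written for this page rather than taken from Kommercio's own schema or code: a PostgreSQL row-level security setup on an assumed `orders` table, with an assumed `app_user` role and an assumed `app.tenant_id` session setting carrying the current tenant.

```sql
-- Added illustration, not Kommercio's own schema: PostgreSQL row-level
-- security on a hypothetical tenant-scoped orders table.
CREATE TABLE orders (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid    NOT NULL,
    customer    text    NOT NULL,
    total_cents integer NOT NULL
);

-- Constructed sample rows for two tenants, loaded as the table owner
-- before RLS is switched on.
INSERT INTO orders (tenant_id, customer, total_cents) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Tenant A customer', 1500),
    ('22222222-2222-2222-2222-222222222222', 'Tenant B customer', 9900);

-- The application connects as a role that neither owns the table nor
-- carries BYPASSRLS, so policies can never be skipped for it.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON orders TO app_user;
GRANT USAGE, SELECT ON SEQUENCE orders_id_seq TO app_user;

ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the owner too, closing the gap where
-- migrations and application traffic share one role.
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- A row is readable (USING) and writable (WITH CHECK) only when its
-- tenant_id equals the tenant bound to the session. The 'true' argument
-- makes a missing setting yield NULL, so an unscoped session sees nothing
-- rather than everything.
CREATE POLICY tenant_isolation ON orders
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Simulate the application serving tenant A: bind the session, then run a
-- query whose WHERE tenant_id clause was forgotten. Only tenant A's row
-- is returned; the boundary is enforced by the database, not the query.
SET ROLE app_user;
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', false);
SELECT customer, total_cents FROM orders;

-- Writing a row tagged with another tenant fails the WITH CHECK clause
-- and is rejected, so a confused application cannot plant data either.
INSERT INTO orders (tenant_id, customer, total_cents)
VALUES ('22222222-2222-2222-2222-222222222222', 'Misrouted order', 100);
RESET ROLE;

-- Periodic check: the application role must never appear in this result.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

The guarantee only holds while the application role is neither a superuser, nor the table owner without FORCE, nor marked BYPASSRLS, which is why the final query belongs in a recurring configuration check rather than a one-off review.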

We test against the OWASP Top 10 on every release. A strict Content Security Policy is enforced on admin panels and storefronts. CSRF tokens protect every state-changing action. Rate limiting and anomaly detection sit on authentication endpoints, with automatic lockout and notification on suspicious patterns. All admin actions are logged to an append-only audit trail.

Data protection

Customer data is encrypted at rest with AES-256. All data in transit uses TLS 1.3. Backups are encrypted with separate keys from the primary data encryption keys. Key management is automated with scheduled rotation.

Automated backups run daily with 30-day retention. Backup integrity is verified continuously, and full restore tests are performed quarterly against a separate environment. This is tested, not theoretical — if we needed to recover from complete loss today, we have rehearsed it this quarter.

Engineer access to production data is least-privilege and break-glass: day-to-day operations require no access to customer data. Break-glass access for incident response is logged, auditable, and time-limited, with a second-person approval requirement for sensitive operations.

Compliance & process

Kommercio is UK GDPR and EU GDPR compliant. Our Privacy Policy and GDPR page set out the full detail, including the list of sub-processors and the transfer mechanisms where data leaves the UK/EEA.

Vulnerability disclosure follows a 90-day coordinated disclosure model. Report findings to security@kommercio.io; we respond within one working day and commit to a fix timeline appropriate to severity.

An independent CREST-accredited penetration test is planned for Q3 2026 to provide third-party assurance. Findings and remediation status will be summarised in this page as the programme matures.

All staff with access to production infrastructure complete background checks and ongoing security training. Access is tied to identity and multi-factor authentication, with least-privilege IAM applied across all cloud environments.

Responsible disclosure

If you have found a security issue, please report it to security@kommercio.io. Include the details needed to reproduce and an indication of the impact.

We ask researchers to:

In return, we commit to: