Third-Party Subprocessors
Date of Last Revision: July 31, 2025
When acting as a processor on behalf of merchants in providing ecommerce Services, Commerce.com and its affiliates1 may engage the following third-party subprocessors.2 These subprocessors may process certain types of personally identifiable information (PII) associated with shoppers that interact with merchant storefronts.
Name
Processing Activity
Purpose of Processing
Corp HQ
Additional Information
Amazon
Analytics
Online store metrics
USA
Trace PII
Atlassian
Office productivity and communication
Process/project management and product support
USA, Australia
Trace PII3
Cloudflare
DDoS mitigation, threat detection, and CDN
DDoS protection, digital threats monitoring, and accelerated content delivery
USA, with globally decentralized CDN
Trace PII
Confluent
Analytics data pipeline
Infrastructure management, data piping between systems that lack native integrations
USA
Merchants can eliminate by turning off analytics
Hosting, platform functionality, and office productivity
Infrastructure hosting, document management, and communications
USA, Germany, or Australia
All platform PII, including all identifiers noted in the Commerce Master Services Agreement
Sentry I/O by Functional Software
Performance improvement, error logging, and troubleshooting
Error monitoring for Commerce.com application and infrastructure Services
USA
Trace PII
Snowflake
Data warehouse
Internal analytics warehouse
USA
Trace PII
The Functionary
Support
Technical support for merchants who are having issues with the Commerce.com application
El Salvador
Platform PII, as needed based on support needs
Sysdig
Security
Environment and log monitoring for Commerce.com application and infrastructure
North America
Trace PII
Sumo Logic
Security
Log collection, alerting, and monitoring for security alerts concerning Commerce.com, Commerce.com applications and infrastructure
North America
Trace PII
Relyance AI
Privacy
Automated Personal Data Mapping and generation of privacy documentation
North America
Trace PII
ServiceNow Cloud Observability
Platform observability, Security
Telemetry and log collection for monitoring platform services
USA
Trace PII
Teleport (Gravitational Inc)
Platform observability, Security
Platform administration and access management
USA
Trace PII
EPAM
Development
Infrastructure development resources
Mexico, Brazil, Georgia, Poland, Spain, Columbia, USA
Trace PII
1 Each Commerce Entity is bound by theCommerce.com DPA.Any PII processed by, or transferred between, Commerce affiliates is further subject to the internal protections of an intra-group data transfer agreement (IGA), which has been signed by all Commerce.com affiliates and requires substantially the same level of data protection as that provided to merchants under the Commerce.com DPA.
2As set forth in theCommerce.com DPA,a Commerce Entity does not transfer any PII to subprocessors without: (i) a security assessment, (ii) a privacy assessment, including an assessment of transfer impact; and (iii) a data protection agreement that requires substantially the same level of data protection as that provided to merchants under the Commerce.com DPA.
3‘Trace PII’ may include data such as a single transaction number or IP address that is not ordinarily processed in association with any other identifiers. Although such data may not in itself constitute PII, each Commerce Entity ordinarily treats such data as PII out of an abundance of caution unless or until it has been fully deleted, anonymized, or deidentified.
© 2025 Commerce LLC. All rights reserved.