When acting as a processor on behalf of merchants in providing ecommerce Services, BigCommerce and its affiliates[1]
may engage the following third-party subprocessors.[2] These subprocessors may process certain types of personally identifiable information (PII) associated with shoppers that interact with merchant storefronts.
Name
Processing Activity
Purpose of Processing
Default Location
Additional Information
Amazon
Analytics
Online store metrics
USA
Trace PII
Atlassian
Office productivity and communication
Process/project management and product support
USA, Australia
Trace PII[3]
Cloudflare
DDoS mitigation, threat detection, and CDN
DDoS protection, digital threats monitoring, and accelerated content delivery
USA, with globally decentralized CDN
Trace PII
Confluent
Analytics data pipeline
Infrastructure management, data piping between systems that lack native integrations
USA
Merchants can eliminate by turning off BC analytics
Hosting, platform functionality, and office productivity
Infrastructure hosting, document management, and communications
USA, Germany, or Australia
All platform PII, including all identifiers noted in the BigCommerce TOS
Sentry I/O by Functional Software
Performance improvement, error logging, and troubleshooting
Error monitoring for BigCommerce application and infrastructure Services
USA
Trace PII
Snowflake
Data warehouse
Internal analytics warehouse
USA
Trace PII
[1] All BigCommerce affiliates are bound by the BigCommerce DPA. Any PII processed by, or transferred between, BigCommerce affiliates is further subject to the internal protections of an intra-group data transfer agreement (IGA), which has been signed by all BigCommerce affiliates and requires substantially the same level of data protection as that provided to merchants under the BigCommerce DPA.
[2] As set forth in the BigCommerce DPA, BigCommerce does not transfer any PII to subprocessors without: (i) a security assessment, (ii) a privacy assessment, including an assessment of transfer impact; and (iii) a data protection agreement that requires substantially the same level of data protection as that provided to merchants under the BigCommerce DPA.
[3] Trace PII may include data such as a single transaction number or IP address that is not ordinarily processed in association with other identifiers. Although such data may not in itself constitute PII, BigCommerce generally treats such data as PII out of an abundance of caution unless or until it has been fully deleted, anonymized, or deidentified.