Third-Party Subprocessors

Date of Last Revision: May 8, 2024

When acting as a processor on behalf of merchants in providing ecommerce Services, BigCommerce and its affiliates[1]

may engage the following third-party subprocessors.[2] These subprocessors may process certain types of personally identifiable information (PII) associated with shoppers that interact with merchant storefronts.

Name

Processing Activity

Purpose of Processing

Default Location

Additional Information

Amazon

Analytics

Online store metrics

USA

Trace PII

Atlassian

Office productivity and communication

Process/project management and product support

USA, Australia

Trace PII[3]

Cloudflare

DDoS mitigation, threat detection, and CDN

DDoS protection, digital threats monitoring, and accelerated content delivery

USA, with globally decentralized CDN

Trace PII

Confluent

Analytics data pipeline

Infrastructure management, data piping between systems that lack native integrations

USA

Merchants can eliminate by turning off BC analytics

Google

Hosting, platform functionality, and office productivity

Infrastructure hosting, document management, and communications

USA, Germany, or Australia

All platform PII, including all identifiers noted in the BigCommerce TOS

Sentry I/O by Functional Software

Performance improvement, error logging, and troubleshooting

Error monitoring for BigCommerce application and infrastructure Services

USA

Trace PII





Snowflake

Data warehouse

Internal analytics warehouse

USA

Trace PII



[1] All BigCommerce affiliates are bound by the BigCommerce DPA. Any PII processed by, or transferred between, BigCommerce affiliates is further subject to the internal protections of an intra-group data transfer agreement (IGA), which has been signed by all BigCommerce affiliates and requires substantially the same level of data protection as that provided to merchants under the BigCommerce DPA.

[2] As set forth in the BigCommerce DPA, BigCommerce does not transfer any PII to subprocessors without: (i) a security assessment, (ii) a privacy assessment, including an assessment of transfer impact; and (iii) a data protection agreement that requires substantially the same level of data protection as that provided to merchants under the BigCommerce DPA.

[3] Trace PII may include data such as a single transaction number or IP address that is not ordinarily processed in association with other identifiers. Although such data may not in itself constitute PII, BigCommerce generally treats such data as PII out of an abundance of caution unless or until it has been fully deleted, anonymized, or deidentified.