TRUST CENTER  Certificates, the SOC 2 report, our policy library and DPA are available at compliance.commerce.ai →
Security & Trust Center

Security, privacy and compliance, documented.

auto-AGENTS™ is built and operated by Commerce.AI. This page summarizes our certifications, the controls in our security program, how customer data is handled, and how to obtain our reports, policies and Data Processing Agreement. For live status and downloadable evidence, visit our Trust Center.

Operated by Commerce.AI · founded 2016 · program monitored continuously (Sprinto)
Independently certified & compliant
SOC 2
SOC 2 · AICPA
ISO27001
ISO/IEC 27001
HIPAA
HIPAA · BAA
PCIDSS
PCI DSS
GDPR
GDPR
EU AIACT
EU AI Act
Certifications & attestations

Independently assessed against the frameworks your risk team uses.

Our compliance status is maintained and monitored in our Trust Center. Certificates, the current SOC 2 report and framework mappings are available there on request.

FrameworkScopeStatus
SOC 2Trust-services criteria for security, availability & confidentiality. SOC 2 report (2025) available under NDA.Compliant
ISO/IEC 27001Information Security Management System (ISMS) certification.Compliant
HIPAASafeguards for Protected Health Information; Business Associate Agreements available.Compliant
PCI DSSPayment Card Industry Data Security Standard for handling cardholder data.Compliant
GDPREU General Data Protection Regulation; DPA and SCCs available.Compliant
EU AI ActEU regulation on artificial-intelligence systems.Compliant
Request reports & certificates in the Trust Center ↗
a team reviewing security and compliance work
Independently audited and continuously monitored, by a named team that is accountable for it.
Security program

The controls we operate, 31 across six domains.

These controls are implemented and continuously monitored as part of our compliance program. Each is evidenced in the Trust Center; the summaries below describe what each domain covers.

Data security 4

  • Identity validation, access to critical systems requires approval by authorized personnel per role or individual need
  • Termination of access, logical access is revoked promptly when no longer required
  • Encryption of data at rest, cryptographic protection for all production databases holding customer data
  • Data backups, regular, integrity-verified backups meeting recovery objectives (RTO/RPO)

Network security 2

  • Limit network connections, production databases and SSH access are shielded from the public internet
  • Transmission confidentiality, standard encryption (HTTPS with TLS) keeps data confidential in transit

Product security 1

  • Situational awareness for incidents, records of security incidents, investigation and executed response plans, per policy

Endpoint security 4

  • Malicious-code protection, anti-malware on endpoints accessing critical servers or data
  • Full-disk / container encryption for critical endpoints
  • Session lock, auto screen-lock after 15 minutes of inactivity
  • Endpoint encryption & asset inventory maintained

Application security 3

  • Conspicuous link to privacy notice, current service information published and accessible
  • Secure system modification, procedures govern changes to the operating environment
  • Approval of changes, changes to production require documented approval

Corporate security & governance 17

  • Code of business conduct
  • Defined organizational structure
  • Roles & responsibilities communicated to staff
  • Competency screening for security roles
  • Personnel (background) screening before access
  • New-hire policy acknowledgement
  • Security & privacy awareness training
  • Periodic policy acknowledgement
  • Automated internal incident reporting
  • Customer incident-reporting assistance
  • Assigned cybersecurity & privacy responsibilities (ISO)
  • Segregation of roles & duties
  • Asset ownership assignment
  • Data governance, legal/regulatory register
  • New-hire security & privacy training records
  • Periodic training records monitored & retained
  • Inventory of endpoint assets
Control descriptions above are summarized from our published Trust Center. The authoritative, continuously-monitored list, with evidence, lives at compliance.commerce.ai.
Data handling

Encrypted in transit and at rest, minimized before storage.

How customer conversations are protected across their lifecycle, from ingress to storage and deletion.

01 · Encryption

TLS in transit, AES-256 at rest.

All data is transmitted over HTTPS with TLS and encrypted at rest with AES-256 on production databases. Production databases and administrative (SSH) access are isolated from the public internet, and keys are managed under our KMS. Backups are taken regularly and integrity-verified.

TLS
in transit (HTTPS)
AES-256
at rest
Data flowingress → store
IngressHTTPS · TLS RedactPII · PCI EncryptAES-256 Store + KMSkeys managed
Encrypted in transit and at rest
02 · Data minimization

PII redaction & PCI masking before storage.

Sensitive identifiers, names, account and card numbers, are redacted or masked so reviewers and downstream systems work on minimized transcripts. Card (PAN) data is handled to PCI DSS requirements. Customer conversations are not used to train shared models; retention windows are configurable.

PCI DSS
cardholder data
No
training on your data
Transcript · secure viewredaction on
Customer
Hi, this is Maria Alvarez, my account is 4821 0093.PII redacted
auto-AGENTS™
Thanks. To verify the card on file, can you read the last four digits?
Customer
Sure, it ends in •••• 1142, expiry ••/••.PCI masked
Minimized identifiers redacted · PAN masked · stored encrypted
03 · Residency & deployment

Deploy where your data must live.

auto-AGENTS™ can run in our managed, monitored cloud, inside your own VPC, or on-premises, with data residency options for regulated workloads. The same security controls apply across deployment models. Specific residency and deployment commitments are confirmed per contract.

Deployment modelssame controls
  • Managed cloud, multi-tenant isolation, monitored operations
  • Your VPC, single-tenant, deployed in your cloud account
  • On-premises, runs on your infrastructure
  • Region options, residency for regulated data (e.g. US / EU), confirmed per contract
Access · monitoring · accountability

Least-privilege access and documented accountability.

Identity, monitoring and record-keeping controls that keep access appropriate and actions attributable.

Identity & access

Approved, least-privilege access

Access to critical systems is granted by approval, per role or individual need, and revoked promptly on termination.

  • Role-based access with approval workflows
  • Timely deprovisioning on role change / exit
  • Segregation of duties across the organization
  • Endpoints encrypted with 15-minute session lock
Monitoring & response

Incident management

Security incidents are recorded, investigated and responded to under a defined policy, with reporting paths for staff and customers.

  • Documented incident-response procedure
  • Anti-malware on critical endpoints
  • Internal & customer incident-reporting channels
  • Continuous control monitoring (Sprinto)
People & governance

Trained, screened personnel

Staff are screened, acknowledge policies, and complete security & privacy training on hire and periodically.

  • Background & competency screening
  • New-hire & periodic security training records
  • Assigned cybersecurity & privacy ownership
  • Code of business conduct
colleagues working together in an office
Screened, trained people run the program, with least-privilege access and clear ownership.
AI governance

Governing the AI, not just the infrastructure.

Because auto-AGENTS™ operates AI agents on customer conversations, our program addresses AI-specific risk. Our AI systems are governed in line with the EU AI Act, with transparency, human oversight and risk-management practices built into how agents are deployed.

EU AI Act alignment

Our AI systems are governed in line with the EU AI Act, including transparency and risk-management practices for automated interactions.

Human oversight

Agents operate with configurable guardrails and escalation to a person; sensitive actions can require human approval.

No training on customer data

Customer conversations are not used to train shared models. Sensitive data is minimized before storage and retention is configurable.

Data governance

We maintain a register of legal, statutory and regulatory requirements relevant to information security and privacy, and assign asset ownership.

Privacy & data rights

Privacy commitments and processing terms.

How we act as a processor of customer data, and the documents available to support your own compliance.

Data Processing Agreement

A DPA, with EU Standard Contractual Clauses where applicable, is available to customers to govern processing of personal data.

Data-subject requests

We support customers in fulfilling GDPR / privacy rights, including access, correction and deletion of personal data.

Subprocessors

We maintain a current list of subprocessors used to deliver the service; it is available on request through the Trust Center / DPA.

Retention & deletion

Retention windows are configurable per customer, and data is deleted on request or at contract end per the DPA.

Privacy notice

Our current privacy practices are published and kept accessible. See the Privacy Policy.

Terms of service

Service terms govern use of auto-AGENTS™. See the Terms of Service.

Documentation

Reports & policy library.

Our internal policies and audit evidence are catalogued in the Trust Center. A sample is listed below; the full library (40+ policies) and the SOC 2 report are available to prospects and customers on request.

Report SOC 2 Report (2025)
Policy Acceptable Usage Policy
Policy Access Control Policy
Procedure Access Control Procedure
Policy Asset Management Policy
Procedure Asset Management Procedure
Policy Information Security Policy
Policy Incident Response Policy
Policy Business Continuity & Backup
Policy Data Governance & Retention
Policy Human Resources Security
Policy Change Management
Policy titles reflect our published Trust Center catalogue. Exact document set is provided under NDA. Request access at compliance.commerce.ai.
Regulated environments

Used by enterprises in regulated industries.

Commerce.AI has operated since 2016 across sectors including healthcare, retail and finance.

WalmartCoca-ColaMVP HealthcareUnileverPepsiCoSuzuki
HIPAA

Healthcare

BAAs, PHI minimization and encryption support patient intake, scheduling and member-service workflows within HIPAA boundaries.

PCI

Financial services

PCI DSS handling and live PAN masking keep card data out of transcripts during billing, collections and verification.

GDPR

EU & cross-border

GDPR compliance, a DPA with SCCs and EU AI Act alignment support European and cross-border deployments.

FAQ

Common questions.

Commerce.AI is compliant with SOC 2, ISO/IEC 27001, HIPAA, PCI DSS, GDPR and the EU AI Act. Certificates and the SOC 2 report are available through the Trust Center at compliance.commerce.ai.

Data is encrypted in transit over HTTPS/TLS and at rest with AES-256 on production databases. Production databases and SSH access are isolated from the public internet, and keys are managed under our KMS.

No. Customer conversations are not used to train shared models. Sensitive identifiers are redacted or masked before storage, and retention windows are configurable.

Yes. A HIPAA Business Associate Agreement and a GDPR Data Processing Agreement (with Standard Contractual Clauses where applicable) are available to customers.

Request access through the Trust Center at compliance.commerce.ai for the SOC 2 report, certificates, policies and subprocessor list. Send security questionnaires to your account contact and we will respond with documented evidence.

auto-AGENTS™ can be deployed in our managed cloud, your VPC or on-premises, with regional data-residency options for regulated workloads. Specific residency and deployment terms are confirmed per contract.

Trust Center

Reports, certificates, policies and our DPA, in one place.

Request access to evidence for your security review, or send us your questionnaire.