Data Security

This article is an overview of Commerce7's data security including data we store and how we store it.

At Commerce7, we place a high importance on data security. We understand that protecting your information is crucial. Below, you will find the answers to your data security questions, providing you with the assurance you need.

Where is Commerce7’s data stored?

All of Commerce7’s data is stored in Amazon Web Services (AWS)

What specific pieces of customer information is Commerce7 storing?

The following customer data is stored by Commerce7;

  • Name
  • Birthdate
  • Address
  • Phone Number
  • IP Address
  • User Agent
  • Purchase History
  • Credit Card Tokens

Commerce7 does NOT store credit card information (we only store the token).

    How is customer data stored?

    Commerce7 uses Amazon’s Aurora Database and DynamoDB. All data is encrypted at Rest.

    What protection measures do we have in place around these databases?

    Only 3 individuals in Commerce7 have access to these databases. Database keys are stored in an AWS vault. We have a large test suite that runs on deploy, we do regular security scans. Aurora Databases are with-in a virtual private network (VPC) in AWS, only accessible over VPN for 3 individuals, VPN logging, Aurora Insights Logging, and AWS Cloud Trail record all activity.

    What other privacy measures have been put in place? 

    Security is talked about with all staff members.  It's part of onboarding and part of regular training and staff meetings.  Everything is logged. Last 20 edits are stored.  Items deleted are stored in trash. No shared username/passwords. Our security within the platform requires only admin/owners to invite additional users (Accounts), and all admin/owners receive notification upon new invites. Commerce7 staff can't send account invites on your behalf.

    With GDPR & CCPA compliance laws, what additional measures is Commerce7 taking for customers that have CA or EU addresses? 

    We treat all customer data the same.  Customers have the right to know what we store (and we make it easy to retrieve that data) and customers have a right to be deleted (we make that easy).  We are the first wine platform to allow for things like the canceling of membership online.


    1. How often does Commerce7 conduct site security audits?
      Commerce7 does this quarterly.
    2. Is Commerce7 PCI compliant?
      Yes. Commerce7 is Level 1 PCI compliant (which is the highest possible level).
    3. Does Commerce7 set limits to Order quantity/value?
      We allow for quantity limit but not Order limit. We'd suggest to wineries to review this.
    4. Does Commerce7 manually review Orders over a certain quantity/value? 
      No. This action would be the responsibility of the winery.
    5. Does Commerce7 use IP fraud scoring tools?
      We are actively building in NoFraud tools which will come at a cost to the winery.
    6. Does Commerce7 detect IP addresses linked to past fraud?
      Yes. Commerce7 does this.
    7. Does Commerce7 use Hypertext Transfer Protocol Secure (HTTPS)?
      Yes. Commerce7 does this.
    8. Does Commerce7 encrypt data such as credit card numbers?
      Yes. Commerce7 encrypts database data and does not store credit cards (just tokens).
    9. Does Commerce7 use open source databases to help verify information provided by Customers?
      No. Commerce7 does not do this.
    10. Does Commerce7 use a "blocklist" to block previously ID'd fraud info? 
      While Commerce7 does not provide one to wineries, we do block people internally.
    11. Does Commerce7 use an Address Verification System (AVS) - (Require matching billing/shipping addresses or at least manually review these orders)?
      Wine is so heavily gifted (over 40% of shipping Orders on Commerce7 have shipping address not matching credit card) that AVS would have a huge negative impact on sales. Instead we require CW (see below).
    12. Does Commerce7 require the Card Verification Value (CW) for purchases?
      Yes. Commerce7 does this.
    13. Does Commerce7 contribute info to the "Wine Fraud Group"?
      No. Commerce7 is not part of this.