General Data Protection Regulation (GDPR)

On 25 May 2018, the European data protection legislation came into force. The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across Europe, regardless of where that data is processed.

Storm Commerce is committed to GDPR compliance across our services. We are also committed to helping our customers with their GDPR compliance journey by providing robust privacy and security protections built into our services and contracts over the years. In connection with the introduction of GDPR, we will introduce some new tools in Storm Admin intended to help our customers comply with GDPR.

What are your responsibilities as a customer?

Storm Commerce customers will act as the data controller for any personal data they provide to Storm in connection with their use of our services. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Storm Commerce is a data processor and processes personal data on behalf of the data controller when the controller is using Storm.

Data controllers are responsible for implementing appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimization, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.

Storm Commerce’s Commitments to the GDPR

Among other things, data controllers are required to only use data processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR. Here are some aspects you may want to consider when conducting your assessment of the Storm services.

Data Protection Commitments

Data Processing Agreements

Our data processing agreements for Storm Commerce clearly articulate our privacy commitments to customers. The agreements are based on an Industry standard from Swedish Software, an Industry Association, and they now reflect the GDPR.

Processing According to Instructions

Any data that a customer and its users put into our systems will only be processed in accordance with the customer’s instructions.

Personnel Confidentiality Commitments

All Storm Commerce employees are required to sign a confidentiality agreement and complete mandatory confidentiality and privacy trainings, as well as our Code of Conduct training. Storm Commerce Code of Conduct specifically addresses responsibilities and expected behavior with respect to the protection of information.

Privacy sensitive information

Highly sensitive information from a privacy perspective is not allowed to be stored in Storm systems. This could be, but not limited to, medical data, sexual preference, political views or ethnical origin.

Use of Subprocessors

Storm Commerce directly conduct the majority of data processing activities required to provide the Storm services. However, we do engage some third-party vendors to assist in supporting these services. Each vendor goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy. We make information available about Storm Commerces´ subprocessors supporting Storm services, as well as third-party subprocessors involved in those services, and we include commitments relating to subprocessors in our current and updated data processing agreements.

Security of the Services

According to the GDPR, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Storm operates global infrastructure designed to provide state-of-the-art security through the entire information processing lifecycle. This infrastructure is built to provide secure deployment of services, secure storage of data with end-user privacy safeguards, secure communications between services, secure and private communication with customers over the Internet, and safe operation by administrators.

Availability, Integrity, and Resilience

Storm Commerce design the components of our platform to be highly redundant. In the event of hardware, software, or network failure, services are automatically and instantly shifted from one facility to another so that operations can continue without interruption. Our highly redundant infrastructure helps customers protect themselves from data loss.

Storm Commerce conducts disaster recovery testing on a regular basis to provide a coordinated venue for infrastructure and application teams to test communication plans, fail-over scenarios, operational transition, and other emergency responses. All teams that participate in the disaster recovery exercise develop testing plans and post mortems which document the results and lessons learned from the tests.

Storm uses encryption to protect data in transit and at rest. Data in transit to Storm is protected using HTTPS, which is activated by default for all users. Storm services encrypt customer content stored at rest, without any action required from customers, using one or more encryption mechanisms.

Access Controls

For Storm Commerce employees, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Storm’s security policies.

Data Return and Deletion

Administrators can export customer data, via the functionality in Storm Admin, at any time during the term of the agreement. When Storm services receives a complete deletion instruction from you, Storm services will delete the relevant customer data from its systems unless retention obligations apply. It is upon the Data Controllers responsibility to ensure that no integration services will regenerate the data that the deletion instruction will remove. This is usually achieved by formulating a process policy which deletes the information in the right sequence.

Assistance to the Controller

Data Subject’s Rights Data controllers can use Storm services functionality to help access, rectify, restrict the processing of, or delete any data that they and their users put into our systems. This functionality will help them fulfill their obligations to respond to requests from data subjects to exercise their rights under the GDPR.

Data Protection Team

Storm Commerce customers have a dedicated team where data protection related enquiries can be directed.


Storm Commerce have provided contractual commitments around incident notification. We will continue to promptly inform you of incidents involving your customer data in line with the data incident terms in our current agreements and the updated terms that will apply from 25 May 2018, when the GDPR comes into force.