
Building and Validating Trust in Every Transaction. Your Data. Our Priority.

Fluent Commerce Trust Center: Security, Compliance, and Assurance

Our Foundational Commitment to Trust

Protecting your data across Confidentiality, Integrity, Privacy, and Availability, validated by continuous third-party assurance.

At Fluent Commerce, trust is our priority. The cloud-native, enterprise-grade Fluent Order Management System (OMS) is built to meet and exceed global security standards. Our comprehensive Information Security Program is based on a risk-based framework and a dedicated Information Security Management System (ISMS) to protect the Confidentiality, Integrity, Privacy and Availability of your data. We maintain a layered approach to security controls, validated through continuous third-party audits and assessments (SOC 2 Type 2, SOC 3 and the EU's NIS 2.0), and we embed security into every stage of our operations.

Independent Attestation and Global Compliance Assurance

Our security posture is validated through rigorous, independent third-party audits and continuous testing against recognized global frameworks.

  • Certifications & Attestations
    • SOC 2® Type 2: Our commitment to trust is validated by a rigorous, attested SOC 2 Type 2 report. This 12-month audit was conducted by Coalfire, a highly respected independent third-party assurance provider, confirming our controls across the key domains of Security, Availability, Privacy, and Confidentiality.
      The full report is available to clients under a non-disclosure agreement (NDA) via the Trust Center Portal.
    • SOC 3®: A publicly available general-use report, aligned with SOC 2 requirements, is available here. This report offers public transparency into Fluent Commerce’s control environment.
  • Regulatory Compliance
    • GDPR Compliance: We are fully aligned with the EU’s General Data Protection Regulation (GDPR) and have data protection controls in place to support customer compliance with major privacy laws. Fluent Commerce acts as a data processor (including under GDPR), processing Client Data in accordance with the Data Privacy Addendum (or any other similar DPA entered into with a client).
    • EU’s NIS 2.0: We are currently undergoing a readiness assessment for compliance with the EU’s NIS 2.0 directive, with a target for compliance by June 2026. A summary report of this assessment is available under an NDA via the Trust Center Portal.
  • Continuous Assurance
    • Penetration Testing: Fluent Commerce partners with Rapid7, an independent third-party penetration testing firm, to conduct annual penetration tests and to identify and remediate potential vulnerabilities in our platform and network. Rapid7 tests our web applications using the OWASP Testing Methodology. A summary report of this assessment is available under an NDA via the Trust Center Portal.

Platform Security: From Code to Cloud

Security is Built-In: Our secure-by-design approach is embedded in every part of our platform, from code to deployment.

  • Secure Development Lifecycle (SDLC): We implement security-by-design practices throughout our development process, which includes peer-reviewed code, automated testing, and integrating security controls into our CI/CD pipelines.
  • Vulnerability Management: Fluent Commerce runs a robust vulnerability management program that is embedded in our SDLC. We continuously scan production containers and code, and remediate findings through a well-defined patch management cycle with SLAs based on severity. We also use static application security testing (SAST) tools to detect vulnerabilities and enforce secure coding practices.
  • Change Management: All changes to our production environment are managed through a formal change control process to minimize risk.
  • GraphQL & REST APIs: Fluent Commerce provides a flexible API landscape with support for both GraphQL and REST APIs. Our robust REST APIs are ideal for traditional integrations, while our GraphQL API gives you the flexibility to query exactly the data you need. This dual-API approach enables seamless, efficient integrations and gives you granular control over your platform data.
  • Incident Response: We regularly test our Business Continuity Plans (BCP), Disaster Recovery Plans (DRP), and Incident Response Plans (IRP). Our dedicated Security Incident Response Team (SIRT) is prepared to respond to any security events with a focus on containment, eradication, and recovery.

Data Protection and Access Controls

We prioritize the protection of your data and provide robust controls to manage access to your environments.

Data Encryption

All customer data (including backups) is encrypted both in transit (TLS 1.2+) and at rest (AES-256 or higher) using industry-standard protocols to ensure its confidentiality and integrity.

Data Protection

We provide both multi-tenant and dedicated single-tenant environments, with isolated production environments to ensure data is not shared across customers. Each client operates within isolated databases and environments to prevent data leakage.

Access Control

We apply the principle of least privilege through Role-Based Access Control (RBAC), ensuring that access to production environments is strictly limited and granted based on business need.

Single Sign-On (SSO) Support

We support SSO to provide a streamlined, secure authentication experience. By integrating with your corporate identity provider, SSO enables users to access the Fluent Commerce platform with their existing credentials, enhancing convenience and strengthening security.

Architecture & Scalability

Our platform is built on a flexible and resilient architecture that offers you choice and control over data and infrastructure.

  • Data Sovereignty and Multiple Cloud Providers: Fluent Commerce offers flexible data storage, supporting a region of your choice to meet your data sovereignty and residency requirements. Our platform provides hosting across two of the biggest global cloud providers, Amazon Web Services (AWS) and Google Cloud, giving you flexibility.
  • Multi and Single-Tenancy: We offer both multi-tenant and single-tenant environments to suit a variety of customer needs. Both options are fully supported with our SSO capabilities for a secure and streamlined user experience.

Operational Resilience & Disaster Recovery

We guarantee platform reliability through a fully redundant, multi-regional architecture and continuously tested recovery plans.

Resilient BCP and DRP practices: Our Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) are comprehensive and designed to ensure operational resilience. We have a clearly defined Recovery Point Objective (RPO) and Recovery Time Objective (RTO), customisable to customer requirements, that apply even in the event of a full regional cloud outage. Our backups are encrypted and tested at least annually.

Multiple Regional Data Centers: Our infrastructure is hosted on resilient cloud infrastructure across multiple availability zones (at least 3 data centres) to ensure elastic scalability and fault tolerance, allowing us to provide industry-leading RTOs, RPOs, and an Uptime SLA of >99.95%.


Cloud Availability Zones - DR

Ready to view our full documentation?

For a detailed overview of our security controls and compliance posture, please visit our Security Trust Center Portal.
