This guide provides an overview of the robust security measures implemented by VTEX. In the following sections, discover how our platform handles authentication, access control, logging, attack protection, and incident response. We also introduce our security certifications and VTEX Shield, an add-on solution designed to further enhance store protection.

VTEX regularly audits its information security controls through independent professionals to ensure transparency and excellence in its practices. This external validation aligns policies and procedures with security standards and strengthens trust with customers and partners.

At the application layer, VTEX has the following accreditations:

• ISO 27001 – Information Security Management System
• SOC 1 – Type 2: Reports covering internal controls over financial reporting systems
• SOC 2 – Type 2: Reports covering security, availability, integrity, confidentiality, and privacy
• PCI – Validation of controls around cardholder data to reduce credit card fraud

See our Certifications for more details.

At the data storage layer, AWS has several certifications for its data centers, including ISO 27001, FedRAMP authorization, PCI certification, and SOC reporting. For more information on AWS's commitment to data protection, go to Data Protection and Privacy at AWS.

To access information within a VTEX account, authentication is required, along with the necessary permissions. The authentication flow ensures verified and authorized access by requiring valid credentials in the following scenarios:

• Logging in to the VTEX Admin or to the store website
• Developing apps or integrations

By default, VTEX adopts logical segregation for each account's data, isolating it from other accounts. This means there is no integrated method for accessing data that crosses account boundaries, even for internal VTEX use. For more details, see the Logical separation section of our Cloud infrastructure guide.

Two-factor authentication (2FA) is mandatory for users to access the VTEX Admin with email and password. There are two options for two-factor authentication:

• Using a key generated by an authentication app.
• Using a key sent by SMS.

If an Admin user has not set up 2FA, when they try to access the Admin using their email and password, a prompt requiring 2FA configuration will be displayed.

This requirement only applies to email and password logins, not to other login methods such as Google, Facebook, or access code. Learn more in Enabling two-factor authentication login.

VTEX Admin and store passwords have the following requirements:

• Minimum length of 8 characters.
• 6-digit MFA (multi-factor authentication) token.
• Minimum of 1 uppercase character.
• Minimum of 1 digit.
• Minimum of 1 special character.
• Can’t repeat the last 4 passwords.

Merchants can choose to enforce password expiration after a specific period for Admin users, which can be 15, 30, or 90 days.

Merchants can also choose to integrate an external identity provider, allowing them to define their own customized password policies. See Login integrations for more information.

In the event of account lockout due to multiple incorrect password attempts, legitimate users can still log in using other methods, such as receiving a token via email or using an integrated social login (Google or Facebook), thus avoiding possible brute force exploits of weak passwords.

Native login integrations are available for Facebook (webstore) and Google (webstore and VTEX Admin). Learn more in the Configuring login with Facebook and Google documentation.

Single sign-on (SSO) is supported with integration options for external identity providers on both the Admin and store website.

The Admin uses the SAML 2.0 authentication protocol, enabling VTEX customers to integrate existing identity providers that support this standard. For the store website, integration with external identity providers is done using the OAuth 2.0 protocol.

VTEX efficiently manages logical access, ensuring precise control and monitoring of access permissions for systems and data. Our practices adhere to security policies, including measures like the principle of least privilege and segregation of duties. Users are granted access only to that which is strictly necessary for their roles, reducing the risk of exposing sensitive information and bolstering the security of systems and data.

Every interaction with our platform, whether it is accessing a page in the Admin or making an API call, involves a request to our infrastructure. License Manager is the system that ensures the security of these operations by verifying that a user or application key has the necessary permissions to perform actions on the platform. To simplify permission management, it is based on roles and resources.

A resource is an entity associated with an action or information within our infrastructure. For example, the View order resource allows a user to view the Order Details page in the Orders module. For details on each available resource, see License Manager resources.

A role determines the set of resources that a group of users can access on VTEX. Each administrative user can be associated with one or more roles. When creating a new role, you have the option of using one of the predefined roles provided by VTEX or creating a customized one by selecting each required resource.

See below an example access control structure:

Learn more about how to effectively manage user roles and permissions in Best practices for secure user management.

All operations on the platform are automatically logged. Platform errors are logged in SIEM (Security Information and Event Management) software, accessible to the VTEX team for product analysis and improvement purposes.

VTEX actively monitors application and infrastructure logs for patterns indicative of potential security risks, issuing alerts and implementing countermeasures upon detection. To maintain the privacy and security of our customers and ensure compliance with regulations, VTEX does not grant access to its internal systems.

For merchant access, our services record various operations, including their authors and timestamps, in Audit, a tool available in the VTEX Admin for searching and investigating store history using filters.

Explore the list of events available in Audit. If necessary, merchants can also request specific event logs from Support.

VTEX uses a comprehensive approach to mitigate ransomware attacks, employing measures such as advanced antivirus, firewalls, and content filters to block malware. Our platform includes protection against DDoS (Distributed Denial of Service) attacks and other threats. Learn more in our Security FAQ.

We maintain regular backups of critical data, ensuring the ability to restore information without having to accept criminal demands. Security updates and awareness training for employees are priorities, along with constant monitoring of activities for suspicious behavior. These measures combined form a robust defense against the growing threat of ransomware.

In addition to the standard protection measures implemented by VTEX, clients have the option of reinforcing the security of their stores by adding a Web Application Firewall (WAF) through VTEX Shield. The WAF offers an additional layer of protection, helping to filter and block malicious traffic before it reaches the store.

Secure Sockets Layer (SSL) is a protocol designed to increase the security of data transmitted over the internet. SSL connections are particularly recommended for sending information such as credit card numbers, passwords, and any other sensitive information over the internet.

VTEX generates an SSL certificate for your store and guarantees its automatic renewal – there is no need to request the purchase of an SSL certificate for the store. The certificate is issued via Let's Encrypt and its creation is VTEX's responsibility at the time of the store's go-live. Learn more in Security certificate (SSL).

Our Security team regularly performs vulnerability checks, including recurring scans and penetration tests. Merchants interested in conducting penetration tests on their stores must acquire VTEX Shield and follow the procedures outlined in the Penetration tests and vulnerability notifications guide.

Merchants are encouraged to share the pentest reports and vulnerability notifications with VTEX, allowing our Security team to promptly address any potential issues identified.

While VTEX Shield is mandatory for conducting penetration tests and sharing the results with our Security team, reporting vulnerabilities does not require VTEX Shield. Vulnerabilities will be assessed as long as they are reported in accordance with the procedures outlined in Reporting vulnerabilities.

VTEX has a formal protocol for security incident response that covers the essential stages of the process: preparation, incident identification, containment, eradication, recovery and post-incident. This procedure also includes an integrated communication plan that is applied at all stages of the response. Learn more in our Security Practices document.

VTEX has a disaster recovery plan focused on ensuring operational continuity and the availability of critical resources in emergency situations. This plan is tested at least once a year to ensure its effectiveness. It covers detailed guidelines on how to act in the face of unplanned incidents, characterized as crises, which can arise from natural disasters, cyber attacks, or any other disruptive events.

We incorporate crucial recovery steps, including defining our standard RPO (Recovery Point Objective) and RTO (Recovery Time Objective) objectives, as well as carrying out backup tests, ensuring the plan's effectiveness and readiness in real scenarios.

Learn more about our standard RPO and RTO in the Security FAQ – you must have access to an account’s Admin to view this information.

With a business continuity plan, we address challenges arising from emergencies, ensuring a smooth transition and minimizing impacts. This plan establishes a solid foundation for resuming normal operations quickly and effectively, regardless of the nature of the emergency. Learn more in our Security Practices document.

VTEX Shield is an add-on product that offers supplementary, customizable protection layers for stores that prioritize platform resilience and the security standards guaranteed by VTEX's existing security certifications and practices.

When requesting VTEX Shield, you can choose from the following features:

• Security Monitor
• Penetration tests
• Web Application Firewall (WAF)

If you are an existing VTEX client and want to get VTEX Shield for your business, please contact Commercial Support. Additional fees may apply. If you are not a VTEX client but are interested in this solution, please complete our contact form.