VTEX information security and privacy certificates

VTEX follows the highest international standards for information security and data privacy. To reinforce this commitment, we maintain globally recognized certifications that confirm our processes comply with international standards and requirements. This article outlines the certifications held by VTEX and how to access them.

ISO 27001

ISO 27001 is an international standard that defines the requirements for an Information Security Management System (ISMS).

The VTEX certification was issued in Brazil but covers global data and transactions, as all platform data is processed in Brazil. The certificate is for the VTEX platform and is valid globally.

The certificate is available at the VTEX Trust Center.

PCI-DSS

PCI-DSS (Payment Card Industry Data Security Standard) is a required certification for companies that process, store, or transmit credit and debit card data.

VTEX complies with the latest version of the certification, PCI-DSS v4.0. This certification is valid for 12 months from the audit date and is renewed annually.

The certificate is available at the VTEX Trust Center.

The PCI-DSS certificate indicates the issue date as the Assessment End Date. The Publication Date field refers to the date the PCI standard was officially published, not to the certificate's validity.

SOC 1 Type 2 and SOC 2 Type 2

SOC (System and Organization Controls) reports evaluate internal controls related to security, availability, processing integrity, and confidentiality.

VTEX holds SOC 1 Type 2 and SOC 2 Type 2 reports, which attest to the effectiveness of these controls over a 12-month period from the audit date.

The report evaluates the controls applied during the previous year. For example, if the report covers the period from January 1, 2024, to December 31, 2024, it will remain valid throughout 2025.

Certificates are usually issued at the end of the first quarter or the beginning of the second quarter following the year under review. If there's a gap between the validity of the last available SOC report and the next audit, VTEX can issue a Bridge Letter (or Gap Letter) to cover the period.

You can request access to the SOC certificates via the VTEX Trust Center.

Data Privacy Framework (DPF)

The Data Privacy Framework is an EU-approved program that facilitates the secure international transfer of personal data.

VTEX is certified under the three primary DPF frameworks, which regulate data transfers from the European Union, the United Kingdom, and Switzerland to the United States.

The VTEX certification can be accessed directly on the program's official website. To check if the certification is active for each framework, search for VTEX in the website search bar and look at the Status column. It will display Active for the frameworks where the certification is valid.
