CloudBlue puts in a great deal of effort to ensure the security and reliability of all CloudBlue products. To bring security into our Software Development Life Cycle (SDLC), we follow the Software Assurance Maturity Model (SAMM) methodology. Our Secure SDLC ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort.

Security Team

We have a dedicated team responsible for the security of CloudBlue products. From the very start of development, the security team participates in design reviews to define the security requirements alongside functional requirements and to perform architecture risk analysis.

The security team collaborates with developers on a daily basis and is constantly searching for any security issues in the CloudBlue codebase. The security team also builds the security infrastructure for Secure SDLC. To detect the most common issues, we use automatic scanning integrated into our software development pipelines:

  • Every time new code is pushed to a repository, an automatic Static Application Security Testing (SAST) scan is performed.
  • For the deployed instances of CloudBlue products, a Dynamic Application Security Testing (DAST) scan is performed to catch security issues in runtime.
  • Software Composition Analysis (SCA) execution is used to ensure we do not ship our product with vulnerable dependencies. It automatically tracks 3rd party dependencies and their licenses for every component. Every known vulnerability must be fixed before the release.

Additionally, when a new feature is developed, the security team manually reviews its source code and performs dynamic testing using different industry-standard tools.

Security Training

As a part of the SAMM Education & Guidance practice, every person participating in the software life cycle is instructed on how to develop and deploy secure software. Our developers are aware of the common security risks described in OWASP Top Ten, and our R&D teams undergo regular training to reinforce security topics using commercial training platforms as well as classes and materials developed in-house. Training is conducted annually and requested on demand.

We have also taken a step forward by adopting the Security Champions initiative. Security Champions are active members of a team with an interest in security and a desire to contribute to our product security. They act as a supportive element in the security assurance process and have the Single Point of Contact (SPOC) role within their teams.

Open Web Application Security Project (OWASP)

Open source is great! We believe that the use of community-driven open standards and tools is an essential part of secure software development, especially in the long term. That is why we adopted several OWASP tools, made them a part of our Secure SDLC, and made OWASP SAMM the core of our Secure SDLC. Using open source, we aim to:

  • Benefit from open source by using community-driven standards and tools.
  • Contribute to open source by verifying that it fits enterprise solutions.

To make the security aspect of CloudBlue products more transparent, we follow Application Security Verification Standard (ASVS). ASVS is a community-driven framework of security requirements and controls that focuses on defining the functional and non-functional security controls required to design, develop, and test modern web applications and web services. We do not treat this standard as an immutable source of truth, but rather as a starting point for a discussion on a security topic.

External Penetration Testing

When shipped to customers, our products become a part of their infrastructure, increasing the potential attack surface. This is why our customers regularly request their own security teams or external ones to perform penetration tests on our products to ensure that the overall security of their infrastructure is not affected. Reports of such tests give us a chance to see things from the customer’s point of view and better understand their needs and requirements.


We take a set of measures to ensure that the data in our products is encrypted.


All values that are required to be random, such as randomly generated encryption keys and initialization vectors, are generated using a cryptographically secure pseudorandom number generator.

In addition to the proper source of randomness, the following minimum size of random data is used:

Purpose              Minimum Entropy (bits)
Cryptographic keys   128+
IV vector            128+
Session ID           80+

Symmetric Crypto

CloudBlue Commerce uses the Advanced Encryption Standard (AES) algorithm to encrypt data, as it is recommended by the National Institute of Standards and Technology (NIST) for long-term storage use, and because it is often included as part of customer compliance requirements.

We use the following AES modes:

  • AES in Galois/Counter Mode (GCM)
  • AES in Cipher Block Chaining (CBC) mode with a hash-based message authentication code (HMAC)

Cipher                                Purpose                        Storage Format
AES-128-CBC with random IV            Store sensitive data           $AES-128-CBC${IV}${Encrypted data in BASE64}
AES-128-GCM with random unique Nonce  Store and send sensitive data  $AES-128-GCM${Nonce}${Encrypted data in BASE64}
AES-128-CBC-HMAC with random IV       Store and send sensitive data  $AES-128-CBC${IV}${Encrypted data in BASE64}${HMAC BASE64}
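The CBC-with-HMAC row of the table above, together with the randomness requirements earlier in this section, as an added example in Go that is not CloudBlue's code: it assumes base64 for the IV field, HMAC-SHA256 as the MAC, a MAC key separate from the AES key, and a MAC computed over the label, IV and ciphertext, none of which the page specifies. What it shows is the ordering that matters for this format: the HMAC is checked in constant time before any CBC decryption or padding check, so a tampered token is rejected without creating a padding oracle.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const cbcLabel = "AES-128-CBC" // label the storage format puts in front of CBC tokens
var errInvalidToken = errors.New("invalid or tampered token")
func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }

// CBC only processes whole AES blocks, so the plaintext is PKCS#7-padded.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errInvalidToken
	}
	return b[:len(b)-n], nil
}

// tag is HMAC-SHA256 over everything the receiver parses (label, IV, ciphertext), so a swapped
// IV or a relabelled token is rejected too. Assumed: the page does not say what its HMAC covers.
func tag(macKey, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write([]byte(cbcLabel))
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// Encrypt returns "$AES-128-CBC${IV}${ciphertext}${HMAC}" with binary fields in base64.
// encKey must be 16 bytes (AES-128); macKey is a separate HMAC key (an assumption).
func Encrypt(encKey, macKey, plaintext []byte) (string, error) {
	if len(encKey) != 16 {
		return "", errors.New("encKey must be 16 bytes for AES-128")
	}
	block, _ := aes.NewCipher(encKey) // cannot fail: key length checked above
	iv := make([]byte, aes.BlockSize) // fresh 128-bit IV, the page's stated minimum
	if _, err := rand.Read(iv); err != nil { // crypto/rand is a CSPRNG, as the page requires
		return "", err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return fmt.Sprintf("$%s$%s$%s$%s", cbcLabel, b64(iv), b64(ct), b64(tag(macKey, iv, ct))), nil
}

// Decrypt parses the token and verifies the HMAC in constant time BEFORE decrypting
// (encrypt-then-MAC), so a forged token never reaches the padding check.
func Decrypt(encKey, macKey []byte, token string) ([]byte, error) {
	parts := strings.Split(token, "$") // the leading "$" yields an empty first field
	if len(encKey) != 16 || len(parts) != 5 || parts[0] != "" || parts[1] != cbcLabel {
		return nil, errInvalidToken
	}
	iv, e1 := base64.StdEncoding.DecodeString(parts[2])
	ct, e2 := base64.StdEncoding.DecodeString(parts[3])
	mac, e3 := base64.StdEncoding.DecodeString(parts[4])
	if e1 != nil || e2 != nil || e3 != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errInvalidToken
	}
	if !hmac.Equal(mac, tag(macKey, iv, ct)) {
		return nil, errInvalidToken // rejected before any decryption: no padding oracle
	}
	block, _ := aes.NewCipher(encKey) // cannot fail: key length checked above
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() { // constructed demo keys; in a product they come from a key store
	encKey, macKey := []byte("0123456789abcdef"), []byte("constructed-hmac-key-for-demo-use")
	tok, _ := Encrypt(encKey, macKey, []byte("constructed secret"))
	pt, err := Decrypt(encKey, macKey, tok)
	fmt.Println(tok, string(pt), err)
}
```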

Transport security

To provide secure data transfer over the network, CloudBlue Commerce uses TLS 1.2 with the following cipher suites:



We are constantly working on expanding compliance coverage. Currently, we are certified by ISO27001:2013.

CloudBlue has policies and procedures in place to demonstrate GDPR compliance and the terms of the Cloud Security Alliance GDPR Code of Conduct by CloudBlue and our sub-processors. To exhibit compliance, CloudBlue is able to provide evidence listed below:

  • STAR self-assessment available on the Cloud Security Alliance website
  • Public version of Information Security Policy and supporting Policies
  • ISO 27001 certificate (requires an NDA)
  • Privacy Statement:

Data Privacy & Data Protection

CloudBlue, being a globally operated organization, complies with different data privacy laws and regulations, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the Cloud Security Alliance GDPR Code of Conduct. We incorporate the required technical and organizational security measures and safeguard the protection of the rights of the data subject.

By using the Services, you agree that we may use Data in accordance with our Privacy Statement, available here.

Each party acknowledges and agrees to comply with the data protection and privacy legislation applicable to their fulfillment of these Terms (“Data Protection Laws”), such as without limitation, as applicable, the California Consumer Privacy Act (“CCPA”) and the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), including when using, handling, disclosing, transferring, sharing or processing in any way and for any purpose, any information that relates to an identified or identifiable individual (“Personal Data”) received from or on behalf of the other party, for the duration of the term of these Terms. All Personal Data disclosed by one party and processed by the other party as part of these Terms is confidential information of the disclosing party and is subject to the confidentiality obligations set out under clause 9 of these Terms.

You acknowledge that you may leverage certain feature functionalities of the Platform to generate end-user information and data for required business operations. If any end-user data is requested and made available or accessible to you, your employees, agents or contractors, you will comply fully with all applicable laws, regulations, and government orders including those relating to Personal Data and/or personally identifiable information (“PII”) and data privacy with respect to any such data that you receive or have access to under these Terms or in connection with the performance of any other services you or a customer receive. You will otherwise protect PII and will not use, disclose, or transfer across borders such PII unless authorized by the data subject or in accordance with applicable laws. To the extent that you receive PII related to the performance of these Terms, you will protect the privacy and legal rights of any such third party.

Notwithstanding anything to the contrary in these Terms, CloudBlue may copy, modify, distribute, and otherwise use Personal Data received from or on your behalf to the extent necessary for the purpose of providing the Platform and the Services. You warrant and represent that you already have in place or will obtain, as applicable, and maintain in effect all permissions, consents, and authorizations that are required by applicable laws for you to provide, or to arrange for the provision of, Personal Data to CloudBlue. You represent and warrant that you have the full ability and legal right to provide and make available Personal Data to CloudBlue as contemplated by these Terms. You will not by any act or omission put CloudBlue in breach of its legal obligations under the applicable data protection and privacy legislation and in connection with these Terms.

To the extent the CCPA applies to parties’ performance of these Terms, Personal Data as used in these Terms includes all “personal information” as that term is defined in the CCPA. Each party acknowledges and agrees that, with respect to the sharing of such Personal Data with CloudBlue under these Terms, CloudBlue is a “service provider” as that term is defined in the CCPA. With respect to Personal Data consisting of “personal information” as that term is defined in the CCPA, CloudBlue hereby certifies that it understands that it is prohibited from (a) selling that Personal Data (as “sell” is defined in the CCPA), (b) retaining, using, or disclosing that Personal Data for any purpose other than for the specific purpose of performing the Services or as otherwise permitted by the CCPA, including retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services, and (c) retaining, using, or disclosing the Personal Data outside of its direct business relationship with you.

CloudBlue uses the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. All data at the storage level is encrypted with AES-256 by default. Traffic is encrypted in transit using Transport Layer Security (TLS) 1.2 with an industry-standard AES-256 cipher. TLS is a set of industry-standard cryptographic protocols used for encrypting information that is exchanged over the network.

Availability is guaranteed by leveraging our infrastructure on Azure premium tier, which offers high availability through regional redundancy.

GDPR & Personal Data Processing

For purposes of processing Personal Data originating from the European Economic Area, which is subject to the GDPR, CloudBlue agrees to hereby incorporate under this clause 11.2 a data processing agreement (hereafter “DPA”), the terms of which are an integral part of these Terms and apply only if and to the extent CloudBlue is processing Personal Data as part of the provision of the Platform and the Services (collectively “Cloud Services”).

Terms used in this DPA, but not defined herein (if any) have the meanings set forth in these Terms, the GDPR or the CCPA as applicable respectively.

Each party acknowledges and agrees that, to the extent that Personal Data is subject to the GDPR, the customer is the “data controller” of that Personal Data which CloudBlue processes on its behalf and CloudBlue is the “data processor.”

To the extent that CloudBlue “processes” (as that term is defined in the GDPR) Personal Data subject to the GDPR on behalf of the customer, CloudBlue shall:

  • Only process the Personal Data provided by the customer in accordance with its instructions, for no other purposes other than those determined by the customer, as is necessary to perform its obligations set forth under these Terms and in order to comply with a legal obligation.

If, however, at any time during the execution of this DPA and these Terms, CloudBlue establishes that the customer’s instructions appear in any way to be unlawful or non-compliant with the applicable legislation, CloudBlue shall without undue delay notify the customer and wait for further instructions.

  • Take reasonable steps to ensure the reliability of staff who have access to the Personal Data processed as part of performing the obligations under these Terms and that all staff to whom CloudBlue discloses Personal Data are made aware that the Personal Data is confidential information and subject to the obligations set out in this DPA and these Terms.

  • Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the nature of Personal Data as well as the risk and severity for the rights and freedoms of natural persons, take and maintain during the execution of this DPA appropriate technical and organisational measures against unauthorised or unlawful processing of that Personal Data and against accidental loss or destruction of, or damage to the Personal Data. Additional information on the security measures implemented by CloudBlue is available under clause 10 here above of these Terms, and upon written request to CloudBlue. By accepting these Terms and this DPA, the customer agrees to the security measures taken and implemented by CloudBlue.
  • Inform as soon as possible the customer of any request from a data subject to exercise its rights of access, rectification, amendment, restriction of processing or deletion (“right to be forgotten”), data portability, objection to the processing of that person’s Personal Data or any other data subject request, third-party notices, personal data breaches or loss of customer’s Personal Data and assist and cooperate with the customer in order to impede any consequences thereof and ensure compliance with the applicable Data Protection Laws. The customer will bear the unreasonable cost incurred by CloudBlue related to such assistance and cooperation.
  • Provide reasonable assistance to the customer in order to allow it to comply with its obligations under the Data Protection Laws including, but not limited to data subject requests, to the extent the customer does not otherwise have access to the relevant information and to the extent such information is available to CloudBlue. CloudBlue shall provide reasonable assistance to the customer in the cooperation or prior consultation with the supervisory authority in relation to the performance of its tasks under this DPA, to the extent required under the Data Protection Laws. The customer will bear the cost related to such assistance.
  • Upon termination of these Terms, cease all processing of customer’s Personal Data and shall delete or, upon customer’s request, return all files containing the Personal Data, unless the retention of the Personal Data is required by law. The customer will bear the cost related to such return or deletion of data. CloudBlue provides Termination Assistance during the Permitted Post Termination Period to customers (as applicable).
  • Any changes concerning relevant cloud services will be communicated to clients through email or technical account managers.
  • CloudBlue remains liable to our customers for the performance of our sub-processor’s obligations.
  • CloudBlue will share the agreements entered with our sub-processors, in part, upon customer request, where needed to demonstrate compliance.
  • CloudBlue customers are able to directly receive a copy of the personal data they have provided, in connection with their provided service, in a structured, commonly used, machine-readable and interoperable format.
  • Authorized users can request through the customer portal that CloudBlue delete all customer records via a database delete. CloudBlue will only delete customer data under explicit instruction from customers in accordance with our standard terms. CloudBlue will return data in a standard format to the customer (data controller) upon request at no additional cost.

The customer acknowledges and agrees that CloudBlue may need to subcontract any of its processing operations regarding the customer’s Personal Data to its affiliates or third parties sub-contractors located in different countries. For this purpose, by accepting the terms and conditions in this DPA and these Terms, the customer hereby grants CloudBlue a general authorization to use sub-contractors if necessary to ensure performance of the Cloud Services, CloudBlue’s obligations under these Terms or to ensure compliance with legal obligations. For the avoidance of doubt, CloudBlue shall only sub-contract its processing operations under this DPA and these Terms in accordance with the requirements under the applicable Data Protection Laws. Upon written request by the customer, CloudBlue shall provide to the customer a list of the sub-contractors involved in the processing of Personal Data hereunder. The customer acknowledges and agrees that CloudBlue may need to transfer, disclose or otherwise permit access to Personal Data processed as part of the provision of the Cloud Services to its affiliates or sub-contractors located in different countries including outside the European Economic Area (“EEA”) for the purpose of ensuring the performance of the Cloud Services and CloudBlue’s obligations under this DPA and these Terms or to ensure compliance with a legal obligation. By accepting the terms and conditions in this DPA and these Terms, the customer agrees to such transfers of data. A list of the data transfer locations can be provided to the customer upon written request to CloudBlue. For the avoidance of doubt, CloudBlue agrees that any disclosure, access or transfer outside the EEA of customer’s Personal Data processed hereunder will be performed in compliance with the applicable Data Protection Laws.

The customer shall not provide for processing, transfer or grant access to CloudBlue any Personal Data unless, where needed, the data subject has given its consent to the processing of its Personal Data under the Data Protection Laws. The customer acknowledges and agrees that it has the sole responsibility of providing necessary transparency information and obtaining all necessary consents by data subjects for the processing of Personal Data under this DPA and these Terms. The customer thereby warrants and represents that where such transparency of information and consent are needed, the customer has provided such information and obtained the data subject’s consent, and upon written request copies of such consents will be provided to CloudBlue prior to transferring the Personal Data for processing.

CloudBlue agrees to submit to audits or have an independent third-party auditor, inspector, regulator, or other representative, designated in writing by the customer, perform an audit on the customer’s behalf in order to validate CloudBlue’s compliance with its obligations under this DPA; however, such an audit may only be requested with prior written notice of thirty (30) business days and executed during the following months (July, August and September) and only once every twelve (12) months. Such a third-party auditor, inspector, regulator, or other representative designated by the customer shall be subject to a confidentiality agreement provided to CloudBlue prior to the audit. CloudBlue shall provide the customer, for the purpose of the audit and upon written request, with reasonable information necessary to demonstrate compliance with CloudBlue’s obligations under this DPA, excluding any information, documents or records relating to the business relations of CloudBlue with any third party or the documents or records already audited by the customer during the previous twelve (12) months. The customer shall carry out any inspection at a mutually agreeable date, during normal working hours and without interfering with the course of CloudBlue’s business operations. All such audits shall be at the customer’s sole cost and expense.

Notwithstanding anything to the contrary in these Terms, the customer shall indemnify and hold CloudBlue blameless from any liability, losses, claims, penalties, damages, costs and expenses of whatever nature, including if imposed by the supervisory authority on CloudBlue and arising out of any claims, actions, proceedings or settlements, resulting from the breach or non-compliance of the customer with the terms and conditions of this DPA, these Terms and/or with the applicable Data Protection Laws.

This DPA will be effective as of the date of the execution of these Terms and shall remain in full force and effect during the term of these Terms. This DPA will terminate automatically with the termination or expiry of the Terms.

Data processing information

A. Categories of data subjects whose Personal Data may be processed hereunder include but are not limited to:

  1. employees of the customer who have accounts in the Platform
  2. resellers, sub-resellers and the end user

B. The type of Personal Data processed may include: First Name, Last Name, Address, E-Mail, Phone Number, and any other information which may be required and made available to CloudBlue by the customer for the purposes of providing the Service.

C. The Personal Data will in any event be processed for the purposes of performing the Services.

D. Personal Data will be processed during the term of the Terms and as required by Data Protection Laws.

E. The contact person of CloudBlue regarding this Section eleven (11) is:

Name: Aaron Mendelsohn, Ingram Micro Data Protection Officer

E-mail address:

How to Report a Security Concern

About the Policy

Providing a high level of product security is a top priority of CloudBlue. We believe that transparency of the security assessment will help us, external security teams, and our customers to be on the same wavelength when it comes to security in CloudBlue. We are ready to work with anyone who submits vulnerability reports in good faith as described in this section. This is why we formalized the process for handling security vulnerabilities.


We urge everyone to follow these rules while researching:

  • Comply with the applicable laws and all applicable software license requirements.
  • Make every effort to avoid privacy violations, disruption to production systems, performance degradation and loss of data during security testing.
  • Use the identified communication channels to report vulnerability information to us.
  • Keep the information about any vulnerabilities you have discovered confidential between yourself and CloudBlue until we have had 90 days to resolve the issue.

Vulnerability criteria

Exploitability is our general criterion for treating an issue as a vulnerability. In other words, we consider a bug a vulnerability if the bug may impact the confidentiality, integrity or availability of our product. In any other case we treat it as a regular bug, and the time frames provided in the Analysis section are not applicable.

By the term “attacker”, we mean a malicious actor who attempts to negatively impact the confidentiality, integrity or availability of our product. We assume that an attacker is a highly skilled expert with in-depth knowledge of our product and its internal architecture, and that security measures that fall under the security-through-obscurity principle will not have any effect.

Every bug must be fixed. However, the procedure for fixing a bug is different from fixing a vulnerability. In the Exclusions section below, you can find the most frequently reported issues that are not vulnerabilities from our point of view and are therefore treated as regular bugs.


  • Stack trace exposure.
  • Internal IP addresses exposure.
  • Statements that software is out of date or vulnerable without proof-of-concept exploit code.
  • Vulnerabilities that cannot be used without involving CloudBlue Commerce users, for example, self-xss or having a user paste JavaScript code into the browser console.
  • Unvalidated reports from automated web vulnerability scanners, such as Acunetix, OWASP ZAP, and Burp Suite.
  • Protocol mismatches.
  • Exposed login panels.
  • Missing cookie flags on non-authentication cookies.
  • Issues that affect only outdated user agents or app versions. We only consider exploits in the latest browser versions for Safari, Mozilla Firefox, Google Chrome, Microsoft Edge, and Internet Explorer.
  • Issues that require physical access to the victim’s computer or device.
  • Path disclosure.
  • Banner grabbing issues: figuring out what web server we use, what version is in use, and so on.
  • Highly speculative reports about theoretical damage.

Reporting Procedure


To report a security vulnerability affecting CloudBlue products, please contact the CloudBlue Application Security team. We respond to such reports within three business days.

Please report the following information:

  • A description of the vulnerability, including the proof-of-concept exploit code or network traces (if available).
  • Details of the affected product, including the version of the product and the affected component.
  • Publicity of vulnerability, or whether it has already been publicly disclosed.

Everyone is encouraged to report discovered vulnerabilities, regardless of service contracts or product life cycle status. CloudBlue welcomes vulnerability reports from researchers, industry groups, CERTs, partners, and any other source as CloudBlue does not require a non-disclosure agreement as a prerequisite for receiving reports. CloudBlue respects the interests of the reporting party (reports can be made anonymous on request) and agrees to handle any vulnerability that is reasonably believed to be related to CloudBlue products in the Scope section. CloudBlue follows Coordinated Vulnerability Disclosure (CVD) practices and to protect the ecosystem we request that those reporting to us do the same.

For more information on CVD, please refer to the following document: The CERT Guide to Coordinated Vulnerability Disclosure.


First, the CloudBlue Application Security Team investigates and reproduces the vulnerability. If needed, CloudBlue will request more information from the reporter.

During this stage, the CloudBlue Application Security Team performs the following actions:

  • Analyzes the impact based on the existing security requirements, the scope, and context of the vulnerability.
  • Performs the exploitation stage of the vulnerability.
  • Calculates the severity of the vulnerability using the CVSS v3.1 score.

Based on the results, the Application Security team then assigns one of the following severity levels to the vulnerability:

  • Critical: Vulnerabilities that cannot be mitigated by security solutions and require a hotfix release within one week.
  • Medium: Vulnerabilities that can be mitigated by existing security solutions, for example, WAF, but require a hotfix release within three weeks.
  • Low: Vulnerabilities and issues that may be addressed in the nearest release of our product. The fix may be released after more than three weeks.


CloudBlue performs internal vulnerability handling in collaboration with the responsible development groups. During this time, regular communication is maintained between CloudBlue and the reporting party to inform each other about the current status and to ensure that the reporting party understands CloudBlue’s position. If available, a pre-released software fix may be provided to the reporting party for verification.


After the issue has been successfully analyzed and if a fix is necessary, the corresponding fixes will be developed and prepared for distribution. CloudBlue will use existing customer notification processes to manage the release of patches, which may include direct customer notification or public release of a security advisory containing all necessary information.

A CloudBlue Security Advisory note usually contains the following information:

  • The description of the vulnerability and its CVSS v3.1 score.
  • The impact description.
  • The list of known affected products and software or hardware versions.
  • Information on mitigating factors and workarounds.
  • The location of available fixes.


  • CloudBlue Commerce Platform
  • CloudBlue Connect Platform

Out of scope

Infrastructure environments with components related to product operations:

  • Operating System misconfiguration and vulnerabilities.
  • Any 3rd party services or services hosted by 3rd party providers.
  • Findings for applications or systems not listed in the ‘Scope’ section.
  • UI and UX bugs and spelling mistakes.
  • Network-level Denial of Service (DoS/DDoS) vulnerabilities.
  • Findings from physical testing such as office access, for example, open doors or tailgating.
  • Findings derived primarily from social engineering, for example, phishing.

To protect your privacy, please never pass CloudBlue any information that we could recognize as:

  • Personally identifiable information (PII);
  • Credit cardholder data.

Contact Information

If you believe you have found a security vulnerability in one of our products, please send us an email to

Please include the following details in your report:

  • The description of the location and potential impact of the vulnerability.
  • A detailed description of the steps required to reproduce the vulnerability. Proof-of-concept exploit code, screenshots, and compressed screen captures are all helpful to us.
  • Your name or handle and a link for recognition in our Hall of Fame or a request for anonymity.

Please use our PGP-key when possible to encrypt your report:

