Privacy and Security
Since Catalyst is optimized for production ecommerce sites utilizing BigCommerce, it benefits from the privacy and security standards of BigCommerce’s platform in addition to the implementation of strong best practices for the Next.js framework.
BigCommerce certifications
All commerce operations and checkout functionality by default utilize BigCommerce’s GraphQL APIs and hosted checkout experience, which are backed by a robust set of data privacy and security certifications:
- CCPA
- CSA STAR
- EU-US DPF
- FIPS 140-2
- GDPR
- ISO 22301
- ISO 27001 SoA
- ISO 27001:2022
- ISO 27017
- ISO 27018
- ISO 27701
- PCI DSS
- Privacy Shield
- RH-ISAC
- SOC 1, SOC 2, SOC 3
- TX-RAMP
- Visa Service Provider
You can learn more about these certifications and request a security review at security.bigcommerce.com.
Security vulnerability monitoring
Catalyst is a part of BigCommerce’s bug bounty program, and the security team actively monitors and responds to reports, in addition to automatically scanning and manually assessing this codebase internally. Learn more within SECURITY.md here.
Best practices implemented
Limited data access
By default, Catalyst is 100% powered by a GraphQL Storefront API that has zero access to admin functionality. It’s scoped only to the storefront and either anonymous or authenticated shoppers.
Content Security Policy (CSP)
Catalyst implements a default Content Security Policy (CSP), which can be extended to meet your organization’s specific security standards. This enables you to specify the sources of content that are allowed to be loaded on your site, which helps to prevent Cross-Site Scripting (XSS) and data injection attacks.
You can customize your CSP policy in the codebase here.
Consent Management
Cookie consent tracking is available in Catalyst v1.3.0+. To upgrade, follow the instructions in our Getting Started guide.
Catalyst does not store shopper preferences for cookie consent tracking. If cookies are cleared in the shopper’s browser, the consent banner will be displayed again.
Catalyst utilizes the c15t.com consent management library under the hood to manage shopper privacy preferences when it comes to cookies and data collection. This provides a comprehensive solution for General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other privacy regulation compliance.
The consent manager is fully integrated with BigCommerce’s Script Manager, ensuring that all analytics and marketing scripts respect shopper consent preferences. When cookie consent is enabled in your channel storefront settings, Catalyst will automatically manage which scripts load based on the shopper’s selections—essential and unknown scripts always load, while analytics, functional, and targeting scripts only run once consent is granted. This integration ensures a consistent privacy experience across Catalyst and Stencil storefronts, maintaining feature parity in how consent-aware scripts are loaded and categorized.
BigCommerce’s consent categories are automatically mapped to c15t’s standardized ones, so existing Storefront Script configurations continue to work without modification.
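The gating rule described above, as an added example that is not Catalyst’s or c15t’s own code: a script is allowed to load only when its BigCommerce consent category is essential or unknown, or when the shopper has granted the matching consent. The ConsentState shape, the sample scripts and the handling of an unrecognized category are assumptions of this example.

```typescript
// Consent categories used by BigCommerce Script Manager, as described above.
type ScriptCategory = 'essential' | 'unknown' | 'analytics' | 'functional' | 'targeting';

// Shopper selections from the consent banner. Hypothetical shape for this
// example only; it is not c15t's own API.
interface ConsentState {
  analytics: boolean;
  functional: boolean;
  targeting: boolean;
}

// Before the shopper has chosen anything (or after cookies were cleared and the
// banner is shown again) no optional category is granted.
const NO_CONSENT: ConsentState = { analytics: false, functional: false, targeting: false };

interface StorefrontScript {
  name: string;
  category: string; // raw value as it might arrive from a Script Manager entry
}

// Decide whether one script may load. Essential and unknown scripts always load;
// analytics, functional and targeting scripts need the matching consent. A value
// outside the known set is blocked (this example's conservative choice).
function shouldLoadScript(category: string, consent: ConsentState): boolean {
  switch (category) {
    case 'essential':
    case 'unknown':
      return true;
    case 'analytics':
    case 'functional':
    case 'targeting':
      return consent[category as keyof ConsentState];
    default:
      return false;
  }
}

// Names of the scripts allowed to load for the given consent state, in order.
function scriptsToLoad(scripts: StorefrontScript[], consent: ConsentState): string[] {
  return scripts.filter((s) => shouldLoadScript(s.category, consent)).map((s) => s.name);
}

// Constructed sample Script Manager entries (not from a real store).
const SAMPLE_SCRIPTS: StorefrontScript[] = [
  { name: 'checkout-helper', category: 'essential' },
  { name: 'legacy-widget', category: 'unknown' },
  { name: 'page-analytics', category: 'analytics' },
  { name: 'live-chat', category: 'functional' },
  { name: 'ad-retargeting', category: 'targeting' },
  { name: 'mystery-tag', category: 'experimental' },
];

console.log(scriptsToLoad(SAMPLE_SCRIPTS, NO_CONSENT));
console.log(scriptsToLoad(SAMPLE_SCRIPTS, { analytics: true, functional: false, targeting: true }));
```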
At this time, the scriptLoader feature of c15t does not support script location (e.g., explicitly indicating whether scripts should be placed in <head>/<body>). We’re collaborating closely with the c15t team to extend support; if your storefront relies on specific script placement or privacy handling use cases, we’d love to hear your feedback as we refine this integration further.
Enabling Cookie Consent Tracking
To enable cookie consent tracking in your Catalyst storefront:
- Navigate to your BigCommerce Store Security Settings.
- Scroll down to Your customers’ privacy and enable Cookie consent tracking.
Once enabled, shoppers will see a consent banner that allows them to manage their privacy preferences for different types of cookies and data collection activities. You can learn more about how BigCommerce handles consent tracking here.

Framework benefits
Next.js security record
The Next.js framework used by Catalyst has a solid track record of security, aided by hundreds of active contributors, including a consistently high package health score as reported by Snyk.
Industry adoption
You’re in good company! Next.js is trusted by many companies handling millions of users and sensitive data across various sectors, including commerce, ticketing, and media. Explore some of these use cases here.