Independently verified · Quarterly re-audit
EU VETTED

Saleor Commerce

VERIFIED
E-commerce · Poland
Founded 2018 · saleor.io

Polish headless GraphQL commerce platform; open-source BSD-3; cloud hosted on AWS EU (Ireland) with SOC 2 Type 2.

Why this score?

Saleor Commerce (PL-founded, EU team) achieves SOC 2 Type 2 and offers EU data residency on AWS eu-west-1 (Ireland), but Saleor Cloud runs on AWS — a US-controlled infrastructure — giving material CLOUD Act exposure; no public DPA or sub-processors list caps the score at 3/5.

Score: 3.0/5
CLOUD Act
Ownership
Sub-processors: not disclosed
OVERVIEW

About Saleor Commerce

**Saleor Commerce** (founded 2018, Polish team) is a headless, API-first e-commerce platform built around a **GraphQL-native architecture** with 22,900+ GitHub stars and BSD-3-Clause licence. It handles 1B+ API requests and 400k+ orders monthly across its cloud customer base. **Saleor Cloud** offers a fully-managed SaaS with EU data residency on **AWS eu-west-1 (Ireland)** as the primary EU region; data is strictly isolated between regions. Certifications: **SOC 2 Type 2**, GDPR compliant, PCI-DSS compliant. The self-hosted path (self-deploy on EU VPS/PaaS) gives merchants full infrastructure control with zero US-cloud dependency. Saleor targets developers and agencies building composable commerce stacks — it is not an out-of-the-box hosted shop like Shopify, but rather an API layer that any EU-hosted frontend can consume. Best fit for digital agencies, D2C brands, and B2B operators who need deep API customisation with EU data residency. No public DPA or sub-processors list found; request via sales for enterprise contracts.
SUB-PROCESSORS

Sub-processor map · not disclosed

Vendor does not publish a sub-processors list. Schrems II compliance and CLOUD Act exposure cannot be independently verified without it.
CERTIFICATIONS

Frameworks & certifications

SOC 2 · Active · Informational (US framework)
FEATURES

Capability matrix

| Category | Capability | Available |
|---|---|---|
| Integration & access | REST API | Yes |
| Integration & access | SSO (SAML / OIDC) | Yes |
| Compliance & governance | Audit log | No |
| Compliance & governance | Self-host / on-prem option | Yes |
PRICING

Pricing & tiers

Freemium · Custom pricing

Contact vendor for tier or volume pricing.

PUBLIC DOCUMENTS

Public documents

Vendor does not publish a public DPA. Without a publicly accessible Data Processing Addendum, small EU customers cannot self-serve the processor agreement — this caps the compliance score (see How we score).
  • Data Processing Addendum (DPA): missing
  • Sub-processors list: missing
  • Terms of Service: saleor.io/legal…
ALTERNATIVES

Alternatives in this category