Tradeshift Digital Business Commerce Platform

Tradeshift is an open digital platform that allows buyers and suppliers to connect, transact and collaborate. Tradeshift is a SaaS Business Commerce Platform and Network where all the documents and data produced in B2B buying and selling are digital - Creating Value in the Supply Chain, Increasing B2B Agility.


  • Open Platform with easy business commerce connectivity
  • Functions with global supplier network, easy to add business connections
  • Enables B2B suppliers/ buyers to connect and collaborate and transact
  • Free functionality for suppliers and buyers to connect and transact
  • Leverage multiple applications for all digital business transactions
  • Platform architecture is open API and applications are free to develop
  • The platform and applications are legally compliant for document transfer
  • Digital means no paper required, no queries, no phone calls
  • Collaboration is made easy and can be fully audited
  • Removes silos in business, unites Sourcing, Procurement, Accounts, Treasury


  • Platform enables buyer/supplier businesses to connect and transact digitally
  • Open format allows for innovation of applications and is futureproof
  • Intuitive, easy-to-use interface means easy adoption by all users
  • Suppliers/buyers can connect, transact and collaborate with buyers for free
  • Buyers connect to a global network of suppliers to transact
  • Agility is improved by the platform with real-time data
  • Applications can be added or removed without cost implications
  • Helps the environment by removing paper waste completely
  • Cuts the cost of handling queries and business inefficiency
  • Brings huge value and speed to the supply chain functions


£0.01 per transaction

Service documents

G-Cloud 9



Simon Butterfield

07500 837 371

Service scope

Service constraints All updates and planned maintenance are done live with no downtime. Requirements are a browser later than IE 8 - the platform works on mobile-friendly browsers but is not an app.
System requirements
  • Web Browser IE9 or later
  • Edge, Firefox, Chrome, Safari, Opera
  • PC, Mac, Smartphone, Tablet

User support

Email or online ticketing support Email or online ticketing
Support response times Depends on severity of issue - 2-8 hours - business hours unless critical when 24hr support provided. Online support available 24hr.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Tradeshift makes an effort to develop its applications and network components in line with the W3C web accessibility initiative (WAI). User Interface design plays an important role at Tradeshift and we have industry experts in place to ensure that our applications conform to internal standards, which are focussed on making our capabilities accessible for all.
Web chat accessibility testing Fully tested and rolled out global support
Onsite support Yes, at extra cost
Support levels Self Service support is available.
Dependent on the level of support required above this, a technical account manager can be provided at additional cost - large scale deployments only.
Support available to third parties Yes

Onboarding and offboarding

Getting started Everything is available online to get started
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction All data is held as legally required but is accessible at any time to move or download.
End-of-contract process The platform and the services and applications on it are available via SaaS and as such are easily renewable for the future. Should an end be requested, we will migrate what is required at no additional cost.

Using the service

Web browser interface Yes
Using the web interface Users do everything via the web interface
Web interface accessibility standard WCAG 2.0 AAA
Web interface accessibility testing Full testing prior in sandbox
What users can and can't do using the API Tradeshift natively supports REST web services as a method of real-time integration, and our standard API specification for this is publicly accessible via

Importantly, Tradeshift also provides an application on our platform called Tradeshift Integration Services (powered by Babelway) to support many other integration mechanisms, such as SOAP web services, AS2, etc.

These APIs can be used to send and receive documents and to integrate back-office ERP systems fully with our business commerce network.
API automation tools
  • Terraform
  • Puppet
API documentation Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
Command line interface No


Scaling available Yes
Scaling type Automatic
Independence of resources True multi-tenant with scalable resources at AWS - performance guaranteed
Usage notifications Yes
Usage reporting
  • API
  • Email


Infrastructure or application metrics Yes
Metrics types
  • HTTP request and response status
  • Network
  • Number of active instances
Reporting types
  • API access
  • Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery Yes
What’s backed up Entire database
Backup controls The users don't control backups; Tradeshift is hosted on AWS and backed up in 3 separate locations automatically
Datacentre setup Multiple datacentres with disaster recovery
Scheduling backups Supplier controls the whole backup schedule
Backup recovery Users can recover backups themselves, for example through a web interface

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability Tradeshift provides an SLA for service availability and service credits if not met.
Approach to resilience Tradeshift uses AWS and a 3 data centre approach with mirrored instances in Ireland and Frankfurt
Outage reporting provides all services updates including outages. It is a public dashboard

Identity and authentication

User authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google apps)
  • Username or password
Access restrictions in management interfaces and support channels Tradeshift servers are only accessible remotely via encrypted VPN and SSH. Access is limited to authorized operations personnel only, and all access to the systems is logged.

All platform access, whether successful or not, is captured to an audit log that ensures full traceability of all data access and mutation. This includes access attempts to the audit log itself. Every transaction on the Tradeshift platform is monitored, logged, time stamped and archived along with user specific information. Audit logs are retained for a minimum of 10 years. System event logs are viewable by the operations team.
Access restriction testing frequency At least once a year
Management access authentication Dedicated link (for example VPN)
Devices users manage the service through Dedicated device over multiple services or networks

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Kirkpatrick Price
ISO/IEC 27001 accreditation date 31/12/2015
What the ISO/IEC 27001 doesn’t cover .
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations
  • Type II Service Organisation Control Report (ISAE 3402)
  • Type II Service Organisation Control Report (SSAE No. 16)
  • Type II Service Organisation Control Report (SOC 2)
  • Privacy Shield (

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We have put in place a formal Information Security Program (InfoSec SP). Information Security Policies are reviewed on a quarterly basis. A Risk Management program is in place which includes key activities such as Risk Assessments and Risk Mitigation processes. We have a dedicated information security team of 4 members, consisting of dedicated resources for infrastructure security, application security, and information security & compliance, all reporting to the CISO, who is responsible for the policy and its controls.

The process for this is covered by our ISAE 3402, and the ISAE 3402 also includes security policy related controls such as for restricted customer and employee access to data and functions, change management, archiving, authenticity of origin, processing integrity, and compliance with regulations and legislation.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Tradeshift utilizes Puppet and a Hardening Checklist for configuration management. The hardening checklist also includes the needed audit steps to ensure that configurations stay up-to-date. If any changes are implemented, GitHub sends an alert to the Tradeshift Operations team to let them know that a change has been made. Tradeshift utilizes the following for configuration management: Puppet, GitHub, Terraform, Hardening Checklist.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Antivirus/malware protection has been implemented on all employee workstations, and Tradeshift monitors outside vendors for security patch notifications. All critical new security patches are required to be installed within one month of release. The company uses a risk assessment process as well as the following resources to identify and manage security vulnerabilities/risks: CERT & Vendor notifications, Bug Bounty Program, Acunetix and Nessus vulnerability scanning.

Annual penetration and application security testing is performed by NCC Group. Weekly vulnerability scans are performed by Acunetix and weekly internal vulnerability scans via Nessus. Tradeshift also has an ongoing bug bounty program hosted on HackerOne.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Network scanning and testing is performed on a regular basis. OSSEC is used as a HIDS on all of Tradeshift’s hosts, and personal firewalls are loaded on all employee computers and managed via Casper Suite. Tradeshift has also implemented tools to monitor and log activity on the company’s network. Pingdom is used to monitor external reachability, and Datadog is used to monitor internal systems. Tradeshift monitors all aspects of the systems, including the following: CPU, Disk, Memory, Swap, Network IO, Application layer stats.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Whenever a Customer raises a fault via telephone or email with Tradeshift, its priority level is determined and it is responded to as defined in the table below:

- Critical Loss of Service: Responded to within 2 hours
- Major Partial loss of Service or Service impairment: 85% of requests responded to within 4 hours
- Minor Potentially Service affecting or non-Service affecting information request: 75% of requests responded to within 8 hours

Critical platform incidents are reported automatically to our operations team and an engineer will be working on problem resolution within 10 minutes, on a 24/7/365 schedule.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Third-party
Third-party virtualisation provider Amazon Web Services (AWS)
How shared infrastructure is kept separate Amazon AWS is the provider of virtualized services, which are under several certifications such as SAS 70 type II, FISMA moderate, PCI DSS Level 1, and ISO 27001.

Each company on Tradeshift corresponds to a 'tenant' and is a separate administrative unit, with its own users, storage, localizations, and API access controls. Each customer on the platform is provided with their own isolated data store to ensure confidentiality and integrity. There is strong isolation between the message stores of individual tenants. Accounts on Tradeshift are logically isolated using a security group mechanism, with no sharing of account data.

Energy efficiency

Energy-efficient datacentres Yes


Price £0.01 per transaction
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Available to register your business entity at no cost. Many features and functionality are available
Link to free trial

