Data Privacy Framework (DPF) certification


The DPF bridges the gap between US businesses and GDPR compliance.

If you're one of the many businesses that have contacted us about GDPR compliance, you may be pleased with our latest announcement...

Clerk is now self-certified under the Data Privacy Framework (DPF).

What does that mean? Well, I thought you'd never ask... The DPF website describes it as:

Participating organizations are deemed to provide “adequate” data protection (i.e., privacy protection), a requirement (subject to limited derogations) for the transfer of personal data outside of the European Union under the EU General Data Protection Regulation (GDPR), outside of the United Kingdom under the UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR), and outside of Switzerland under the Swiss Federal Act on Data Protection (FADP)

If that's too many acronyms for you, you're not alone. Compliance is complicated. In plainer terms, certification under the DPF is a way for a US business like Clerk to transfer and store an EU citizen's personal data in a way that is in accordance with GDPR.

At Clerk, we're on a mission to make compliance more accessible for you and your customers. And while the governing regulations are continually shifting under our feet; by self-certifying under the DPF, we're following the path of some of many other leading US-based SaaS businesses (like Stripe, Github, and Auth0). We look at this as an important milestone in our compliance story, and we expect to continue to make more strides in this area as Clerk continues to grow.

If you're the type, have a peek at our updated Privacy Policy and the associated Data Privacy Framework Notice.

In the past, it had been popular to display a user's full name and profile picture while signing in as a means to help drive better conversion. However, this practice is no longer recommended due to the rise of privacy regulations like GDPR and CCPA. Going forward we've made a change to our API to limit the amount of data we return before a user is signed in. While limiting this data will be default going forward, pre-existing instances have the ability to opt-in to this recommended security measure by heading to our Attack Protection page in the Clerk Dashboard.