Security, Privacy and Compliance
Working with Clerk means working with an enterprise-ready solution that considers security, privacy, and compliance an important responsibility and a top priority for every feature.
Clerk is SOC 2 type certified, GDPR & CCPA compliant, and conducts regular third-party audits and pen testing.
Security
Take the security burden off your shoulders
Account security is our most important responsibility and the top concern of every feature we build.
Pen tests & source code review
Clerk commissions third-party testing and assessment based on the OWASP Testing Guide, the OWASP Application Security Verification Standard, and the NIST Technical Guide to Information Security Testing and Assessment.
XSS leak protection
Cross-Site Scripting (XSS) vulnerabilities are incredibly serious. Clerk works to minimize attack surface area by using HttpOnly cookies for authenticated requests to our Frontend API, so that credentials cannot be leaked during XSS attacks.
CSRF protection
Most Cross Site Request Forgery (CSRF) attacks can be protected against by properly configuring the way session tokens are stored. Clerk handles the necessary configuration on your behalf by configuring cookies with the SameSite flag.
Session fixation protection
Session fixation is a technique for hijacking a user session. Clerk protects against this by resetting the session token each time a user signs in or out of a browser. When the session is reset, the old session token is invalidated and can no longer be used for authentication.
Password protection and rules
Clerk uses NIST guidelines to determine the character rules for passwords and contracts with Have I Been Pwned to review prospective passwords. Additionally, Clerk leverages bcrypt, the industry standard hashing algorithm for storage.
*passwords are not a requirement, Clerk can be configured to use a passwordless strategy
Session leak protection
Instead of sharing cookies across subdomains, Clerk sets multiple independent cookies (one for the main domain and one for the subdomain), so that an attack on Clerk cannot be chained into an attack on your application.
Privacy & Compliance
Keeping your users and YOU safe.
Clerk is committed to best-practices and standards around data privacy and compliance, because it's the right thing to do.
SOC 2, Type 2
Service Organization Control (SOC) requires that organizations create and follow strict information security policies and procedures that are based heavily in the Trust Services Principles. SOC2, Type 2 is currently the highest standard available.
HIPAA
Health Insurance Portability and Accountability Act (HIPAA) compliance requires the protection of sensitive patient health information from being disclosed without the patient's consent or knowledge.
CCPA & GDPR
California Consumer Privacy Act (CCPA) & General Data Protection Regulation (GDPR) are consumer data privacy regulations that enable more ownership, control, and security over personal information.
Start now,
no strings attached
Start completely free for up to 10,000 monthly active users and up to 100 monthly active orgs. No credit card required.
Pricing built forbusinesses of all sizes.
Learn more about our transparent per-user costs to estimate how much your company could save by implementing Clerk.
Newsletter!
The latest news and updates from Clerk, sent to your inbox.