Security, Privacy and Compliance

Working with Clerk means working with an enterprise-ready solution that considers security, privacy, and compliance an important responsibility and a top priority for every feature.

Clerk is SOC 2 type certified, GDPR & CCPA compliant, and conducts regular third-party audits and pen testing.


Take the security burden off your shoulders

Account security is our most important responsibility and the top concern of every feature we build.

Pen tests & source code review

Clerk commissions third-party testing and assessment based on the OWASP Testing Guide, the OWASP Application Security Verification Standard, and the NIST Technical Guide to Information Security Testing and Assessment.

Learn more

XSS leak protection

Cross-Site Scripting (XSS) vulnerabilities are incredibly serious. Clerk works to minimize attack surface area by using HttpOnly cookies for authenticated requests to our Frontend API, so that credentials cannot be leaked during XSS attacks.

Learn more

CSRF protection

Most Cross Site Request Forgery (CSRF) attacks can be protected against by properly configuring the way session tokens are stored. Clerk handles the necessary configuration on your behalf by configuring cookies with the SameSite flag.

Learn more

Session fixation protection

Session fixation is a technique for hijacking a user session. Clerk protects against this by resetting the session token each time a user signs in or out of a browser. When the session is reset, the old session token is invalidated and can no longer be used for authentication.

Learn more

Password protection and rules

Clerk uses NIST guidelines to determine the character rules for passwords and contracts with Have I Been Pwned to review prospective passwords. Additionally, Clerk leverages bcrypt, the industry standard hashing algorithm for storage.

*passwords are not a requirement, Clerk can be configured to use a passwordless strategy

Learn more

Session leak protection

Instead of sharing cookies across subdomains, Clerk sets multiple independent cookies (one for the main domain and one for the subdomain), so that an attack on Clerk cannot be chained into an attack on your application.

Learn more

Privacy & Compliance

Keeping your users and YOU safe.

Clerk is committed to best-practices and standards around data privacy and compliance, because it's the right thing to do.

SOC 2, Type 2

Service Organization Control (SOC) requires that organizations create and follow strict information security policies and procedures that are based heavily in the Trust Services Principles. SOC2, Type 2 is currently the highest standard available.


Health Insurance Portability and Accountability Act (HIPAA) compliance requires the protection of sensitive patient health information from being disclosed without the patient's consent or knowledge.


California Consumer Privacy Act (CCPA) & General Data Protection Regulation (GDPR) are consumer data privacy regulations that enable more ownership, control, and security over personal information.

Ready to see what Clerk can do for you?Start your free trial today

Start completely free with up to 500 monthly active users. No credit card required.

Start building now