Working with Clerk means working with an enterprise-ready solution that considers security, privacy, and compliance an important responsibility and a top priority for every feature.
Clerk is SOC 2 type certified, GDPR & CCPA compliant, and conducts regular third-party audits and pen testing.
Take the security burden off your shoulders
Account security is our most important responsibility and the top concern of every feature we build.
Clerk commissions third-party testing and assessment based on the OWASP Testing Guide, the OWASP Application Security Verification Standard, and the NIST Technical Guide to Information Security Testing and Assessment.
Cross-Site Scripting (XSS) vulnerabilities are incredibly serious. Clerk works to minimize the attack surface by using HttpOnly cookies for authenticated requests to our Frontend API, so that script injected into the page cannot read the session credential and leak it during an XSS attack.
Most Cross-Site Request Forgery (CSRF) attacks can be prevented by properly configuring how session tokens are stored. Clerk handles the necessary configuration on your behalf by setting the SameSite attribute on its cookies.
Session fixation is a technique for hijacking a user session. Clerk protects against this by resetting the session token each time a user signs in or out of a browser. When the session is reset, the old session token is invalidated and can no longer be used for authentication.
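As an added illustration of the cookie and session handling described above (example code, not Clerk's own; the cookie name, the in-memory store and the attribute check are assumptions made for this example), a minimal session store that rotates the token on every sign-in and sign-out so a previously issued token cannot be replayed, plus a check that a Set-Cookie line carries the HttpOnly and SameSite attributes:

```python
import secrets

SESSION_COOKIE = "__session"  # cookie name is an assumption for this example


class SessionStore:
    """Minimal in-memory session store: opaque token -> user id (None = anonymous)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id=None):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = user_id
        return token

    def sign_in(self, old_token, user_id):
        """Invalidate the pre-login token and issue a fresh one bound to the user."""
        self._sessions.pop(old_token, None)
        return self.create(user_id)

    def sign_out(self, token):
        """Invalidate the authenticated token and hand back a fresh anonymous one."""
        self._sessions.pop(token, None)
        return self.create(None)

    def is_valid(self, token):
        return token in self._sessions

    def user_for(self, token):
        return self._sessions.get(token)


def session_cookie_header(token, secure=True):
    """Build the Set-Cookie value with the attributes this page describes."""
    attrs = ["Path=/", "HttpOnly", "SameSite=Lax"] + (["Secure"] if secure else [])
    return f"{SESSION_COOKIE}={token}; " + "; ".join(attrs)


def cookie_is_hardened(set_cookie):
    """True only if HttpOnly is set and SameSite is Lax or Strict (None gives no CSRF defence)."""
    attrs = [p.strip().lower() for p in set_cookie.split(";")[1:]]
    samesite = [a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")]
    return "httponly" in attrs and bool(samesite) and samesite[0] in ("lax", "strict")


def demo():
    """Walk through a sign-in: the token issued before login must be dead afterwards."""
    store = SessionStore()
    pre_login = store.create()                      # token the browser held before login
    session = store.sign_in(pre_login, "user_123")  # login rotates it
    return {"old_token_valid_after_login": store.is_valid(pre_login),
            "new_cookie_hardened": cookie_is_hardened(session_cookie_header(session))}


if __name__ == "__main__":
    print(demo())
```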
Clerk uses NIST guidelines to determine the character rules for passwords and contracts with Have I Been Pwned to check prospective passwords against known breach data. Additionally, Clerk stores passwords using bcrypt, the industry-standard password hashing algorithm.
*Passwords are not a requirement; Clerk can be configured to use a passwordless strategy.
Instead of sharing cookies across subdomains, Clerk sets multiple independent cookies (one for the main domain and one for the subdomain), so that a compromise of a Clerk cookie cannot be chained into an attack on your application.
Keeping your users and YOU safe.
Clerk is committed to best practices and standards around data privacy and compliance, because it's the right thing to do.
Service Organization Control (SOC) requires that organizations create and follow strict information security policies and procedures that are based heavily on the Trust Services Principles. SOC 2 Type 2 is currently the highest standard available.
Health Insurance Portability and Accountability Act (HIPAA) compliance requires the protection of sensitive patient health information from being disclosed without the patient's consent or knowledge.
The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are consumer data privacy regulations that give individuals more ownership, control, and security over their personal information.