Security image

Security, Privacy and Compliance

Working with Clerk means working with an enterprise-ready solution that considers security, privacy, and compliance an important responsibility and a top priority for every feature.

Clerk is SOC 2 type certified, GDPR & CCPA compliant, and conducts regular third-party audits and pen testing.

Security

Take the security burden off your shoulders

Account security is our most important responsibility and the top concern of every feature we build.

Pen tests & source code review

Clerk commissions third-party testing and assessment based on the OWASP Testing Guide, the OWASP Application Security Verification Standard, and the NIST Technical Guide to Information Security Testing and Assessment.

Explore now

XSS leak protection

Cross-Site Scripting (XSS) vulnerabilities are incredibly serious. Clerk works to minimize attack surface area by using HttpOnly cookies for authenticated requests to our Frontend API, so that credentials cannot be leaked during XSS attacks.

Explore now

CSRF protection

Most Cross Site Request Forgery (CSRF) attacks can be protected against by properly configuring the way session tokens are stored. Clerk handles the necessary configuration on your behalf by configuring cookies with the SameSite flag.

Explore now

Session fixation protection

Session fixation is a technique for hijacking a user session. Clerk protects against this by resetting the session token each time a user signs in or out of a browser. When the session is reset, the old session token is invalidated and can no longer be used for authentication.

Explore now

Password protection and rules

Clerk uses NIST guidelines to determine the character rules for passwords and contracts with Have I Been Pwned to review prospective passwords. Additionally, Clerk leverages bcrypt, the industry standard hashing algorithm for storage.

*passwords are not a requirement, Clerk can be configured to use a passwordless strategy

Explore now

Session leak protection

Instead of sharing cookies across subdomains, Clerk sets multiple independent cookies (one for the main domain and one for the subdomain), so that an attack on Clerk cannot be chained into an attack on your application.

Explore now

Privacy & Compliance

Keeping your users and YOU safe.

Clerk is committed to best-practices and standards around data privacy and compliance, because it's the right thing to do.

SOC 2, Type 2

Service Organization Control (SOC) requires that organizations create and follow strict information security policies and procedures that are based heavily in the Trust Services Principles. SOC2, Type 2 is currently the highest standard available.

HIPAA

Health Insurance Portability and Accountability Act (HIPAA) compliance requires the protection of sensitive patient health information from being disclosed without the patient's consent or knowledge.

CCPA & GDPR

California Consumer Privacy Act (CCPA) & General Data Protection Regulation (GDPR) are consumer data privacy regulations that enable more ownership, control, and security over personal information.

Start now, no strings attached

Start completely free for up to 500 monthly active users.
No credit card required.

Start building

Pricing

Learn more about our transparent per-user costs to estimate how much your company could save by implementing Clerk.

View pricing