Clerk Chat Inc, a Delaware corporation, is a technology company based in San Francisco, CA, that offers telecommunication services to enterprises. Specializing in secure and consolidated messaging, Clerk provides a modern telco solution that enables features such as SMS, WhatsApp, and 2FA codes to be integrated directly into Slack, Microsoft Teams, and native applications.
Website: https://clerk.chat/security/
Contact: security@clerk.chat
This Trust Report is powered by Vanta. Vanta identifies security flaws and privacy gaps in a company's security posture by connecting to core systems to continuously monitor an organization's cloud infrastructure, endpoints, corporate procedures, enterprise risk, and employee accounts.
Thousands of fast-growing companies trust Vanta to automate their security monitoring and compliance process.
Monitoring
Database replication utilized
The company's databases are replicated to a secondary data center in real-time. Alerts are configured to notify administrators if replication fails.
Production database access restricted
The company restricts privileged access to databases to authorized users with a business need.
Production network access restricted
The company restricts privileged access to the production network to authorized users with a business need.
Remote access encrypted enforced
The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
Encryption key access restricted
The company restricts privileged access to encryption keys to authorized users with a business need.
Production data segmented
The company prohibits confidential or sensitive customer data, by policy, from being used or stored in non-production systems/environments.
Access control procedures established
The company's access control policy documents the requirements for the following access control functions: adding new users, modifying users, and/or removing an existing user's access.
Network segmentation implemented
The company's network is segmented to prevent unauthorized access to customer data.
Unique network system authentication enforced
The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Shell (SSH) keys.
Portable media encrypted
The company encrypts portable and removable media devices when used.
Employee background checks performed
The company performs background checks on new employees.
MDM system utilized
The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.
Password policy enforced
The company requires passwords for in-scope system components to be configured according to the company's policy.
Confidentiality Agreement acknowledged by contractors
The company requires contractors to sign a confidentiality agreement at the time of engagement.
Asset disposal procedures utilized
The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.
Penetration testing performed
The company's penetration testing is performed annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.
Data encryption utilized
The company's datastores housing sensitive customer data are encrypted at rest.
Data transmission encrypted
The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.
Vulnerability and system monitoring procedures established
The company's formal policies outline the requirements for the following functions related to IT / Engineering: vulnerability management, system monitoring.
Continuity and disaster recovery plans tested
The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.
Incident response plan tested
The company tests their incident response plan at least annually.
Access requests required
The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.
Backup processes established
The company's data backup policy documents requirements for backup and recovery of customer data.
Incident response policies established
The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.
Configuration management system established
The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.
Management roles and responsibilities defined
The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.
Security policies established and reviewed
The company's information security policies and procedures are documented and reviewed at least annually.
Data center access reviewed
The company reviews access to the data centers at least annually.
Physical access processes established
The company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners.
Development lifecycle established
The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.
Continuity and Disaster Recovery plans established
The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.
Customer data deleted upon leave
The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.
Data retention procedures established
The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.
Customer data retained
The company retains customer transaction data for the life of a customer account. No historic transaction data is purged until the customer account is deleted.
Data classification policy established
The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.
FAQ
Where is Clerk headquartered?
Clerk is registered in Lewes, DE with main headquarters located in San Francisco, CA. The team is fully remote.
Do you have a teleworking policy?
Our entire staff is fully remote, and leverages a zero trust model for login to the corporate environment.
Do you allow wireless access in your office locations?
We do not have a physical office.
Are guest wireless networks segregated from corporate wireless networks?
We do not have a physical office or guest wireless networks.
Do you have controls in place to prevent unauthorized access to the building(s) that provide services?
We do not have a physical office.
Are workforce members required to have photo IDs?
N/A
Do you always require visitors to wear ID badges and be escorted?
N/A
Do you use CCTV?
N/A
What is Clerk's competitive advantage?
Clerk is natively built into the Microsoft Teams and Slack ecosystems and offers key advantages when it comes to both support and sales flows via SMS and other communication channels. We support SMS and MMS natively, as well as WhatsApp. Our team is building out additional channels such as iMessage and RCS, with all capabilities on the same phone number. We pride ourselves on providing top-level support and fast feature development. For a full breakdown, refer to our website.
Where does Clerk store data?
Clerk uses the AWS us-west-2 region for processing and storage of data.
Do you have a formal encryption policy?
All services must communicate via the latest version of TLS.
Is data encrypted at rest and in transit ?
Yes
Is data at rest and in storage encrypted?
Our data is encrypted by AWS' managed encryption service.
Do you have an access management policy?
Yes, we leverage AWS Identity and Access Management (IAM) controls.
Do you have password length requirements in place?
Yes, and we also enforce multi-factor authentication.
Do you have password character requirements in place?
Yes
Do you have password history requirements in place?
Yes
Are default passwords required to be changed upon initial login?
Yes
Do you have audit logging capabilities?
Yes, via AWS CloudWatch.
Could we see a sample of a data extraction so that we know what it looks like?
You can find a sample of the export here.
Do you segment your network?
Yes, the network is fully segmented within an AWS VPC. In particular, we split it into public and private subnets: the private subnets contain the RDS databases, and the public subnets contain the application's public-facing endpoints.
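A subnet is only "private" if its effective route table has no default route to an internet gateway; a subnet with no explicit route-table association silently inherits the VPC's main table, which is a common way for an RDS subnet to end up reachable. The following is an added example, not code from Clerk or Vanta, that audits that property over data shaped like the EC2 DescribeRouteTables and RDS DescribeDBSubnetGroups responses. The route tables, subnet IDs and DB subnet group below are constructed sample data; in practice you would fill them from boto3 `describe_route_tables()` and `describe_db_subnet_groups()` calls.

```python
"""Check that every subnet in an RDS DB subnet group is actually private."""

IGW_PREFIX = "igw-"  # GatewayId of an internet gateway route


def route_table_for_subnet(route_tables, subnet_id):
    """Return the route table explicitly associated with subnet_id, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def is_public_subnet(route_tables, subnet_id):
    """A subnet is public if its effective route table sends 0.0.0.0/0 or ::/0 to an IGW."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return False
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        gateway = route.get("GatewayId", "")  # NAT routes use NatGatewayId, not GatewayId
        if dest in ("0.0.0.0/0", "::/0") and gateway.startswith(IGW_PREFIX) \
                and route.get("State", "active") == "active":
            return True
    return False


def audit_db_subnet_groups(route_tables, db_subnet_groups):
    """Map each DB subnet group name to the list of its subnets that are public (empty list = clean)."""
    findings = {}
    for group in db_subnet_groups:
        public = [s["SubnetIdentifier"] for s in group["Subnets"]
                  if is_public_subnet(route_tables, s["SubnetIdentifier"])]
        findings[group["DBSubnetGroupName"]] = public
    return findings


# Constructed sample data (hypothetical IDs), not taken from any real account.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
IGW = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}
NAT = {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def", "State": "active"}

ROUTE_TABLES = [
    # Main table carries an IGW route: any subnet without an explicit association is public.
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL, IGW]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub"}], "Routes": [LOCAL, IGW]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv-a"}], "Routes": [LOCAL, NAT]},
]

DB_SUBNET_GROUPS = [
    {"DBSubnetGroupName": "db-private",
     "Subnets": [{"SubnetIdentifier": "subnet-priv-a"},
                 {"SubnetIdentifier": "subnet-priv-b"}]},  # no association -> inherits rtb-main
]

if __name__ == "__main__":
    for name, public in audit_db_subnet_groups(ROUTE_TABLES, DB_SUBNET_GROUPS).items():
        status = "OK" if not public else f"PUBLIC subnets: {', '.join(public)}"
        print(f"{name}: {status}")
```

In the sample, `subnet-priv-b` is reported as public even though it is named as private, because it has no explicit route-table association and the main table has an internet-gateway default route. Blackhole routes are excluded via the `State` check.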
Do you have an Intrusion Detection System/Intrusion Prevention System in place?
Yes, we leverage AWS built-in services such as CloudTrail and GuardDuty to proactively monitor security risks within our environment.
Do you have a diagram of your security architecture?
Yes, on hand by specific request
Do you have a diagram of your data flows?
Yes, on hand by specific request
Are development, test, and production environments logically and physically segregated?
Yes. They are logically separated in AWS, and physically separated in AWS Data Centers
Are system and security patches applied to workstations on a regular basis?
Yes, we run security patches routinely across all workstations and application nodes.
Have you implemented firewalls?
We leverage AWS security groups for access control into our environment and AWS WAF in front of our applications.
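Security groups only enforce the segmentation described above if no rule exposes a non-web port to the internet. The following is an added example, not code from Clerk or Vanta, that flags such rules in data shaped like the EC2 DescribeSecurityGroups response: any ingress rule from `0.0.0.0/0` or `::/0` is reported unless it is a single TCP port in an allow-list (80 and 443 by default), and protocol `-1` is treated as all ports. The group IDs and rules are constructed sample data; in practice the list would come from boto3 `describe_security_groups()`.

```python
"""Flag security group ingress rules that open non-web ports to the whole internet."""

WEB_PORTS = {80, 443}  # the only ports expected to be world-reachable (behind WAF)


def world_open(ip_range):
    """True if an IpRanges/Ipv6Ranges entry matches everything."""
    return ip_range.get("CidrIp") == "0.0.0.0/0" or ip_range.get("CidrIpv6") == "::/0"


def rule_ports(perm):
    """Return the (from, to) port span of an IpPermissions entry; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def audit_security_groups(groups, allowed_public_ports=WEB_PORTS):
    """Return (group id, protocol, from port, to port, cidr) for each world-open rule outside the allow-list."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = rule_ports(perm)
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                if not world_open(rng):
                    continue  # rules from a specific CIDR or another security group are fine
                if perm.get("IpProtocol") == "tcp" and lo == hi and lo in allowed_public_ports:
                    continue  # a single allow-listed web port
                findings.append((sg["GroupId"], perm.get("IpProtocol"), lo, hi,
                                 rng.get("CidrIp") or rng.get("CidrIpv6")))
    return findings


# Constructed sample data (hypothetical IDs), not taken from any real account.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        # Correct: Postgres only from the web tier's security group.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        # Misconfiguration: Postgres from anywhere.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-ssh", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},  # restricted source, fine
    ]},
    {"GroupId": "sg-admin", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # all ports, all sources
    ]},
]

if __name__ == "__main__":
    for gid, proto, lo, hi, cidr in audit_security_groups(SECURITY_GROUPS):
        print(f"{gid}: {proto} {lo}-{hi} open to {cidr}")
```

Rules whose source is another security group (`UserIdGroupPairs`) carry no CIDR and are never flagged, which is the pattern that keeps a database tier reachable only from the application tier.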
Do you have hardening controls in place?
Multiple internal and external controls offered by AWS are implemented within the organization. In particular, GuardDuty is used as a proactive mechanism for finding and mitigating potential security risks within our environment.