1. Policy Statement
Clerk.io ApS ("Clerk.io") is committed to protecting the confidentiality, integrity and availability of information, and to complying with all applicable legal, regulatory and contractual requirements, including ISO/IEC 27001:2022. This policy sets out the principles that govern how information security is managed across the organisation.
2. Objectives
- Safeguard customer and company information from unauthorised access, disclosure, alteration or destruction.
- Ensure that business-critical services maintain ≥99.9 % availability.
- Detect and respond to information-security incidents within 30 minutes of identification.
- Maintain compliance with GDPR, Data Privacy Framework and other relevant regulations.
- Continually improve the Information Security Management System (ISMS).
3. Scope
This policy applies to:
- All employees, contractors, interns and third parties who access Clerk.io information assets.
- All information assets—digital or physical—owned or processed by Clerk.io.
- All locations, including headquarters, remote offices and cloud environments.
4. Governance & Responsibilities
| Role | Responsibility |
| --- | --- |
| CEO | Provides strategic direction and approves the ISMS. |
| Information Security Manager | Operates and maintains the ISMS, reports KPIs, coordinates audits. |
| CTO & Engineering Leads | Implement technical controls, secure SDLC and infrastructure. |
| Data Protection Officer | Oversees privacy compliance and data-subject rights. |
| All Staff | Follow security policies & report incidents promptly. |
5. Policy Principles
- Risk-based approach – Security controls are selected based on formal risk assessment and the Statement of Applicability.
- Least privilege – Access is granted on a need-to-know basis and reviewed bi-monthly (every 2 months).
- Defense in depth – Multiple complementary controls are implemented to mitigate risk.
- Privacy by design & default – Personal data processing follows GDPR principles and uses cookieless technology where practicable.
- Continuous improvement – The ISMS is reviewed and improved using audit findings, metrics and lessons learned.
6. Compliance
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contract. Violations may also lead to civil or criminal liability.
7. Review & Maintenance
This policy is reviewed at least annually, or upon significant changes to business, legal or technological conditions.
| Version | Date | Author | Changes |
| --- | --- | --- | --- |
| 1.0 | 2025-07-01 | Information Security Manager | Initial issue |