ISO 27001 ISMS Scope
1. Purpose
This document defines the scope and boundaries of the Information Security Management System (ISMS) implemented by Clerk.io ApS in accordance with ISO/IEC 27001:2022.
2. Organizational Context
- Company name: Clerk.io ApS
- Headquarters: Kigkurren 8G, 2300 Copenhagen, Denmark
- Founded: 2011
- Employees: ~51–200 across >25 nationalities
- Business: Cloud-based AI platform delivering e-commerce personalisation (Search, Recommendations, Chat, Audience, Email).
Clerk.io provides services to more than 2 500 online stores in 75+ countries (public figure). The ISMS therefore encompasses multi-jurisdictional data, including personal data governed by the GDPR and other regional privacy laws.
3. Scope Statement
The ISMS covers all information assets, business processes, infrastructure and personnel involved in the design, development, delivery, support and continual improvement of Clerk.io's SaaS platform and related corporate functions.
Included locations
- Copenhagen HQ (corporate office).
- Remote employees world-wide using company-owned or approved devices.
- Primary production systems hosted in Amazon Web Services (AWS) — public information.
Included activities
- Software engineering, QA and DevOps for the Clerk.io platform.
- Customer success, technical support and professional services.
- Sales, marketing and finance operations that handle customer data.
- Legal, compliance and HR processes related to information security.
Included assets
- Production & staging environments, CI/CD pipelines, source code repositories, customer and company data stores, laptops, mobile devices, documentation, and intellectual property.
Interfaces & dependencies
- Key suppliers: Amazon Web Services (AWS), Mail/SMS delivery vendors, payment processors.
- Customers integrate via REST APIs, SDKs and dashboards.
4. Exclusions
The following are explicitly excluded from the current ISMS scope:
- Personal devices not approved for company work.
- Third-party systems where Clerk.io has no management control (e.g. customer-owned e-commerce platforms).
- Non-production hobby or experimental projects hosted by employees outside sanctioned environments.
5. Assumptions & Constraints
- The ISMS relies on cloud service providers' compliance certifications (ISO 27001, SOC 2) for physical security controls.
- All remote work must comply with Clerk.io's Remote Working Policy (see separate document).
6. Stakeholders
Role | Name / Function | Responsibility |
CEO | Hans-Kristian Bjerregaard | Executive sponsorship |
Head of Product | Casper Nielsen | Technical ownership of platform security |
Information Security Manager | TODO | ISMS implementation & maintenance |
DPO | Hans-Kristian Bjerregaard | Data-protection compliance |
All Employees & Contractors | — | Adhere to security policies |
7. Document Control
- Version: 1.0
- Owner: Information Security Manager
- Approved by: CEO
- Effective date: 2025-07-01
- Next review: Within 12 months or upon significant change.