| Category | Criterion | Control Summary | Evidence |
|---|---|---|---|
| Security | CC1.1 – Control Environment | Policies approved by Exec; ISO 27001 governance structure | Board minutes, policy documents |
| Security | CC6.1 – Logical Access | MFA via Google Workspace SSO; RBAC; bi-monthly reviews | Access reports, Jira tickets |
| Security | CC7.1 – Change Management | GitHub PRs with peer review; automatic CI security scans | PR logs, Snyk reports |
| Security | CC7.2 – Incident Detection | Centralised logging & SIEM with Better Stack alerts | Alert configs, SIEM screenshots |
| Security | CC8.1 – Network Security | AWS WAF, VPC Service Controls | Terraform manifests, AWS WAF rules |
| Availability | A1.1 – Infrastructure Capacity | Autoscaling EC2 & Application Auto Scaling; 75% headroom target | CloudWatch metrics, capacity review docs |
| Availability | A1.2 – Data Backup | Point-in-time DB backups & hourly S3 snapshots | Backup configs, restore test records |
| Availability | A1.2 – Data Backup | MySQL dumps + hourly S3 snapshots (replicated to eu-west-1) | Backup configs, restore test records |
| Confidentiality | C1.1 – Encryption in Transit | TLS 1.3 enforced at edge & internal | SSL scan reports |
| Confidentiality | C1.2 – Encryption at Rest | AWS KMS CMK for MySQL volumes & S3 | KMS configs, CloudTrail logs |
| Processing Integrity | PI1.1 – Data Processing Accuracy | Automated unit & integration tests; CRC checks on batch jobs | Test coverage reports, Redshift checks |
| Processing Integrity | PI1.2 – System Input Validation | API gateway & schema validation; CI tests for input models | API logs, test suites |
| Processing Integrity | PI1.3 – Data Processing Completeness | Kafka stream checksums & Redshift reconciliations | Redshift audit queries |
| Processing Integrity | PI1.4 – Output Accuracy & Timeliness | Webhook retries & SLA monitoring | Webhook logs, SLA reports |
| Privacy | P1.1 – Privacy Notice | https://www.clerk.io/privacy published & reviewed annually | Website capture, review log |
| Privacy | P6.1 – Data Subject Rights | Ticket workflow for DSARs; 30-day SLA | Jira workflow, sample response |
| Security | CC2.2 – Communication of Objectives | Security awareness training & bi-monthly All-hands updates | Training records, slide decks |
| Security | CC3.1 – Risk Assessment Process | Formal ISO 27005-style risk assessment with bi-monthly committee review | Risk Assessment Report, committee minutes |
| Security | CC3.2 – Risk Identification | Formal Risk Assessment per ISO 27001 | Risk Assessment Report |
| Security | CC3.3 – Identify Potential Business Impacts | Business Impact Analysis feeds BC/DR Plan & risk register | BIA docs, BC/DR plan |
| Security | CC3.4 – Risk Mitigation | Risk Treatment Plan tracked by internal AI agents; controls mapped in SoA | Risk Treatment Plan, SoA |
| Security | CC4.1 – Control Monitoring | Continuous control monitoring via internal AI agents & weekly review | Governance dashboards |
| Security | CC5.1 – Control Design & Implementation | Secure SDLC policy, IaC baselines, peer review gates | SDLC policy, GitHub PR logs |
| Security | CC5.2 – Control Operation | Continuous control monitoring via internal AI agents & weekly dashboard review | Governance dashboards, review minutes |
| Security | CC5.3 – Vendor Management | Due-diligence questionnaires & annual reviews | Vendor register, questionnaires |
| Confidentiality | C1.3 – Disposal | Automated object lifecycle rules + secure wipe | S3 lifecycle policies |
| Privacy | P2.1 – Choice & Consent | SDK opt-in/out flags; UI toggle in Dashboard | SDK code, UI screenshots |
| Privacy | P3.1 – Choice & Consent | SDK opt-in/out flags; UI toggle in Dashboard | SDK code, UI screenshots |
| Privacy | P4.1 – Collection Limitation | Data minimisation enforced at SDK & API layer; no unnecessary PII | SDK docs, DPIA |
| Privacy | P5.1 – Use, Retention & Disposal | Retention schedules & crypto-shredding per policy | Retention policy, S3 lifecycle logs |
| Privacy | P7.1 – Access | DSAR workflow & DPO oversight | Jira tickets, response logs |
| Privacy | P8.1 – Consent Management | Customer SDK supports opt-in/opt-out flags | API docs, code samples |