// Trust & Security Report
Clerk.io ApS
AI-powered e-commerce personalization platform (Search, Recommendations, Chat, Audience, Email)
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.clerk.io“These Contractual Clauses set out the rights and obligations of the data controller and the data processor, when processing personal data on behalf of the data controller. The Clauses have been designed to ensure the parties' compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.”
> Show 4 unconfirmed / not-held certifications
source: trust.clerk.ioWe are compliant with the standards and frameworks listed above, but we are not yet certified by a third-party auditor. We have the intention to seek such certification in 2026.
source: trust.clerk.ioFormal attestation is pending and we do not yet hold an external SOC 2 report.
source: trust.clerk.ioWe are compliant with the standards and frameworks listed above, but we are not yet certified by a third-party auditor. We have the intention to seek such certification in 2026.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
EU only. Primary servers in Germany, backup in Ireland. Danish company (Clerk.io ApS, Copenhagen, VAT: DK33952848) governed by Danish law.
Clerk.io does not train on individual customer data. Optional AI features (Chat assistance, AI-generated email drafts) send conversation transcripts or message content to OpenAI for LLM processing only; if these features are not enabled, no data is shared with OpenAI. Clerk.io may use data in anonymous or aggregated form for industry trends and statistics. Privacy policy also states each account is stored in separated data store containers.
// Security controls
Penetration testing
Regular penetration testing claimed (self-reported); frequency and third-party tester not publicly disclosed
trust.clerk.ioBug bounty
Referenced internally in incident response plan (detection via bug bounty channel); no public HackerOne or Bugcrowd program found
trust.clerk.ioBreach notification
72-hour regulatory notification; customer notification within 24 hours for major incidents affecting over 5% of customers or involving PII
trust.clerk.ioData Subject Rights API
Privacy Information API and Privacy Forget API available; 30-day SLA for DSAR requests
help.clerk.io// Products & data scope
data: Visitor behavior (page views, clicks, queries), product catalog, sales data. No PII required unless customer is identified.
Personalized search using behavioral and purchase intent data. No AI model training on individual customer data.
data: Customer behavioral data, order history, product catalog.
Upsell and cross-sell engine; uses Clerk.io's proprietary AI trained on 15 years of e-commerce data. Customer data used for personalization within their own account, not shared across clients.
data: Conversation transcripts shared with OpenAI for LLM processing when feature is enabled.
Powered by OpenAI. Customer must opt in. Conversation content leaves Clerk.io infrastructure and is processed by OpenAI solely for the requested AI functionality. Disable in account settings to prevent data sharing with OpenAI.
data: Purchase intent signals, behavioral segments, email addresses. Segments exportable to Meta and Google Ads as Lookalike Audiences.
Third-party ad platform integration means audience segment data may be shared with Meta/Google when Lookalike Audience export is used.
data: Subscriber list, behavioral data, product catalog. Optional AI email drafts send message content (which may include customer data) to OpenAI.
AI-generated email drafts use OpenAI (optional); if not used, no data is shared. Dynamic email content is updated at open-time using behavioral signals.
// What to watch
- ISO 27001 and SOC 2 Type II are self-declared only: no third-party auditor has issued a certificate or attestation report as of June 2026. Clerk.io states formal certification is planned for 2026.
- Privacy policy references EU-US Privacy Shield (invalidated in 2020 by Schrems II ruling); this is an outdated legal basis for US data transfers and should be flagged for review.
- Optional AI Chat and AI Email features route conversation transcripts and message content to OpenAI. Customers must actively disable these features if OpenAI data sharing is prohibited under their own compliance requirements.
- Audience product exports segments to Meta and Google Ads. Customers using Lookalike Audience export should verify their own DPA and consent obligations with those ad platforms.
- Bug bounty program exists internally per incident response documentation but no public platform (HackerOne or Bugcrowd) listing was found. Scope and rewards are not publicly disclosed.
// At a glance
Pricing model
Subscription, prepaid and billed periodically (monthly, quarterly, half-yearly, or yearly). Free trial available. Excess usage billed automatically. Business entities only.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Clerk.io ApS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.clerk.io