// Trust & Security Report

    Clerk.io ApS logo

    Clerk.io ApS

    AI-powered e-commerce personalization platform (Search, Recommendations, Chat, Audience, Email)

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR
    HELD

    These Contractual Clauses set out the rights and obligations of the data controller and the data processor, when processing personal data on behalf of the data controller. The Clauses have been designed to ensure the parties' compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.

    Verify on trust.clerk.io
    > Show 4 unconfirmed / not-held certifications
    ISO/IEC 27001
    NOT CONFIRMED

    We are compliant with the standards and frameworks listed above, but we are not yet certified by a third-party auditor. We have the intention to seek such certification in 2026.

    source: trust.clerk.io
    SOC 2 Type II
    NOT CONFIRMED

    Formal attestation is pending and we do not yet hold an external SOC 2 report.

    source: trust.clerk.io
    EU AI Act
    NOT CONFIRMED

    We are compliant with the standards and frameworks listed above, but we are not yet certified by a third-party auditor. We have the intention to seek such certification in 2026.

    source: trust.clerk.io
    HIPAA
    NOT CONFIRMED

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    EU only. Primary servers in Germany, backup in Ireland. Danish company (Clerk.io ApS, Copenhagen, VAT: DK33952848) governed by Danish law.

    Clerk.io does not train on individual customer data. Optional AI features (Chat assistance, AI-generated email drafts) send conversation transcripts or message content to OpenAI for LLM processing only; if these features are not enabled, no data is shared with OpenAI. Clerk.io may use data in anonymous or aggregated form for industry trends and statistics. Privacy policy also states each account is stored in separated data store containers.

    // Security controls

    Encryption in transit

    Yes, TLS 1.3 confirmed in Trust Services Criteria Mapping

    trust.clerk.io

    Encryption at rest

    Yes, self-reported

    trust.clerk.io

    Access controls

    Least-privilege; MFA via Google Workspace SSO

    trust.clerk.io

    Monitoring

    24/7 SIEM monitoring

    trust.clerk.io

    Penetration testing

    Regular penetration testing claimed (self-reported); frequency and third-party tester not publicly disclosed

    trust.clerk.io

    CI security scanning

    Automated SAST and SCA scans in CI pipeline

    trust.clerk.io

    Bug bounty

    Referenced internally in incident response plan (detection via bug bounty channel); no public HackerOne or Bugcrowd program found

    trust.clerk.io

    Data isolation

    Each customer account stored in separated data store containers

    trust.clerk.io

    Breach notification

    72-hour regulatory notification; customer notification within 24 hours for major incidents affecting over 5% of customers or involving PII

    trust.clerk.io

    Data Subject Rights API

    Privacy Information API and Privacy Forget API available; 30-day SLA for DSAR requests

    help.clerk.io

    // Products & data scope

    SearchE-commerce AI Search

    data: Visitor behavior (page views, clicks, queries), product catalog, sales data. No PII required unless customer is identified.

    Personalized search using behavioral and purchase intent data. No AI model training on individual customer data.

    RecommendationsProduct Recommendation Engine

    data: Customer behavioral data, order history, product catalog.

    Upsell and cross-sell engine; uses Clerk.io's proprietary AI trained on 15 years of e-commerce data. Customer data used for personalization within their own account, not shared across clients.

    ChatAI Chatbot

    data: Conversation transcripts shared with OpenAI for LLM processing when feature is enabled.

    Powered by OpenAI. Customer must opt in. Conversation content leaves Clerk.io infrastructure and is processed by OpenAI solely for the requested AI functionality. Disable in account settings to prevent data sharing with OpenAI.

    AudienceCustomer Segmentation

    data: Purchase intent signals, behavioral segments, email addresses. Segments exportable to Meta and Google Ads as Lookalike Audiences.

    Third-party ad platform integration means audience segment data may be shared with Meta/Google when Lookalike Audience export is used.

    EmailAI Email Personalization

    data: Subscriber list, behavioral data, product catalog. Optional AI email drafts send message content (which may include customer data) to OpenAI.

    AI-generated email drafts use OpenAI (optional); if not used, no data is shared. Dynamic email content is updated at open-time using behavioral signals.

    // What to watch

    • ISO 27001 and SOC 2 Type II are self-declared only: no third-party auditor has issued a certificate or attestation report as of June 2026. Clerk.io states formal certification is planned for 2026.
    • Privacy policy references EU-US Privacy Shield (invalidated in 2020 by Schrems II ruling); this is an outdated legal basis for US data transfers and should be flagged for review.
    • Optional AI Chat and AI Email features route conversation transcripts and message content to OpenAI. Customers must actively disable these features if OpenAI data sharing is prohibited under their own compliance requirements.
    • Audience product exports segments to Meta and Google Ads. Customers using Lookalike Audience export should verify their own DPA and consent obligations with those ad platforms.
    • Bug bounty program exists internally per incident response documentation but no public platform (HackerOne or Bugcrowd) listing was found. Scope and rewards are not publicly disclosed.

    // At a glance

    Pricing model

    Subscription, prepaid and billed periodically (monthly, quarterly, half-yearly, or yearly). Free trial available. Excess usage billed automatically. Business entities only.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Clerk.io ApS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.clerk.io

    > Browse all vendor trust reports