👨‍⚖️ Legal Information

Security Policy

Last updated: May 28, 2026.

Hello Clerk, Inc. is committed to protecting the confidentiality, integrity, and availability of its services and the data entrusted to it. This Security Policy describes the technical and organisational measures Hello Clerk implements to safeguard its systems and customer data.

This Security Policy is supplemental to, and should be read together with, our https://helloclerk.io/legal/data-processing-agreement/ and our https://helloclerk.io/legal/privacy-policy/.

1. Scope

This Security Policy covers the production environment in which Hello Clerk provides its services (the “Services”), including hosting infrastructure, application code, customer data, and the personnel and tools involved in operating the Services.

2. Hosting and Infrastructure

Hello Clerk’s Services are hosted entirely within the European Union, in data centres operated by Hetzner Online GmbH in Germany. Hetzner is independently certified under recognised security standards, including ISO/IEC 27001 and the BSI C5 (Cloud Computing Compliance Criteria Catalogue). Physical access controls at the data centres include 24/7 monitoring, video surveillance, and access restricted to authorised personnel.

Hello Clerk does not operate its own physical data centres and relies on Hetzner to provide physical and environmental security for the underlying infrastructure.

3. Network and Transport Security

All network communication between users and the Services is encrypted in transit using industry-standard Transport Layer Security (TLS) protocols. TLS certificates are issued and managed through Let’s Encrypt, with automatic renewal to prevent certificate expiry.

Production systems are accessible only over encrypted channels, and unencrypted traffic to production endpoints is rejected.

4. Access Control

Access to production systems, infrastructure, and customer data is strictly limited to authorised personnel of Hello Clerk on a need-to-know basis. Hello Clerk operates as a small organisation, and the number of individuals with administrative access to production is kept to the minimum necessary for operations.

Multi-factor authentication (MFA) is enforced for all administrative access to production systems and supporting tools (including hosting infrastructure, source code repositories, and configuration management systems).

Access rights are reviewed and revoked promptly when no longer required.

5. Secrets Management

Application secrets, API keys, database credentials, and similar sensitive configuration values are stored exclusively in encrypted environment configuration provided by Hello Clerk’s infrastructure management platform. No secrets are committed to source code repositories or stored in plain-text files within the production environment.

6. Endpoint Security

All devices used by Hello Clerk personnel to access production systems or sensitive data have full-disk encryption enabled (e.g., FileVault on macOS) and are protected by strong authentication.

7. Data Security

7.1. Data in transit

Customer Data is encrypted in transit over public networks using TLS.

7.2. Data segregation

Customer Data is logically segregated within Hello Clerk’s systems such that each customer’s data is accessible only in the context of that customer’s use of the Services.

7.3. Backups

Hello Clerk maintains regular automated backups of customer data and infrastructure state. Backups are stored in Cloudflare R2 object storage within the European Union, separate from the primary production environment, providing geographic and operational redundancy. Restoration procedures have been verified.

8. Application Security

Hello Clerk follows secure software development practices, including:

  • Code review of changes to production code, supported by automated tooling and AI-assisted review;
  • Use of established, maintained dependencies, with monitoring for known vulnerabilities in third-party packages;
  • Standard input validation, parameterised database queries, and output encoding to mitigate common application-level risks;
  • Production deployments through a controlled, versioned configuration management workflow.

9. Email Security

Hello Clerk’s domains are configured with industry-standard email authentication mechanisms, including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC), to reduce the risk of email spoofing and phishing impersonating Hello Clerk.

10. Logging and Monitoring

Hello Clerk maintains a self-hosted log aggregation and monitoring system covering production application events, infrastructure access, and material changes to production environments. Alerts on significant operational and security events are routed to a real-time notification channel for prompt review.

11. Incident Response

Hello Clerk treats security incidents and suspected security incidents as a priority. When a security incident is identified, Hello Clerk:

  • Investigates the nature and scope of the incident;
  • Takes reasonable steps to contain and mitigate the incident;
  • Where the incident affects Customer Data, notifies affected customers in accordance with the timelines and procedures set out in the Data Processing Agreement;
  • Conducts a post-incident review to identify and implement improvements.

Hello Clerk leverages advanced reasoning tools, including modern AI-assisted analysis, to support incident assessment and response planning.

12. Responsible Disclosure

Hello Clerk welcomes reports of potential security vulnerabilities from security researchers and the public. To report a suspected vulnerability or security concern, please contact security@helloclerk.io.

Hello Clerk asks that reporters:

  • Provide a clear description of the issue, including steps to reproduce it where possible;
  • Allow Hello Clerk a reasonable period of time to investigate and address the issue before any public disclosure;
  • Avoid accessing, modifying, or destroying data that does not belong to the reporter;
  • Avoid actions that may degrade the availability of the Services.

Hello Clerk does not currently operate a paid bug bounty programme.

13. Sub-processors and Third Parties

Hello Clerk relies on a limited number of third-party service providers (sub-processors) to operate the Services. The current list of sub-processors is published at https://helloclerk.io/legal/sub-processors/. Hello Clerk imposes contractual obligations on each sub-processor consistent with the requirements of applicable data protection law.

14. Certifications

Hello Clerk does not currently hold independent security certifications such as SOC 2 or ISO/IEC 27001. The Services rely on the security posture of independently certified infrastructure providers (including Hetzner) and on the technical and organisational measures described in this Security Policy.

15. Changes to this Security Policy

Hello Clerk may update this Security Policy from time to time to reflect changes in our practices, infrastructure, or applicable requirements. The “Last updated” date at the top of this Security Policy indicates when it was most recently revised. Material changes will be communicated by updating the version published at https://helloclerk.io/legal/security-policy/.

16. Contact

For general questions about this Security Policy, please contact legal@helloclerk.io. For suspected security vulnerabilities, please use security@helloclerk.io.

Have question? ✉️ Contact us. We are ❤️ happy to talk!

Hello Clerk, Inc.
651 N Broad St, Suite 206, Middletown, DE 19709, USA