Security policy

Last updated: 15 May 2026

Clerkfolio is committed to protecting the security of the service and the personal data of our users. We welcome good-faith security research and responsible disclosure.

Report a vulnerability

Email security@clerkfolio.co.uk with details of the issue. Please include steps to reproduce and any supporting evidence. We will acknowledge your report within 3 business days.

Vulnerability disclosure policy

We operate a coordinated vulnerability disclosure programme. If you discover a security vulnerability in Clerkfolio, we ask that you report it to us privately before disclosing it publicly, giving us a reasonable opportunity to investigate and address the issue.

Scope

The following are in scope for security research:

  • clerkfolio.co.uk and all subdomains
  • The Clerkfolio web application (portfolio, case diary, sharing, exports, authentication)
  • Clerkfolio public API endpoints

Out of scope

The following are explicitly out of scope. Reports in these categories will not be acted upon and may void safe-harbour protections:

  • Denial of service or resource exhaustion attacks of any kind (including volumetric, application-layer, or slowloris-style)
  • Social engineering, phishing, or other attacks targeting Clerkfolio staff or users
  • Physical attacks on infrastructure
  • Issues in third-party services or infrastructure outside our reasonable control (Supabase, Vercel, Stripe, Resend, Upstash)
  • Automated scanning of production systems without prior written permission
  • Attacks against systems, accounts, or data belonging to other users without their consent
  • Non-exploitable information disclosures with no realistic attack path (e.g. version banners, missing optional headers)
  • Clickjacking on pages with no sensitive actions
  • Missing DNSSEC, CAA records, or similar hardening that is not exploitable in context

Safe harbour

Clerkfolio will not pursue civil or criminal action against researchers who:

  • Report vulnerabilities to us privately at security@clerkfolio.co.uk before any public disclosure.
  • Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability.
  • Do not disrupt or degrade the service for other users.
  • Stay within the scope defined above.
  • Act in good faith throughout the disclosure process.

Good-faith research that complies with these guidelines is authorised. We will work with you to understand and address the issue quickly.

Response SLA

  • Acknowledgement: within 3 business days of receiving your report.
  • Initial triage: within 10 business days.
  • Critical or high severity fix: we aim to deploy a fix within 30 calendar days of confirming the issue. We will keep you updated on progress.
  • Medium and low severity: addressed on a risk-based schedule; typically within 90 calendar days.

We will co-ordinate a disclosure timeline with you and aim to allow public disclosure after a fix is deployed or after 90 days from the date of your report, whichever is sooner, unless we agree a different timeline in writing.

Bug bounty and recognition

Clerkfolio does not operate a paid bug bounty programme at this time. We may offer public credit (in a security acknowledgements page, if you consent) or a small token of appreciation at our discretion for valid, in-scope reports. We appreciate the time and skill of independent security researchers.

Security measures overview

Clerkfolio implements defence-in-depth across the application stack:

  • Encryption at rest (Supabase managed encryption, eu-west-2) and in transit (HTTPS/TLS 1.2+)
  • Row-level security (RLS) on all Supabase database tables
  • Supabase Auth with PKCE flow; session management with expiry and revocation
  • CSRF origin validation on all state-changing API routes
  • Rate limiting via Upstash Redis on public and sensitive endpoints
  • Hashed IP addresses and hashed PINs for share-link access control
  • Server-side MIME type validation and malware scan tracking for evidence uploads
  • Content Security Policy, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers
  • Soft-delete only across all user data; no immediate hard deletes
  • Session fingerprint tracking to detect and revoke suspicious sessions
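The "CSRF origin validation on all state-changing API routes" item above names a control without showing the check. The following is an added illustration written for this page, not Clerkfolio's own implementation; the allowed-host list, the header layout (lower-cased keys in a plain object) and the fallback order are assumptions. It fails closed for non-safe methods when neither Origin nor Referer identifies a trusted host, and treats an explicit cross-site Sec-Fetch-Site as a reject regardless of the other headers.

```javascript
// Added example: Origin/Referer validation for state-changing requests.
// Illustrative code for this page, not Clerkfolio's implementation.

// Methods that must not change state and so need no origin check.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Assumed for this example: the hosts the application is served from.
const ALLOWED_HOSTS = new Set(['clerkfolio.co.uk', 'www.clerkfolio.co.uk']);

// Extract the host (with non-default port, if any) from a URL-valued header.
// Returns null for a missing or unparsable value, including the literal "null"
// origin a browser sends for opaque origins such as sandboxed iframes.
function hostOf(urlString) {
  try {
    return new URL(urlString).host.toLowerCase();
  } catch {
    return null;
  }
}

// Decide whether a request may proceed. `headers` is a plain object whose keys
// are lower-cased header names (assumption: the framework already normalises
// them). Returns { ok, reason } so a route handler can log the reason on 403.
function checkOrigin(method, headers, allowedHosts = ALLOWED_HOSTS) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { ok: true, reason: 'safe method' };
  }

  // Modern browsers send Sec-Fetch-Site; an explicit "cross-site" is a hard
  // reject. Its absence is not trusted on its own, so we still check origins.
  const fetchSite = (headers['sec-fetch-site'] || '').toLowerCase();
  if (fetchSite === 'cross-site') {
    return { ok: false, reason: 'sec-fetch-site is cross-site' };
  }

  // Origin is sent on cross-origin and most same-origin state-changing requests.
  // Exact host-set membership defeats suffix tricks like clerkfolio.co.uk.evil.example.
  if (headers['origin'] !== undefined) {
    const host = hostOf(headers['origin']);
    return host !== null && allowedHosts.has(host)
      ? { ok: true, reason: 'origin allowed' }
      : { ok: false, reason: 'origin not allowed' };
  }

  // Some clients omit Origin on same-origin requests; fall back to Referer.
  if (headers['referer'] !== undefined) {
    const host = hostOf(headers['referer']);
    return host !== null && allowedHosts.has(host)
      ? { ok: true, reason: 'referer allowed' }
      : { ok: false, reason: 'referer not allowed' };
  }

  // No way to attribute the request to a trusted page: fail closed.
  return { ok: false, reason: 'no origin or referer header' };
}

// Minimal route-guard shape: returns an HTTP status to short-circuit with,
// or null to let the handler run.
function guardStateChange(method, headers) {
  const result = checkOrigin(method, headers);
  return result.ok ? null : 403;
}

// Constructed sample requests for a stand-alone run.
console.log(guardStateChange('POST', { origin: 'https://clerkfolio.co.uk' }));   // null
console.log(guardStateChange('POST', { origin: 'https://evil.example' }));       // 403
console.log(guardStateChange('POST', {}));                                        // 403
```

The check complements, rather than replaces, SameSite cookie attributes and the session token itself: an allowed origin only establishes that a trusted page initiated the request, and the route still has to authenticate and authorise it.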

More detail is available in our Data Processing Agreement. Third-party security posture is governed by each provider's own controls and certifications; see the subprocessors page.

Contact