Security policy
Last updated: 26 May 2026
Clerkfolio is committed to protecting the security of the service and the personal data of our users. We welcome good-faith security research and responsible disclosure.
Report a vulnerability
Email admin@clerkfolio.co.uk with details of the issue. Please include steps to reproduce and any supporting evidence. We will acknowledge your report within 3 business days.
Vulnerability disclosure policy
We operate a coordinated vulnerability disclosure programme. If you discover a security vulnerability in Clerkfolio, we ask that you report it to us privately before disclosing it publicly, giving us a reasonable opportunity to investigate and address the issue.
Scope
The following are in scope for security research:
- clerkfolio.co.uk and all subdomains
- The Clerkfolio web application (portfolio, case diary, sharing, exports, authentication)
- Clerkfolio application API routes that back the web app
Out of scope
The following are explicitly out of scope. Reports in these categories will not be acted upon and may void safe-harbour protections:
- Denial of service or resource exhaustion attacks of any kind (including volumetric, application-layer, or slowloris-style)
- Social engineering, phishing, or other attacks targeting Clerkfolio staff or users
- Physical attacks on infrastructure
- Issues in third-party services or infrastructure outside our reasonable control (Supabase, Vercel, Stripe, Resend, Upstash)
- Automated scanning of production systems without prior written permission
- Attacks against systems, accounts, or data belonging to other users without their consent
- Non-exploitable information disclosures with no realistic attack path (e.g. version banners, missing optional headers)
- Clickjacking on pages with no sensitive actions
- Missing DNSSEC, CAA records, or similar hardening that is not exploitable in context
Safe harbour
Clerkfolio will not pursue civil or criminal action against researchers who:
- Report vulnerabilities to us privately at admin@clerkfolio.co.uk before any public disclosure.
- Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability.
- Do not disrupt or degrade the service for other users.
- Stay within the scope defined above.
- Act in good faith throughout the disclosure process.
Good-faith research that complies with these guidelines is authorised. We will work with you to understand and address the issue quickly.
Response SLA
- Acknowledgement: within 3 business days of receiving your report.
- Initial triage: within 10 business days.
- Critical or high severity fix: we aim to deploy a fix within 30 calendar days of confirming the issue. We will keep you updated on progress.
- Medium and low severity: addressed on a risk-based schedule; typically within 90 calendar days.
We will co-ordinate a disclosure timeline with you and aim to allow public disclosure after a fix is deployed or after 90 days from the date of your report, whichever is sooner, unless we agree a different timeline in writing.
Bug bounty and recognition
Clerkfolio does not operate a paid bug bounty programme at this time. We may offer public credit (in a security acknowledgements page, if you consent) or a small token of appreciation at our discretion for valid, in-scope reports. We appreciate the time and skill of independent security researchers.
Security measures overview
Clerkfolio implements defence-in-depth across the application stack:
- Encryption at rest (Supabase managed encryption, eu-west-2) and in transit (HTTPS/TLS 1.2+)
- Row-level security (RLS) on all Supabase database tables
- Supabase Auth with PKCE flow; session management with expiry and revocation
- CSRF origin validation on all state-changing API routes
- Rate limiting via Upstash Redis on public and sensitive endpoints
- Hashed IP addresses and hashed PINs for share-link access control
- Server-side MIME type and file-format validation for evidence uploads; antivirus scanning is not currently provided
- Content Security Policy, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers
- Soft-delete only across all user data; no immediate hard deletes
- Session fingerprint tracking to detect and revoke suspicious sessions
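As an added example that is not Clerkfolio's own code, the following TypeScript shows the shape of two items in the list above: an Origin/Referer check of the kind "CSRF origin validation on all state-changing API routes" describes, and a response-header set covering the header families named. The allowed-origin list, the policy values, the request shape and the function names are assumptions made for illustration, not the service's actual configuration.

```typescript
// Added example (not Clerkfolio's code): CSRF origin validation for
// state-changing API routes, plus the security-header families named on the
// page. Origins, header values and the request type are assumptions.

type IncomingRequest = {
  method: string;
  // Header names are matched case-insensitively; values are raw header strings.
  headers: Record<string, string | undefined>;
};

const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Assumed trusted origins; a deployment would load these from configuration.
const ALLOWED_ORIGINS: readonly string[] = [
  "https://clerkfolio.co.uk",
  "https://app.clerkfolio.co.uk",
];

function header(req: IncomingRequest, name: string): string | undefined {
  const key = Object.keys(req.headers).find(
    (k) => k.toLowerCase() === name.toLowerCase(),
  );
  return key === undefined ? undefined : req.headers[key];
}

// Reduce a header value to a bare origin (scheme://host[:port]) with the URL
// parser, so a lookalike host such as "https://clerkfolio.co.uk.evil.example"
// or a path suffix cannot slip past a naive prefix or substring comparison.
// Unparseable values and the literal "null" origin (sent from sandboxed or
// opaque contexts) are treated as absent.
function toOrigin(value: string | undefined): string | undefined {
  if (!value || value === "null") return undefined;
  try {
    return new URL(value).origin;
  } catch {
    return undefined;
  }
}

type OriginCheck = { ok: true } | { ok: false; reason: string };

// Decide whether a state-changing request came from a trusted origin.
// Safe methods are exempt. Origin is authoritative when present; if a browser
// omits it, Referer is consulted; a request carrying neither is rejected,
// because a cross-site form post can look exactly like that.
function checkOrigin(
  req: IncomingRequest,
  allowed: readonly string[] = ALLOWED_ORIGINS,
): OriginCheck {
  if (!STATE_CHANGING.has(req.method.toUpperCase())) return { ok: true };
  const allowedSet = new Set(allowed.map((o) => new URL(o).origin));

  const origin = toOrigin(header(req, "origin"));
  if (origin !== undefined) {
    return allowedSet.has(origin)
      ? { ok: true }
      : { ok: false, reason: `untrusted origin ${origin}` };
  }
  const referer = toOrigin(header(req, "referer"));
  if (referer !== undefined) {
    return allowedSet.has(referer)
      ? { ok: true }
      : { ok: false, reason: `untrusted referer origin ${referer}` };
  }
  return { ok: false, reason: "missing Origin and Referer on state-changing request" };
}

// Response headers for the families listed on the page. The policy values are
// illustrative assumptions, not Clerkfolio's settings.
function securityHeaders(): Record<string, string> {
  return {
    "Content-Security-Policy":
      "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  };
}

// Constructed sample requests for a stand-alone run.
const samples: Array<[string, IncomingRequest]> = [
  ["same-origin POST", { method: "POST", headers: { Origin: "https://clerkfolio.co.uk" } }],
  ["cross-site POST", { method: "POST", headers: { origin: "https://evil.example" } }],
  ["lookalike host", { method: "DELETE", headers: { Origin: "https://clerkfolio.co.uk.evil.example" } }],
  ["referer fallback", { method: "POST", headers: { Referer: "https://app.clerkfolio.co.uk/portfolio/123" } }],
  ["no headers", { method: "PATCH", headers: {} }],
  ["GET, no check", { method: "GET", headers: {} }],
];
for (const [label, req] of samples) {
  console.log(label, "->", JSON.stringify(checkOrigin(req)));
}
console.log(securityHeaders());
```

The origin check complements rather than replaces session handling: it stops a cross-site page from driving a cookie-authenticated state change, which is the class of issue the list item is about, and the parsed-origin comparison is the detail most often got wrong when this check is hand-rolled.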
More detail is available in our Data Processing Agreement. Third-party security posture is governed by each provider's own controls and certifications - see the subprocessors page.
Contact
- Security reports: admin@clerkfolio.co.uk
- General / data protection: admin@clerkfolio.co.uk