ClickTerm Security Overview

Published on: 29/01/2026 | Version: 1.0

This document provides a high-level overview of ClickTerm’s security posture and operational controls. It is intended for customer security reviews and procurement. It is not a contract; contractual commitments are set out in the Terms of Use and DPA.

ClickTerm is designed to minimize the number of third parties that may process end-user clickwrap flow data (Scope A), and to keep Scope A processing within a small, purpose-limited set of infrastructure and security providers.

1) Security-by-design principles

Data minimization for end-user flows (Scope A). ClickTerm defines a narrow end-user scope that typically includes clickwrap event metadata (accept/decline/pending, timestamps), technical metadata (IP, browser/device/user agent), optional placeholders, clickwrap version IDs, and audit trail entries—only as configured by the customer.

Least-privilege access. Access to systems and data is designed around “need-to-know” and least privilege, with operational controls for administrative access.

Defense in depth. ClickTerm combines cloud infrastructure controls, edge protection, application security practices, and monitoring/response capabilities.

2) Infrastructure and hosting

Core hosting (Scope A default). ClickTerm uses Amazon Web Services for hosting/storage of clickwrap versions, events, audit trails and related service data in Germany.

Edge security / traffic protection. ClickTerm uses Cloudflare for CDN/WAF/DDoS protection and may process IP/traffic metadata in connection with these protections.

Operational telemetry (configured to minimize personal data). ClickTerm uses monitoring and error/observability tooling and aims to avoid storing unnecessary personal data in these systems; depending on configuration, technical identifiers may appear.

3) Access controls

Role-based access. ClickTerm uses role-based access patterns to limit administrative and operational access.

Credential hygiene. Customer accounts authenticate via the Service; customers are responsible for protecting credentials and API keys and ensuring Authorized Users follow internal security policies (also reflected in the Terms of Use).

Administrative access safeguards. Administrative access to production systems is limited to authorized personnel and protected by access controls and logging. Remote access is restricted and managed through controlled channels.

4) Encryption and data protection

Encryption in transit. ClickTerm uses HTTPS/TLS for data transmitted between customers/end users and the Service.

Encryption at rest. ClickTerm leverages encryption-at-rest capabilities of underlying cloud infrastructure where supported and configured.

Segregation. ClickTerm applies tenant-aware isolation and access controls to prevent cross-customer access.
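The following is an added illustration of the tenant-aware lookup pattern this paragraph refers to; it is not ClickTerm's code, and the in-memory store, the sample events, the sample API keys and the names ClickwrapEvent, get_event, get_event_unscoped and ACCESS_LOG are assumptions made for the example. It contrasts an unscoped lookup by event ID, which would let one customer's key read another customer's record, with a lookup where the tenant is derived from the credential and the result is filtered by it. Denied cross-tenant lookups are recorded, since a run of them is a useful signal for the monitoring described in section 5.

```python
# Added illustration of tenant-aware isolation; not ClickTerm's code.
# The in-memory store, the sample events, the sample API keys and the names
# ClickwrapEvent / get_event / ACCESS_LOG are assumptions made for this example.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClickwrapEvent:
    event_id: str
    tenant_id: str
    clickwrap_version_id: str
    status: str        # "accept", "decline" or "pending"
    timestamp: str     # ISO 8601
    ip: str


# Constructed sample data: one accept event for tenant A, one decline for tenant B.
_EVENTS = {
    "evt-1001": ClickwrapEvent("evt-1001", "tenant-a", "cw-a/1.0", "accept",
                               "2026-01-29T10:00:00Z", "203.0.113.7"),
    "evt-2001": ClickwrapEvent("evt-2001", "tenant-b", "cw-b/2.1", "decline",
                               "2026-01-29T10:05:00Z", "198.51.100.9"),
}


def _digest(api_key: str) -> str:
    """API keys are stored and compared as SHA-256 digests, never in plaintext."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


# Constructed sample keys (assumption); a real deployment would issue random keys.
_API_KEYS = {
    _digest("ctk_live_tenant_a_example"): "tenant-a",
    _digest("ctk_live_tenant_b_example"): "tenant-b",
}

# Access log: every lookup, including denied cross-tenant attempts, is recorded
# so that repeated denials can feed security monitoring.
ACCESS_LOG = []


def tenant_for_api_key(api_key: str) -> str:
    """Resolve the caller's tenant from its API key; unknown keys are rejected."""
    presented = _digest(api_key)
    for stored, tenant in _API_KEYS.items():
        if hmac.compare_digest(stored, presented):
            return tenant
    raise PermissionError("unknown API key")


def get_event_unscoped(event_id: str) -> Optional[ClickwrapEvent]:
    """Vulnerable pattern: looks up by event ID alone, so any authenticated
    caller that guesses or enumerates an ID can read another tenant's event."""
    return _EVENTS.get(event_id)


def get_event(api_key: str, event_id: str) -> Optional[ClickwrapEvent]:
    """Hardened pattern: the tenant comes from the credential, not from the
    request body, and the record is returned only if it belongs to that tenant."""
    tenant = tenant_for_api_key(api_key)
    event = _EVENTS.get(event_id)
    allowed = event is not None and event.tenant_id == tenant
    ACCESS_LOG.append({"tenant": tenant, "event_id": event_id,
                       "outcome": "ok" if allowed else "denied"})
    # "Not found" and "belongs to another tenant" produce the same answer, so the
    # API does not act as an oracle for which event IDs exist elsewhere.
    return event if allowed else None


if __name__ == "__main__":
    print(get_event("ctk_live_tenant_a_example", "evt-1001"))  # own event: returned
    print(get_event("ctk_live_tenant_a_example", "evt-2001"))  # other tenant: None
    print(get_event_unscoped("evt-2001"))                       # unscoped: leaks
```

The same shape applies to list and export endpoints: every query is filtered by the tenant resolved from the credential before any user-supplied identifier is consulted.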

5) Logging, monitoring, and detection

Security and operational logging. ClickTerm records service events and maintains operational logs designed to support troubleshooting, security monitoring, and incident investigation.

Audit trails for clickwrap evidence. ClickTerm maintains clickwrap event records and audit trail entries as part of its core evidence and compliance functionality, consistent with the product’s purpose.

Observability controls. Monitoring providers may process technical telemetry; ClickTerm configures observability to minimize personal data where feasible.

6) Vulnerability management and secure development

Secure development practices. ClickTerm applies secure engineering practices during development and deployment (e.g., code review, dependency management, and change controls).

Vulnerability handling. ClickTerm triages and remediates security vulnerabilities in a risk-based manner, prioritizing issues that affect confidentiality, integrity, and availability.

7) Incident response

Incident management. ClickTerm maintains incident response procedures to detect, contain, remediate, and review security incidents.

Breach notification support. Where ClickTerm acts as a processor, breach notification obligations and timelines are handled per the DPA.

8) Business continuity and resilience

Service resilience. ClickTerm uses cloud infrastructure capabilities to support availability and recovery.

Backups and recovery. ClickTerm employs backup/recovery practices appropriate for a hosted SaaS service. Customers remain responsible for exporting and retaining records they need outside the Service (e.g., for long-term retention), consistent with self-serve termination expectations in the Terms.

9) Third parties and sub-processors

ClickTerm maintains a published Sub-Processors and Processors list, including a distinction between:

  • Scope A — End-user data (narrow scope), and

  • Scope B — Business/customer account data (broader scope).

For changes affecting Scope A, ClickTerm provides notice by publishing an updated version of the list in the Admin Console and requiring explicit re-acceptance, with changes effective no earlier than 30 days after publication (unless urgent security/fraud/legal needs require faster changes).

Current list:
https://api.clickterm.com/clickwrap/9ca82158-c7a6-4e1d-b803-d5f27b5a8164/2.3

10) Customer responsibilities (shared security)

Customers are responsible for:

  • controlling which data is included in clickwrap content and placeholders,

  • maintaining appropriate internal access controls for Authorized Users and API keys, and

  • configuring their end-user flows and retention/export practices to meet their legal and compliance obligations.

11) Contact

Security and privacy contact: [email protected]