ClickTerm Security Overview

Published on: 29/01/2026 | Version: 2.0

This Security Overview describes ClickTerm’s security approach at a high level. It is intended to support customer due diligence, procurement review, and security questionnaires.

Important: This Security Overview is informational only and does not create binding contractual commitments. Binding security and data protection obligations (including breach notification and security measures) are set out in ClickTerm’s agreement with you (including the ClickTerm Terms of Use and Data Processing Addendum (DPA)).

1) Scope

This Security Overview covers ClickTerm’s approach to security for:

  • the ClickTerm web application (Admin Console),

  • ClickTerm APIs and SDK integration endpoints,

  • Clickwrap workflow data and evidence artifacts (such as logs and certificates),

  • operational processes used to maintain the Service.

ClickTerm is a platform for managing clickwrap agreements and recording evidence of End User interactions. Core concepts like Clickwrap Events, Audit Logs, and Certificates of Acceptance are designed to help customers demonstrate what was presented, what action was taken, and when it occurred.

2) Shared responsibility model

Security in a SaaS environment is a shared responsibility:

ClickTerm is responsible for (high level):

  • security of the ClickTerm platform and supporting infrastructure,

  • access controls to ClickTerm internal systems,

  • monitoring, incident response, and platform-level security safeguards,

  • maintaining reasonable technical and organizational measures for the Service.

You (the customer) are responsible for:

  • configuration and secure use of the Service (including access permissions and API keys),

  • your End User identity and authentication, unless you enable ClickTerm-provided mechanisms,

  • the content of your clickwraps and the data you choose to include in templates/placeholders,

  • obtaining required notices/consents from End Users and complying with your own legal obligations.

3) Security governance and risk management

ClickTerm’s security program is designed to support the confidentiality, integrity, and availability of the Service. Key elements typically include:

  • documented security policies and operational procedures,

  • access control and least-privilege practices,

  • vendor and sub-processor review and contractual controls,

  • change management practices intended to reduce operational risk,

  • security incident response planning and internal escalation.

4) Access security

ClickTerm implements access controls intended to reduce the risk of unauthorized access.

For ClickTerm customers (Admin Console and APIs):

  • role-based access concepts and tenant isolation (Organization-level separation),

  • authentication controls in the Admin Console (with security logging of key account activities),

  • API authentication via credentials/keys issued for your Organization (you are responsible for key storage and rotation on your side).

For ClickTerm internal access:

  • restricted access to production systems based on job function and operational necessity,

  • administrative actions and system access may be logged and monitored.

5) Data protection and privacy alignment

ClickTerm supports customers operating globally and is designed to work with common privacy frameworks. Where ClickTerm acts as a processor for Customer Personal Data, obligations are governed by the DPA, including requirements relating to:

  • processing on documented instructions,

  • security measures,

  • sub-processors,

  • international transfer mechanisms (where applicable),

  • deletion/return of data at end of service.

ClickTerm also publishes a Sub-Processors and Processors transparency list:

6) Security of data in transit and at rest

ClickTerm is designed to protect data as it moves through and is stored within the Service. Security controls typically include:

  • encryption in transit for communications between clients (browser/SDK/API consumers) and ClickTerm endpoints,

  • encryption at rest where supported by underlying storage systems and infrastructure configurations,

  • access controls and segmentation to prevent cross-tenant access.

Because infrastructure and configurations may evolve over time, detailed cryptographic parameters are not listed in this overview; customers with specific requirements may request additional technical details under NDA where appropriate.

7) Application and infrastructure security

ClickTerm applies layered controls intended to reduce risk across the application and its supporting infrastructure. Measures may include:

  • secure software development practices (including code review and testing practices appropriate to the Service),

  • input validation and protection against common web threats,

  • environment segregation (e.g., development vs production) where appropriate,

  • controlled deployment processes and change logging.

8) Logging, monitoring, and auditability

ClickTerm generates logs and records intended to support security monitoring, troubleshooting, and auditability.

Examples include:

  • authentication and security-relevant account events,

  • platform operational logs for availability and error diagnostics,

  • clickwrap-related records such as Clickwrap Events and Audit Logs, used to provide evidence of an End User action and associated metadata.

Logging and retention are designed to balance operational needs with data minimization principles and applicable legal requirements.

9) Incident response and breach handling

ClickTerm maintains incident response processes intended to support:

  • detection, triage, containment, remediation, and post-incident review,

  • customer communications where required,

  • legally required breach notifications under applicable data protection laws.

Where ClickTerm processes Customer Personal Data as a processor, breach notification obligations and timelines are described in the DPA.

10) Business continuity and resilience

ClickTerm is designed to maintain service availability and integrity through operational practices such as:

  • infrastructure redundancy and availability-oriented design choices (where appropriate),

  • backups and recovery procedures suitable for the Service,

  • capacity management and operational monitoring.

Specific uptime commitments, if any, are defined in the ClickTerm SLA (only for eligible paid plans).

11) Evidence artifacts and document integrity

ClickTerm is designed to support reliable evidence capture for clickwrap acceptance flows.

Depending on plan and configuration, ClickTerm may generate evidence artifacts such as a Certificate of Acceptance, which is intended to record that a specific End User accepted a specific Clickwrap Version at a specific time, and may be produced as a digitally signed PDF (PAdES-compatible where supported).

Note: Customers remain responsible for ensuring their clickwrap workflows and identity verification meet their legal and evidentiary requirements in each jurisdiction.

12) Vulnerability reporting and security contact

We welcome responsible security reports.

  • Security contact: support@clickterm.com

  • Please include: a description of the issue, steps to reproduce, affected endpoints/components, and any supporting screenshots/logs (avoid sending sensitive personal data where possible).

We will review reports and respond as appropriate. We ask that you do not publicly disclose potential vulnerabilities until we have had a reasonable opportunity to investigate and remediate.

13) Updates to this Security Overview

We may update this Security Overview from time to time to reflect changes in the Service or security practices. The “Published on” date and version above indicate the most recent update. If there is any conflict between this overview and the Agreement, the Agreement controls.