How do I handle SOC 2 evidence when I use Clerk or Auth0 for authentication?

March 6, 2026 | 2 min read | SOC 2 for Specific Tech Stacks

How Third-Party Auth Affects SOC 2

Using Clerk or Auth0 simplifies SOC 2 because these services handle the hardest auth security concerns (password storage, session management, brute force protection) and have their own SOC 2 reports. Your responsibility is configuring them correctly and integrating them securely.

Evidence Structure

Layer                       | Responsibility          | Evidence
Auth service infrastructure | Clerk/Auth0 (inherited) | Their SOC 2 report
Configuration               | You                     | Screenshots of your MFA, session, and security settings
Integration                 | You                     | Code showing how your app uses their APIs for authorization
User management             | You                     | User list, role assignments, offboarding process

Configuration Evidence to Capture

From Clerk or Auth0 Dashboard

  1. MFA settings: Is MFA required, optional, or disabled?
  2. Session policies: Session timeout duration, token lifetime
  3. Password policies: Minimum length, complexity requirements
  4. Allowed auth methods: Email/password, social login, SSO
  5. Brute force protection: Lockout settings after failed attempts
  6. User list: All active users with roles

From Your Application Code

  1. Middleware/guards: How your app checks authentication on protected routes
  2. Role-based access: How you use Clerk/Auth0 roles or permissions in your app
  3. API protection: How API routes verify tokens

Referencing Their SOC 2 Report

Request the vendor's SOC 2 report and include it in your vendor management evidence. In your system description, write something like:

"User authentication is managed through Clerk, which maintains a SOC 2 Type II report. [Company] configures Clerk with MFA enforcement, 30-minute session timeouts, and role-based access control through Clerk Organizations."

Common Gaps

  • MFA not enforced: Clerk and Auth0 make MFA optional by default. Enable enforcement.
  • No session timeout: Configure session expiration (30-60 minutes for sensitive apps).
  • Missing offboarding: When an employee leaves, disable their Clerk/Auth0 account — don't just revoke SSO access.
  • Authorization in the app: Having Clerk/Auth0 handle authentication doesn't mean your app has authorization. You still need to check permissions in your API routes.


© 2025 Screenata. All rights reserved.