Technology Risk Assessment
Technology Risk Assessment helps teams pressure-test a platform, vendor, or architectural decision before it becomes expensive to reverse. It frames the major risks clearly, documents likely consequences, and outlines mitigations in language stakeholders can use. It is a strong fit for advisory work, internal architecture reviews, procurement discussions, and transformation projects. Leaders who need a balanced view of tradeoffs can use it to move from intuition to a documented recommendation. The production-grade value is the format: summarized risk posture, structured registers, actionable mitigations, and a final recommendation. That makes the output usable in governance conversations, not just technical debate.
One-Time Purchase
$19.99
Technology Risk Assessment: Migrating Auth from Auth0 to Clerk
Decision scope: Replace incumbent identity provider on a B2B SaaS application (~180K MAU, 22 enterprise tenants, US-only today with EU expansion planned). Technology under review: Clerk (clerk.com), SaaS deployment, Next.js SDK path. Audience: CTO, Head of Platform, security owner, and the engineering lead sponsoring the migration.
Executive Summary
Headline
Migrating from Auth0 to Clerk is viable with conditions. Clerk wins on developer experience, integration time, and per-MAU economics at the current scale. The two concerns that gate the decision are a missing HIPAA BAA path (load-bearing if the planned health-data partnership closes) and a shorter production track record than Auth0. Net recommendation: Accept with conditions — sign migration intent contingent on a written BAA commitment, build a thin abstraction layer to keep the exit option, and run both providers in parallel for at least one full billing cycle.
Overall risk posture: Accept with conditions. Critical: 0 · High: 1 · Medium: 3 · Low: 2
Risk Register
| ID | Category | Risk | Likelihood | Impact | Severity | Owner |
|---|---|---|---|---|---|---|
| R-001 | Compliance | No HIPAA BAA available today; PHI may enter auth metadata via the planned health-data partnership | 4 | 4 | High (16) | Security + Legal |
| R-002 | Operations | Clerk publishes 99.95% SLA vs. Auth0's 99.99%; 3 customer-visible incidents in the last 6 months on status.clerk.com | 3 | 4 | Medium (12) | Platform |
| R-003 | Lock-in | Proprietary session model; no documented standards-based export (SCIM out, OIDC discovery only) | 3 | 3 | Medium (9) | Architecture |
| R-004 | Security | SOC 2 Type II first issued Dec 2025; Auth0 has 8+ years of audit history under Okta | 2 | 4 | Medium (8) | Security |
| R-005 | Data residency | EU data residency available but Asia-Pacific is US-routed; matters once APAC expansion lands | 2 | 3 | Low (6) | Platform |
| R-006 | Vendor concentration | Clerk owns both the IdP and the session UI surfaces; outage hits both | 2 | 3 | Low (6) | Platform |
Stay vs. Migrate
| Option | Summary | Path |
|---|---|---|
| Stay on Auth0 | Known-good incumbent | Renew current Enterprise contract on existing terms |
| Migrate to Clerk | Better DX, lower run-rate | Cutover over a single quarter with parallel run |
Migration Effort Snapshot
Where the engineering hours go
Mitigations
R-001 — HIPAA BAA is the gating item
Do not start the cutover until Clerk provides a written BAA commitment with a delivery date inside the migration window. If the health-data partnership is still firm and the BAA is not, two options remain: (a) keep PHI fully out of the auth layer by routing it through a separate HIPAA-eligible service, or (b) defer the migration by one quarter and revisit. Going live without a path here is the one scenario that turns this into a critical risk.
R-002 — Treat the SLA gap as real
The 0.04-point SLA delta is a few extra outage minutes per year on paper, but the recent incident pattern matters more than the headline number. Mitigations: cache session tokens locally with a 15-minute soft-fail window, surface a maintenance banner on auth failures, and rehearse the "Clerk is down" runbook before cutover — not after.
R-003 — Keep the exit cheap
Wrap every auth call in a repository-pattern abstraction (AuthProvider interface) so swapping providers is a single implementation change rather than a codebase-wide refactor. The added abstraction is one or two days of work and is the single highest-leverage mitigation in this register.
R-004 — Compensating controls
Request Clerk's most recent penetration test results, incident response runbook, and a copy of the SOC 2 Type II report under NDA. A short security questionnaire reviewed by the security owner closes most of the gap left by the shorter audit history.
Decision Criteria
| Criterion | Threshold to proceed | Status |
|---|---|---|
| Written HIPAA BAA commitment with date | Required before cutover | Open |
| Abstraction layer merged behind feature flag | Required before parallel run | In progress |
| Rollback runbook rehearsed end-to-end | Required before traffic shift | Not started |
| Parallel-run delta <0.1% session mismatch over 7 days | Required before 100% cutover | Not started |
| Per-MAU economics validated against current MAU mix | Confirmed before commitment | Done |
Recommendation
Proceed with the migration conditional on R-001 closing. Sequence the work so the abstraction layer lands first, parallel-run runs through one full billing cycle, and the 22 enterprise tenants cut over last after a short customer notice window. If the BAA commitment slips, renew Auth0 for one year and re-open the decision next cycle — the per-MAU savings do not justify a compliance gap.
This sample illustrates the skill's output format. Verify all vendor claims against the current published documentation and contracts before any procurement decision. Analysis based on publicly available information; ClearPoint Nexus is not affiliated with the companies named.
All sales final. No refunds on digital products.
Includes support for Claude Code, Codex, OpenClaw, and Google Antigravity in the same license.
Also in Business Intelligence Suite
Bundle price: $55. Compare this skill with the full workflow bundle or Pro access.
Best for
Architects framing a build-vs-buy decision, procurement leads stress-testing a vendor selection, and engineering managers preparing the risk section of a project charter. Strongest when the decision will go to a steering committee or governance review and a structured risk register is required to move forward.
Not ideal for
Highly specialized regulated domains (FedRAMP authorization boundaries, FDA SaMD risk class) where the assessment must be authored by a qualified specialist. Also a poor fit for low-stakes reversible decisions — the structured register is overhead when the cost of being wrong is a one-day rollback.
Included in this purchase
- Claude Code, Codex, OpenClaw, and Google Antigravity skill files.
- Setup guidance for the right adapter in your workspace.
- One-time license for the purchased skill version.
Setup
Plan for a short copy-and-configure setup in your preferred agent workspace. No custom integration is required for the skill file itself.
Future Updates
This purchase includes the current version of the skill. If you want future adapter updates — meaning compatibility and packaging updates as supported platforms evolve — plus new catalog additions included automatically, upgrade to Pro.