SaaS Security White Paper

    Information Security Management

    Management of Data Security in ChemAxon SaaS

    This document gives an overview of the security practices employed by ChemAxon to ensure the security of information while it resides within, or is processed by, the technical infrastructure of ChemAxon SaaS and the associated Subscription Services; that is, how we keep Customer data safe, accessible and available.

    As the basis for providing the Subscription Services to the Customer, ChemAxon makes available the ChemAxon Software, running in the e-business Hosting Environment provided by the Hosting Party. This overview identifies the set of measures that comprise ChemAxon’s information security system as it relates to the Subscription Services.

    Security related to the Subscription Services

    As indicated above, ChemAxon provides the Subscription Services by making the ChemAxon Software available, running in the e-business Hosting Environment provided by the Hosting Party. ChemAxon carefully selects the Hosting Party based on the following principles:

    • Reliable information security and operational control of the electronic information resources that are under the control of the Hosting Party

    • Full awareness of the sensitivity of Customer Data residing in or accessible through the relevant Subscription Service

    • Cost of preventive measures and controls designed to detect any errors or irregularities of the e-business Hosting Environment

    • The amount of responsibility that ChemAxon is willing to absorb

    Security-related services by the Hosting Party, including process security management, physical security and network security, are specified in separate documents made available by the Hosting Party. ChemAxon does not control the transfer of data over telecommunication facilities, including the Internet, beyond the use of secure connections, which are supported by ChemAxon and/or the Hosting Party. The Customer is advised to review the security features of the e-business Hosting Environment and the responsibilities of the Hosting Party, and to determine whether they meet the Customer’s security needs.

    Furthermore, ChemAxon cannot prevent third party disruptions of the e-business Hosting Environment or of Customer Data, although it has taken all commercially reasonable technical measures to avoid this eventuality. The Customer is advised to determine, and to implement, the appropriate procedures and controls regarding the security of Customer Data.

    ChemAxon shall assume no liability whatsoever for the security-related services by the Hosting Party and/or telecommunication facilities and/or third party disruptions of the e-business Hosting Environment or in connection with Customer Data.

    ChemAxon recognizes that absolute security of the Subscription Services against all threats is an unrealistic expectation that would require a prohibitively high level of resources. Our goal is therefore effective information security, which requires management planning to ensure that the environment is prepared to meet the challenges of detecting, responding to and recovering from any information security breach. To be successful, the determination of appropriate security measures must be part of the design and management of all systems relating to the Subscription Services, on the part of both ChemAxon and the Hosting Party.

    Process security management

    Process security management addresses threats from human factors, technology and procedures that may cause harm to any data or system. The key elements of our process security management related to the Subscription Services are security policies and procedures, and personnel security.

    Security policies and procedures

    ChemAxon is responsible for developing, implementing, enforcing and maintaining appropriate security policies to ensure the security of all ChemAxon Subscription Services and for controlling any breach that may occur. All relevant policies and any associated procedures, documents and records are proactively maintained to ensure that they remain effective and fit for purpose.

    Collectively, these policies specify the information security procedures for ensuring the confidentiality, integrity and availability of information assets. Formal processes are in place, reviewed and approved by the Compliance Officer; once approved, the appropriate audience is trained.

    Personnel security

    Personnel security control addresses ChemAxon’s ability to mitigate risk inherent in human interactions, including:

    • Security responsibilities: All ChemAxon employees are required to follow specific guidelines on their information security responsibilities. These include a formal commitment to follow the Information Security Management System, which is part of their Terms and Conditions of employment, and an Information Classification and Handling policy detailing the identification, labeling, handling and exchange of all information assets. All customer-specific information is treated as confidential at all times and is passed to third parties only when express permission has been granted. Only ChemAxon’s authorized personnel have access to the ChemAxon Hosted Services and Customer Data.

    • Training and Awareness: It is mandatory that all new ChemAxon employees receive information security awareness training as part of their induction process to the organization. In addition, this training is regularly reinforced with follow up designed to maintain and enhance information security understanding.

    • User access rights: Access to all systems and data is managed on a need-to-access basis. For ChemAxon information systems this is done through managed user rights tailored to the role the ChemAxon employee undertakes. These user roles are reviewed regularly to ensure that they remain current. In addition, all such users are authenticated to their role when they sign in to a system by a combination of a unique user name and a personal password, which must be changed on a regular basis.

    • Moving role and leaving the company: When an employee moves roles within ChemAxon, their access rights are reviewed and, if necessary, changed to reflect the requirements of the new role. When an individual leaves ChemAxon, all their access rights are removed from all systems and they are obliged to return all ChemAxon-owned information.

    Network security

    When any electronic information resource manages or contains restricted data, appropriate measures must be in place to safeguard against unauthorized access to the data. This covers not only the primary operational copy of the information but also data extracts and backup copies. Exposure of the data to viruses and other electronic forms of attack must also be considered.

    ChemAxon provides the Subscription Services with the following particular measures:

    Network segmentation, data access and connectivity

    ChemAxon operates its network on the principle of Defense in Depth. The strategy is to protect all assets that are managed, hosted or co-located behind multiple layers of defense, so that should one layer fail, another layer still provides the necessary protection.

    • Secure lines: ChemAxon provides the Subscription Services running in the e-business Hosting Environment over a secure connection.

    • Separate networks: the network is divided into subnets that are completely independent of each other.

    • Strict access rights to Accounts: end users access Account information and the Subscription Service on a need-to-access basis.

    • Secure storage of access information: access codes and other authentication parameters are stored in strict confidence.

    • No hidden backdoors are used, except as stated in the ChemAxon Privacy Policy.

    Data backup

    ChemAxon’s backups protect the availability of the Customer’s information assets and ensure that Customer Data is retrievable. The strategy employed is the recurring saving of data so that it can be restored after malfunctions of the Subscription Services or the e-business Hosting Environment.

    • Data backup satisfactory for potential disaster recovery requirements: ChemAxon retains backup copies of all critical data related to Customer Data, the Subscription Services and the e-business Hosting Environment.

    • Recovery points: the electronic backup practice allows the identification and recovery of both individual files and complete folders.

    • Off-site backups: to maximize security, data backups are stored on geographically and physically separated servers.

    • Access to backups: backed-up data can be retrieved only by the Customer’s and ChemAxon’s authorized personnel.

    Data retention

    Upon termination of the EUSA and/or the Subscription Services, ChemAxon removes any residual data security exposure by destroying the relevant data and the ChemAxon Software used in a defined and controlled manner. After termination of the EUSA or the Subscription Services this involves:

    • Deleting all Customer Data; only backups of such data are stored, for a designated period of time;

    • Deleting expired data from the backup platforms according to the normal cycle of ChemAxon’s backup practice;

    • Terminating access to, and availability of, the Subscription Services and any ChemAxon Software set up particularly for the Customer.

    Third party software and services

    ChemAxon may use third party software and services to provide high quality security measures.

    • Adherence to service protocols: ChemAxon follows the protocols of these services as recommended by their providers.

    • Continuous updates and upgrades: ChemAxon uses the latest available versions of the security systems and services.

    Secure billing information

    If payments are settled using credit cards, all transactions are processed via a trusted and independent third party service provider using the highest security standards commercially available. Card information is transmitted and processed securely as defined by the service provider. ChemAxon does not store card information.

    Special Provisions

    Where the Subscription Services are provided to a particular Customer, the conditions may differ from the general provisions above depending on the Customer’s specific needs and the ChemAxon Software involved. Such special provisions may collect all terms, conditions and parameters set for the Subscription Services and ChemAxon Software; they supersede the corresponding parts of this document for the particular use case, are applied upon request by the Customer, and are concluded in a written document mutually agreed between the Customer and ChemAxon. In case of conflict between the provisions of this document and the document of special provisions, the latter prevails. The document of special provisions is an inseparable part of this Information Security Management document.

    Do you want to know more?

    ChemAxon may be contacted as described on the ChemAxon web site.


    Special Provisions

    (This separate page is used by ChemAxon to inform a Customer about the particular conditions and parameters set regarding the Information Security Management of ChemAxon SaaS.)

    In the following case, the conditions of the ChemAxon Subscription Services provided to the Customer named below differ from the provisions of the general Information Security Management document according to the Customer’s special needs and the ChemAxon Software involved. These special provisions supersede the provisions of the general Information Security Management document listed below. In case of conflict between the provisions of the general Information Security Management document and this document of special provisions, the latter prevails. This document of special provisions is an inseparable part of the Information Security Management document.

    Customer: (Customer name) (Customer URL)

    ChemAxon Subscription Services: (List of services provided) (…)

    ChemAxon Software involved: (List of ChemAxon Software involved) (…)

    Relevant agreement type: ChemAxon EUSA

    Hosting Party, legal and security terms:
    • Amazon AWS (primary): https://aws.amazon.com/legal/ and https://aws.amazon.com/security/
    • Google Cloud: https://cloud.google.com/terms/ and https://cloud.google.com/security/

    Network segmentation, data access and connectivity: Web services are protected with TLS 1.x, using TLS 1.2 if the Customer’s software application (e.g. browser) is capable of it. Upon the Customer’s request, access may be restricted to a single IP address of the Customer’s office. Web connections use the HTTPS protocol; keys use the RSA algorithm.

    Data backup: Data is block-level encrypted at rest. Upon the Customer’s request, backup data may optionally reside in the Customer’s country.

    Data retention: Default retention period: 6 months; thereafter ChemAxon removes all
    • search history
    • report data
    • uploaded structures
    • search statistics
    No log files can contain any structure information. After removal nothing is recoverable.
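    The retention rule above (a 6-month default period, after which the listed categories are removed and nothing is recoverable) is concrete enough to show in code. The following Python is an added example and is not ChemAxon’s code: it applies the default retention period to a constructed in-memory record set. The record layout, the category names, the sample timestamps and the evaluation date are assumptions made for illustration; the details a practitioner would want to get right are the calendar-month arithmetic (31 August minus six months must clamp to 29 February rather than fail or drift) and the refusal to decide retention on timezone-naive timestamps.

```python
"""Retention purge modelled on the default retention period above.

Added example, not ChemAxon's code. Record layout, category names and the
sample timestamps are assumptions made for illustration.
"""
import calendar
from datetime import datetime, timezone

RETENTION_MONTHS = 6  # default retention period from the special provisions

# Categories the provisions list as removed once the retention period has passed.
PURGED_CATEGORIES = {
    "search_history",
    "report_data",
    "uploaded_structure",
    "search_statistics",
}


def months_before(now: datetime, months: int) -> datetime:
    """Return the instant `months` calendar months before `now`.

    The day of month is clamped to the target month's length, so 31 August
    minus six months is 29 February in a leap year rather than an error, and
    a record stamped 1 March is still inside the retention window.
    """
    if now.tzinfo is None:
        raise ValueError("retention decisions need timezone-aware timestamps")
    year, month = now.year, now.month - months
    while month <= 0:
        month += 12
        year -= 1
    last_day = calendar.monthrange(year, month)[1]
    return now.replace(year=year, month=month, day=min(now.day, last_day))


def select_expired(records, now, months=RETENTION_MONTHS):
    """Split records into (expired, kept) under the retention rule.

    A record expires only if its category is one the provisions purge and it
    was created strictly before the cutoff; everything else is kept.
    """
    cutoff = months_before(now, months)
    expired, kept = [], []
    for record in records:
        created = record["created_at"]
        if created.tzinfo is None:
            raise ValueError(f"record {record['id']} has a naive timestamp")
        if record["category"] in PURGED_CATEGORIES and created < cutoff:
            expired.append(record)
        else:
            kept.append(record)
    return expired, kept


def purge(records, now, months=RETENTION_MONTHS):
    """Return only the surviving records; expired ones are simply dropped.

    Nothing is tombstoned or archived, matching the provisions' statement
    that after removal nothing is recoverable.
    """
    _expired, kept = select_expired(records, now, months)
    return kept


# Constructed sample data, evaluated as of 31 August 2024 (UTC).
NOW = datetime(2024, 8, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"id": 1, "category": "search_history",     "created_at": datetime(2024, 1, 15, tzinfo=timezone.utc)},
    {"id": 2, "category": "uploaded_structure", "created_at": datetime(2024, 3, 1, tzinfo=timezone.utc)},
    {"id": 3, "category": "report_data",        "created_at": datetime(2024, 2, 29, tzinfo=timezone.utc)},
    {"id": 4, "category": "account",            "created_at": datetime(2023, 6, 1, tzinfo=timezone.utc)},
]


def purge_report(records=SAMPLE_RECORDS, now=NOW):
    """Return (expired_ids, kept_ids) for quick inspection."""
    expired, kept = select_expired(records, now)
    return sorted(r["id"] for r in expired), sorted(r["id"] for r in kept)


if __name__ == "__main__":
    print("cutoff:", months_before(NOW, RETENTION_MONTHS).isoformat())
    print("expired, kept:", purge_report())
```

    With the constructed data, records 1 and 3 (created before the 29 February 2024 cutoff) are removed, record 2 (1 March) is retained, and record 4 is retained regardless of age because its category is not one the provisions purge.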