Information Security Management
Management of Data Security of ChemAxon’s Chemicalize services
This document gives an overview of the security practices ChemAxon employs to ensure the security of information when resident within, or being actioned by, the technical infrastructure of ChemAxon’s proprietary service, Chemicalize (chemicalize.com), and how we keep Customer’s data safe, accessible and available there.
As the basis for providing this service to Customer, ChemAxon makes Chemicalize available, running in the e-business Hosting Environment provided by a Hosting Party. This Overview identifies the set of measures that comprise the information security system at ChemAxon relevant to Chemicalize.
Process security management
Process security management addresses threats from human factors, technology, and procedures that may cause harm to any data or system. Key elements of our process security management related to Chemicalize are security policies and procedures, and personnel security.
Security policies and procedures
The ChemAxon compliance personnel are responsible for developing, implementing, enforcing and maintaining appropriate security policies to ensure the security of Chemicalize and for controlling any breach that may occur. All relevant policies and any associated procedures, documents and records are proactively maintained to ensure that they remain effective and fit for purpose.
Collectively, these policies specify the information security procedures for ensuring confidentiality, integrity and availability of information assets. Formal processes are in place, reviewed and approved by the Compliance Officer; once approved, the appropriate audience is trained.
Personnel security control addresses ChemAxon’s ability to mitigate risk inherent in human interactions, including:
Security responsibilities: All ChemAxon employees are required to follow specific guidelines on their information security responsibilities. These include a formal commitment to follow the practices of the Information Security Management System, which is part of their Terms and Conditions of employment, and an Information Classification and Handling policy detailing the identification, labeling, handling and exchange of all information assets. All customer-specific information is treated as confidential at all times and is only passed to third parties when express permission is granted.
Training and Awareness: It is mandatory that all new ChemAxon employees receive information security awareness training as part of their induction process to the organization. In addition, this training is regularly reinforced with follow-up sessions designed to maintain and enhance information security understanding.
User access rights: Access to all systems and data is managed on a need-to-access basis. For ChemAxon information systems, this is managed through the use of managed user rights which are tailored to the role that the ChemAxon employee undertakes. These user roles are regularly reviewed to ensure that they remain current.
Moving role and leaving the company: When an employee moves roles within ChemAxon, their access rights are reviewed and, if necessary, changed to reflect the requirements of their new role. When an individual decides to leave the ChemAxon organization, all their access rights are removed from all systems and they are obliged to return all ChemAxon-owned information.
In Chemicalize, we record the users’ search and calculation history. However, the user has the option to either delete such history, which will be permanently deleted in the underlying system of Chemicalize, or turn off the history feature completely.
In the case of other services, including Chemicalize Compliance Checker and Calculation API, we collect information for usage statistics and invoicing without any structural information.
ChemAxon’s backups protect the availability of Customer’s information assets and ensure that Customer’s data is retrievable. The strategy employed to achieve this is the recurring saving of data before it is lost due to malfunctions of Chemicalize, Customers’ data, the Hosted Services or e-business Hosting Environment.
Data backup satisfactory for potential disaster recovery requirements: ChemAxon retains backup copies of all its critical data related to Customers’ data, the Hosted Services or e-business Hosting Environment.
Recovery points: An electronic backup practice is used which allows the identification and recovery of both individual files and complete folders.
Off-site backups: In order to maximize security, data backups are stored on a geographically/physically separated server.
Access to backups: Retrievable data is available only to the Customer’s and ChemAxon’s authorized personnel.
Upon the termination of using Chemicalize, ChemAxon ensures that any residual data security issues are removed by ensuring that the relevant data and instance in Chemicalize used are destroyed in a defined and controlled manner. After termination of the services, this involves:
Deleting all Customers’ data; only backup of such data will be stored for a designated period of time;
Deleting any expired data from the Backup platforms by ChemAxon, based on the normal cycle of ChemAxon’s backup practice;
Terminating access to, and availability of, Chemicalize as set up specifically for the Customer.
When any electronic information resource manages or contains restricted data, appropriate measures must be in place to safeguard against unauthorized access to the data. This includes not only the primary operational copy of the information but also data extracts and backup copies. It is important to consider access to data from viruses and other electronic forms of attack. The communication between the user’s browser and the Chemicalize service is always protected by HTTPS, thus all data going through the internet is invisible to others. Chemicalize uses the RSA algorithm with a 2048-bit key size for encryption.
Network segmentation, data access and connectivity
ChemAxon operates its network on the principle of a Defense in Depth approach to security. The strategy behind this is to protect all assets that are managed, hosted or co-located in multiple layers of defense, such that should one layer fail, another layer will provide the necessary protection.
Secure lines: ChemAxon provides Chemicalize, running in the e-business Hosting Environment, via a secure connection.
Separate network: The network used is divided into sub-nets that are completely independent of each other.
Secure storage of access information: Access codes and other authentication parameters are stored in strict confidence and in a separate system.
No hidden back doors are used.
User authentication is handled by ChemAxon’s central authentication solution that uses an industry standard authentication method (OAuth2). The communication, while authenticating, is protected by HTTPS and all user passwords are hashed, so the password is not visible or accessible. The user identity related information and the user's activity history are stored separately.
In order to ensure maximum application security, automatic dependency vulnerability scanners and static code scanners are used throughout the development process of Chemicalize. The application code base is under source control that follows industry standards. All modifications to the code base are stored with the date and the name of the modifier and are transparent to our developers and QM. A continuous integration system with hundreds of security and functional tests guarantees system integrity. The deployment is also executed in a secure way.
ChemAxon may use third-party software and services in providing high-quality security measures.
Adherence to service protocols: ChemAxon follows the protocols of the services as determined by recommendations
Continuous update and upgrades: ChemAxon uses the highest available version of the security systems and services.
Secure billing information
All transactions are processed via a trusted and independent third-party service provider using the highest security standards commercially available. Card information is transmitted and processed securely as defined by the service provider. ChemAxon does not store card information.
Do you want to know more?
ChemAxon may be contacted as described on the ChemAxon web site.