Hosted Services Security White Paper

Information Security Management

Management of Data Security of ChemAxon Hosted Services

This document gives an overview of ChemAxon’s security practices employed by ChemAxon to ensure the security of information when resident within, or being actioned by, the technical infrastructure of ChemAxon Hosted Services and how we maintain Customer Data safe, accessible and available.

As the basis of provision of the Hosted Services to Customer, ChemAxon makes available the ChemAxon Software, running in the e-business Hosting Environment made available by the Hosting Party. This Overview identifies the set of measures that comprise the information security system at ChemAxon relevant to its Hosted Services.

Security related to ChemAxon Hosted Services

As indicated above, ChemAxon provides its Hosted Services through making the ChemAxon Software available, running in the e-business Hosting Environment made available by the Hosting Party. ChemAxon carefully selects the Hosting Party based on principles as follows:

  • Reliable information security and operation control of the electronic information resource that is under the control the Hosting Party

  • Full aware of sensitivity of Customer Data residing in or accessible through the relevant Subscription Service

  • Cost of preventive measures and controls designed to detect any errors or irregularities of the e-business Hosting Environment

  • Amount of responsibility that the ChemAxon is willing to absorb

Security-related services by the Hosting Party including process security management, physical security, and network security are specified in separate documents made available by the Hosting Party. ChemAxon does not control the transfer of data over telecommunication facilities, including the Internet except the use of secure connections all of which are supported by ChemAxon and/or the Hosting Party. Customer is advised to review the security features e-business Hosting Environment and responsibilities of the Hosting Party and to determine that they meet Customer’s security needs.

Furthermore, ChemAxon cannot prevent third party disruptions of the e-business Hosting Environment or in connection with Customer Data although it has taken all reasonable commercial and technical measures to avoid this eventuality. Customer is advised to determine the appropriate procedures and controls regarding security of Customer Data and for the implementation of any such procedures and controls.

ChemAxon shall assume no liability whatsoever for the security-related services by the Hosting Party and/or telecommunication facilities and/or third-party disruptions of the e-business Hosting Environment or in connection with Customer Data .

ChemAxon recognizes that the absolute security of its Hosted Services against all threats is an unrealistic expectation that would require the commitment of a prohibitively high level of resource. Therefore, our goals for achieving successful information security that requires management planning to ensure the preparedness of the environment to meet the challenges associated with the detection of, response to and recovery from any information security breach. To be successful, determination of appropriate security measures must be a part of the design and management of all systems on the part of ChemAxon and the Hosting Party regarding ChemAxon Hosted Services.

Process security management

Process security management addresses threats from human factors, technology, and procedures that may cause harm to any data or system. Key elements to our process security management related to ChemAxon Hosted Services are security policies and procedures, and personnel security.

Security policies and procedures

ChemAxon is responsible for developing, implementing, enforcing and maintaining appropriate security policies to ensure the security of all ChemAxon Hosted Services and for controlling any breach that may occur. All relevant policies and any associated procedures, documents and records are proactively maintained to ensure that they remain effective and fit for purpose.

Collectively, these policies specify the information security procedures for ensuring confidentiality, integrity and availability of information assets. Formal processes are in place reviewed and approved by the Compliance Officer; once approved, the appropriate audience is trained.

Personnel security

Personnel security control addresses ChemAxon’s ability to mitigate risk inherent in human interactions, including:

  • Security responsibilities: All ChemAxon employees are required to follow specific guidelines on their information security responsibilities. These include a formal commitment to follow the practice of Information Security Management System which is part of their Terms and Conditions of employment, and an Information Classification and Handling policy detailing the identification, labeling, handling and exchange of all information assets. All customer specific information is treated as confidential at all times and is only passed to third parties when express permission is granted. Only ChemAxon’s authorized personnel have access to the ChemAxon Hosted Services and Customer data.

  • Training and Awareness: It is mandatory that all new ChemAxon employees receive information security awareness training as part of their induction process to the organization. In addition, this training is regularly reinforced with follow up designed to maintain and enhance information security understanding.

  • User access rights: Access to all systems and data is managed on a need to access basis. For ChemAxon information systems, this is managed through the use of managed user rights which are tailored to the role that the ChemAxon employee undertakes. These user roles are regularly reviewed to ensure that they remain current. In addition, all such users are authenticated to their role when they sign in to a system by the use of a combination of unique user name and personal password which is required to be changed on a regular basis.

  • Moving role and leaving the company: When moving roles within ChemAxon, the access rights are reviewed and if necessary changed to reflect the requirements of their new role. When an individual decides to leave the ChemAxon organization all their access rights are removed from all systems and they are obliged to return all ChemAxon owned information.

Network security

When any electronic information resource manages or contains restricted data, appropriate measures must be in place to safeguard against unauthorized access to the data. This includes not only the primary operational copy of the information but also data extracts and backup copies. It is important to consider access to data from viruses and other electronic forms of attack.

ChemAxon provides its Hosted Services throughout the following particular measures:

Network segmentation, data access and connectivity

ChemAxon operates its network on the principle of Defense in Depth approach to security. The strategy behind this is to protect all assets that are managed, hosted or co-located in multiple layers of defense, such that should one layer fail, another layer will provide the necessary protection. Secure lines: ChemAxon provides its Hosted Services running in the e-business Hosting Environment via a secure connection.

  • Separate network: network used is distributed into sub-nets that are completely independent of each other.

  • Strict access rights to Accounts: end users can access to Account information and Hosted Service on a need to access basis.

  • Secure storage of access information: Access codes and other authentication parameters are stored in strict confidence.

  • No hidden back doors are used except as stated in ChemAxon Privacy Policy.

Data backup

ChemAxon’s backups protect the availability of Customer’s information assets and ensure that Customer Data is retrievable. The strategy employed to achieve this is the recurring saving of data before it is lost due to malfunctions of ChemAxon Software, the Hosted Services or e-business Hosting Environment.

  • Data backup satisfactory for potential disaster recovery requirements: ChemAxon retains backup copies of all its critical data related to Customer Data, the Hosted Services or e-business Hosting Environment.

  • Recovery points: An electronic backup practice is used which allows the identification and recovery of both individual files and complete folders.

  • Off-site backups: in order to maximize security data backups are stored on geographically/physically separated server.

  • Access to backups: retrievable data can only be available by the Customer’s and ChemAxon’s authorized personnel.

Data retention

Upon the termination of the Hosted Services Agreement (“HOSA”) and/or the Hosted Services, ChemAxon ensures that any residual data security issues are removed by ensuring that the relevant data and ChemAxon Software used are destroyed in a defined and controlled manner. This involves after termination of the HOSA or the Hosted Services:

  • Deleting all Customer Data; only backup of such data will be stored for a designated period of time

  • Deleting any expired data from the Backup platforms by ChemAxon based on normal cycle of ChemAxon’s backup practice;

  • Terminating access and availability to ChemAxon Hosted Services and ChemAxon Software particularly set up for the Customer;

Severity

ChemAxon may use third party software and services within provision high quality of security measures.

  • Adherence of service protocols: ChemAxon follows the protocols of the services as determined by recommendations

  • Continuous update and upgrades: ChemAxon uses the utmost higher version of the security systems and services.

Secure billing information

If payments are settled using credit cards, all transactions are processed via trusted and independent third party service provider using the highest security standards commercially available. Card information is transmitted, and processed securely as defined by the service provider. ChemAxon does not store card information.

Special Provisions

In case of ChemAxon Hosted Services is provided to a particular Customer, conditions may alter from the above general provisions depending on Customers’ specific needs and the ChemAxon Software involved. Special provisions may collect all terms and conditions as well as parameters set regarding the Hosted Services and ChemAxon Software, which supersede certain parts in this document according to particular use case applied upon request by the Customer and concluded in a written document in mutual agreement between the Customer and ChemAxon. In case of conflict between provisions of this document and the document of special provisions, the latter prevails. The document of such special provisions is inseparable part of this Information Security Management document.

Do you want to know more?

ChemAxon may be contacted as written on ChemAxon web site.

---

Special Provisions

(This separate pager is to be used by ChemAxon to inform any Customer about particular conditions and parameters set regarding Information Security Management of ChemAxon Hosted Services.)

In the following case, conditions of ChemAxon Hosted Services provided to Customer named below alter from provisions of the general Information Security Management document according to Customers’ special needs and the ChemAxon Software involved. Such special provisions supersede provisions listed below of the general Information Security Management document. In case of conflict between provisions of the general Information Security Management document and this document of special provisions, the latter prevails. This document of special provisions is inseparable part of the Information Security Management document.

Customer

(Customer name) (Customer URL)

ChemAxon Hosted Services

  • (List of services provided)

  • (…)

ChemAxon Software involved

  • (List of ChemAxon Software involved)

  • (…)

Relevant agreement type

ChemAxon Hosted Services Agreement (HOSA)

Host Party

  • Legal

  • Security

Amazon AWS (primary)

Google Cloud

Network segmentation, data access and connectivity

  • Web services are TLS1.x protected, TLS1.2 if the Customer’s software application (e.g. browser) is capable.

  • Upon Customer’s request, access may be restricted to one single IP address of the Customer’s office.

  • Web connection is over HTTPS protocol

  • Keys are using RSA algorithm

Data backup

Data is block level encrypted at rest.

Upon Customer’s request, backup data may optionally reside in Customer’s country.

Data retention

  • Default Retention Period: 6 months; thereafter ChemAxon removes all

o search history

o report data

o uploaded structure

o search statistics

  • No Log files can contain any structure information

  • After remove nothing is recoverable