Chemicalize Security White Paper

    Information Security Management

    Management of Data Security of Chemaxon's Chemicalize services

    This document gives an overview of the security practices employed by Chemaxon to ensure the security of information when resident within, or being actioned by, the technical infrastructure of Chemaxon's proprietary service, Chemicalize (chemicalize.com), and how we keep Customer’s data safe, accessible and available there.

    As the basis of provision of such service to Customer, Chemaxon makes available Chemicalize, running in the e-business Hosting Environment provided by a Hosting Party. This Overview identifies the set of measures that comprise the information security system at Chemaxon relevant to Chemicalize.

    Security related to Chemicalize

    As indicated above, Chemaxon provides its services reachable via chemicalize.com in the e-business Hosting Environment made available by the Hosting Party (Amazon.com; Amazon Elastic Compute Cloud (Amazon EC2)). Chemaxon carefully selects the Hosting Party based on the following principles:

    • Reliable information security and operation control of the electronic information resource that is under the control of the Hosting Party;

    • Awareness of the sensitivity of Customers’ data, or of Customers’ data that Customer uploads to and downloads from the e-business Hosting Environment through interaction with, or in connection with, Chemicalize during the relevant service;

    • Cost of preventive measures and controls designed to detect any errors or irregularities of the e-business Hosting Environment;

    • Amount of responsibility that Chemaxon compliance personnel are willing to absorb.

    Security-related services by the Hosting Party, including process security management, physical security, and network security, are specified in separate documents made available by the Hosting Party (AWS Cloud Security; Amazon EC2 Network and Security). Chemaxon does not control the transfer of data over telecommunication facilities, including the Internet, except for the use of secure connections, all of which are supported by Chemaxon and/or the Hosting Party. Customer is advised to review the security features of the e-business Hosting Environment and the responsibilities of the Hosting Party and to determine that they meet Customer’s security needs.

    Furthermore, Chemaxon cannot prevent third party disruptions of the e-business Hosting Environment or in connection with Customers’ data although it has taken all reasonable commercial and technical measures to avoid this eventuality. Customer is advised to determine the appropriate procedures and controls regarding security of Customers’ data and for the implementation of any such procedures and controls.

    Chemaxon shall assume no liability whatsoever for the security-related services by the Hosting Party and/or telecommunication facilities and/or third-party disruptions of the e-business Hosting Environment or in connection with Customers’ data.

    Chemaxon recognizes that the absolute security of its Hosted Services against all threats is an unrealistic expectation that would require the commitment of a prohibitively high level of resource. Therefore, our goal is to achieve successful information security, which requires management planning to ensure the preparedness of the environment to meet the challenges associated with the detection of, response to and recovery from any information security breach. To be successful, determination of appropriate security measures must be a part of the design and management of all systems on the part of Chemaxon and the Hosting Party regarding Chemicalize.

    Process security management

    Process security management addresses threats from human factors, technology, and procedures that may cause harm to any data or system. Key elements of our process security management related to Chemicalize are security policies and procedures, and personnel security.

    Security policies and procedures

    The Chemaxon compliance personnel are responsible for developing, implementing, enforcing and maintaining appropriate security policies to ensure the security of Chemicalize and for controlling any breach that may occur. All relevant policies and any associated procedures, documents and records are proactively maintained to ensure that they remain effective and fit for purpose.

    Collectively, these policies specify the information security procedures for ensuring confidentiality, integrity and availability of information assets. Formal processes are in place, reviewed and approved by the Compliance Officer; once approved, the appropriate audience is trained.

    Personnel security

    Personnel security control addresses Chemaxon's ability to mitigate risk inherent in human interactions, including:

    • Security responsibilities : All Chemaxon employees are required to follow specific guidelines on their information security responsibilities. These include a formal commitment to follow the practices of the Information Security Management System, which is part of their Terms and Conditions of employment, and an Information Classification and Handling policy detailing the identification, labeling, handling and exchange of all information assets. All customer-specific information is treated as confidential at all times and is only passed to third parties when express permission is granted.

    • Training and Awareness : It is mandatory that all new Chemaxon employees receive information security awareness training as part of their induction process to the organization. In addition, this training is regularly reinforced with follow-up sessions designed to maintain and enhance information security understanding.

    • User access rights : Access to all systems and data is managed on a need-to-access basis. For Chemaxon information systems, this is managed through the use of managed user rights which are tailored to the role that the Chemaxon employee undertakes. These user roles are regularly reviewed to ensure that they remain current.

    • Moving role and leaving the company : When an employee moves roles within Chemaxon, their access rights are reviewed and, if necessary, changed to reflect the requirements of their new role. When an individual decides to leave the Chemaxon organization, all their access rights are removed from all systems and they are obliged to return all Chemaxon-owned information.

    Data security

    In Chemicalize, we record the users’ search and calculation history. However, the user has the option to either delete such history, which will be permanently deleted in the underlying system of Chemicalize, or turn off the history feature completely.

    In the case of other services, including Chemicalize Compliance Checker and Calculation API, we collect information for usage statistics and invoicing without any structural information.

    Data backup

    Chemaxon's backups protect the availability of Customer’s information assets and ensure that Customer’s data is retrievable. The strategy employed to achieve this is the recurring saving of data before it is lost due to malfunctions of Chemicalize, Customers’ data, the Hosted Services or e-business Hosting Environment.

    • Data backup satisfactory for potential disaster recovery requirements : Chemaxon retains backup copies of all its critical data related to Customers’ data, the Hosted Services or e-business Hosting Environment.

    • Recovery points : An electronic backup practice is used which allows the identification and recovery of both individual files and complete folders.

    • Off-site backups : In order to maximize security, data backups are stored on a geographically/physically separated server.

    • Access to backups : Retrievable data is available only to the Customer’s and Chemaxon's authorized personnel.

    Data retention

    Upon termination of the use of Chemicalize, Chemaxon ensures that any residual data security issues are removed by ensuring that the relevant data and the instance of Chemicalize used are destroyed in a defined and controlled manner. After termination of the services, this involves:

    • Deleting all Customers’ data; only backups of such data will be stored for a designated period of time;

    • Deleting any expired data from the Backup platforms by Chemaxon based on the normal cycle of Chemaxon's backup practice;

    • Terminating access to and availability of Chemicalize particularly set up for the Customer.

    Network security

    When any electronic information resource manages or contains restricted data, appropriate measures must be in place to safeguard against unauthorized access to the data. This includes not only the primary operational copy of the information but also data extracts and backup copies. It is important to consider access to data from viruses and other electronic forms of attack. The communication between users’ browsers and the Chemicalize service is always protected by HTTPS, thus all data going through the internet is invisible to others. Chemicalize uses the RSA algorithm with a 2048-bit key size for encryption.

    Network segmentation, data access and connectivity

    Chemaxon operates its network on the principle of a Defense in Depth approach to security. The strategy behind this is to protect all assets that are managed, hosted or co-located in multiple layers of defense, such that should one layer fail, another layer will provide the necessary protection.

    • Secure lines : Chemaxon provides Chemicalize running in the e-business Hosting Environment via a secure connection.

    • Separate network : The network used is divided into sub-nets that are completely independent of each other.

    • Secure storage of access information : Access codes and other authentication parameters are stored in strict confidence and in a separate system.

    • No hidden back doors are used.

    User security

    User authentication is handled by Chemaxon's central authentication solution that uses an industry standard authentication method (OAuth2). The communication, while authenticating, is protected by HTTPS and all user passwords are hashed, so the password is not visible or accessible. The user identity related information and the user's activity history are stored separately.

    Application Security

    In order to ensure maximum measures of application security, automatic dependency vulnerability scanners and static code scanners are used throughout the development process of Chemicalize. The application code base is under source control that follows industry standards. All modifications in the code base are stored with the date and the name of the modifier and are transparent for our developers and QM. A continuous integration system with hundreds of security and functional tests guarantees system integrity. The deployment is also executed in a secure way.

    Severity

    Chemaxon may use third-party software and services in the provision of high-quality security measures.

    • Adherence to service protocols : Chemaxon follows the protocols of the services as determined by recommendations.

    • Continuous updates and upgrades : Chemaxon uses the highest version of the security systems and services.

    Secure billing information

    All transactions are processed via a trusted and independent third-party service provider using the highest security standards commercially available. Card information is transmitted and processed securely as defined by the service provider. Chemaxon does not store card information.

    Do you want to know more?

    Chemaxon may be contacted as described on the Chemaxon website.