Citrine’s Corporate Trust Commitment
At Citrine, we take security of all customer data extremely seriously. This document outlines our system architecture and the steps we take to keep customer data secure across our platform.
Physical Infrastructure & Security
We fully embrace cloud computing at Citrine, and as such do not maintain physical access to the systems that manage our infrastructure. This infrastructure is provided, maintained and secured completely by Amazon Web Services. Amazon’s data centers have obtained the highest levels of security compliance certification and employ rigorous physical security measures, including security guards, two-factor access and biometric screening. You can read more about the details of Amazon’s physical security here: http://aws.amazon.com/security/ and here: https://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
On the Citrination platform, raw data is encrypted both over the wire from a customer upload to our platform and between our primary data center and backup locations. Data uploaded to the platform and stored in our search service, databases and raw file storage are encrypted at rest using AES-256 encryption.
Access to the Citrination platform relies on username & password logins. These logins create sessions and store data in your browser to track your login session. The platform supports optional two-factor authentication for logins as well. Citrine employees cannot view or set passwords for a user; passwords may only be reset by a temporary token delivered directly to a user’s email.
Tracking & Analytics
Citrine may use customer access data to improve the user experience of the Citrination platform. We may also collect & share anonymized usage data to third party providers for services that help improve the user experience of the platform. Any usage data shared in this way will not contain identifying personal information or any private data that was uploaded to the platform. To be clear, while usage data may be anonymized and shared with third party providers, the materials science data uploaded by the customer will never be re-used or re-distributed.
Reliability & Backup
The Citrination platform is designed with redundancy in mind. All pieces of the infrastructure have redundant configurations, and we can swiftly bring up a new instance of our platform in a new data center in the event of a data center loss at AWS. Customer data is backed up and duplicated to other data centers for extra redundancy and emergency recovery. In the event of contract termination, data backups will be kept for 90 days and then securely erased from our backup systems.
As referenced above, we keep customer data backed up in a physically distinct location from the platform installation to aid in disaster recovery and availability. Our goal for disaster recovery is to have completely restored platform services within 12 hours after a disaster
In the event of a security incident, we will promptly notification affected customers of unauthorized data access, to the extent allowed by law.
Return & Deletion of Customer Data
In the event of contract termination, a customer may request, within 30 days, to have their data returned. Citrine will return data in the original format in which it was uploaded. Non-public customer data will be removed from the site within 30 days. Backups of this data, as specified above, will be securely erased after 90 days. While customers will be able to ask Citrine to return their private data in the event that Citrine services have been canceled, Citrine may choose to modify the length of time it maintains a copy of such data. In the event that Citrine makes such a change, Citrine will update its documentation accordingly. This process is subject to applicable legal requirements.