Advisories

Our organization prioritizes transparency and choice, ensuring that stakeholders can easily understand how we collect and process personal data through our Privacy center.



Statements

We are vigilant about meeting the latest international standards for data protection and privacy. Learn more about these standards.



Whitepapers

The Clarivate applications and services on which you depend are based on a reliable, secure, and redundant architecture to ensure high availability of your applications and data.



Responsible Disclosure Program

As a global leader in providing solutions to accelerate the pace of innovation, Clarivate is committed to setting the standard in safeguarding our IT environment



Product Security

Security aspects are embedded from early stages of design, development and implementation of technology systems within Clarivate to ensure highly secure, reliable and robust products for clients.



Summary of standards

Clarivate’s security standards cover topics such as data protection, access control, encryption, secure software development, and vulnerability management. They also outline customer responsibilities for preventing unauthorized access and maintaining confidentiality while using Clarivate’s solutions.




Information security program

At Clarivate, we are dedicated to maintaining a secure and dependable environment for our clients. Our commitment to security is unwavering, and we have established a comprehensive security program grounded in the ISO 27001 standards. This forms the cornerstone of our Information Security Management System, encompassing a broad range of security measures.

Our multi-layered security infrastructure applies the security model to all system layers and includes, but is not limited to, the following measures:

  • Personnel Security: Ensuring that our team is trustworthy and well-trained.
  • Access Management: Controlling who can access what within our systems.
  • Infrastructure Protection: Safeguarding the backbone of our technology.
  • Endpoint and Malware Protection: Protecting our devices and networks from malicious software.
  • Patch Management: Applying system updates to protect against vulnerabilities.
  • Security Monitoring: Vigilantly observing our systems to detect and respond to threats.
  • Incident Response: Being prepared to address security breaches swiftly.
  • Device Lockdown: Securing devices against unauthorized use.
  • Operations Security: Protecting the integrity of our day-to-day operations.
  • Capacity Management: Ensuring our systems can handle the demands placed on them.
  • Vulnerability Scanning: Proactively identifying and addressing potential security weaknesses.
  • Risk Assessment: Evaluating potential risks to mitigate them effectively.
  • Physical Security: Protecting our premises and hardware from physical threats.
  • Vendor Management: Holding our partners to high security standards.

In addition to these measures, we have a Responsible Disclosure Program in place.

To ensure ongoing security, Clarivate emphasizes continuous education, risk evaluations, vulnerability scans, and adherence to compliance standards. We control access to our facilities meticulously and conduct thorough reviews of third-party data centres to confirm their compliance with our stringent security protocols.

Recognizing the critical nature of robust security practices, Clarivate is committed to safeguarding customer data and meeting the global marketplace’s diverse statutory and regulatory demands.

The Clarivate privacy program is built on a strong foundation of internationally accepted privacy principles and reflects Clarivate company values in action. We seek to continuously improve and enhance our privacy program and carry on our tradition of upholding high standards in collecting and processing personal data across our business practices, products and services.

Transparency and choice

We strive to ensure that our privacy practices are explained clearly so that our stakeholders can understand how we collect and process personal data. This privacy center is designed to be a resource where individuals can learn about our privacy policies and how to exercise choice and control over their personal data.


Accountability

We act with integrity and are accountable to ourselves, our colleagues and clients for the responsible and proper collection and processing of personal data. We have implemented many standards and practices to drive accountability in our organisation.

Security

We are committed to keeping your personal data secure. Our approach to data security is a comprehensive, multi-layered strategy where physical security, network infrastructure, software, and personnel security practices and procedures are implemented and maintained to protect the confidentiality, integrity and availability of the personal data we collect and process.


Our data protection program

We have developed a robust data protection program with consistent global privacy standards to ensure we meet our obligations across the countries and regions where we operate. Our policies and procedures are built on strong foundations and principles of transparency, accountability and individual rights.


Policies and standards

Clarivate maintains a documented information privacy, security, and risk management program with clearly defined roles, responsibilities, policies, and procedures to secure the information maintained on Clarivate’s Platforms.

This Clarivate program:

  • Assigns data security responsibilities and accountabilities to specific individuals.
  • Describes acceptable use of Clarivate’s platforms.
  • Provides access control and password attributes for Clarivate workforce members.
  • Enforces Clarivate end-user authentication requirements.
  • Describes audit logging and monitoring of Clarivate-hosted production environments.
  • Details the Clarivate incident response plan.
  • Describes appropriate risk management controls, security certifications, and periodic risk assessments.
  • Describes the physical and environmental security requirements for Clarivate networks, Data Centers, and Third-Party Data Centers.

Clarivate tightly controls and does not distribute written or electronic copies of its Information Security Policy and Standards suite. Clarivate regularly reviews and modifies its security program to reflect changing technology, regulations, laws, risk, industry and security practices, and other business needs.

Summary of each area that our policy covers:

  • Roles and Responsibilities: Defines the roles and responsibilities of the Executive Management, CISO and general management colleagues, as well as Users, System Administrators and Data Custodians.
  • Risk Assessment: Defines our risk assessment processes.
  • Personnel Security: Defines our security processes for Prior-to, During, and on Termination and Change of Employment.
  • Acceptable Use: Outlines the basic acceptable use tenets to be followed by all colleagues.
  • Clean Desk and Clear Screen: Outlines our Clean Desk requirements for colleagues.
  • Access Control: Outlines the overall access control methodologies required to be used for accessing Clarivate systems.
  • Audit Logging and Monitoring: Outlines the requirements on system administrators and implementation teams to ensure that relevant user and system actions are logged and analyzed.
  • Data Privacy: Summarises our data privacy obligations and points users to our dedicated Privacy team’s Global Data Privacy Policy.
  • Information Systems Acquisition, Development, and Maintenance: Defines the requirements for acquiring new technology assets, new or enhanced information systems, security of system files, and security in development and support processes.
  • Change Management: Outlines the requirements of the Change Management Program.
  • Asset Management: Defines the overall requirements of the Asset Management program from acquisition to disposal.
  • Data Classification, Handling, and Retention: Outlines the main requirements for the Classification and handling of all data within Clarivate.
  • Data Backup and Recovery: Outlines the requirements for Data Backup and recovery of our systems.
  • Data Disposal: Outlines the requirements for how data is to be disposed of.
  • Security Patch Management: Outlines the requirements for applying security patches within the organisation.
  • Encryption: Outlines the requirements of various encryption procedures within the organisation including where it is to be used.
  • Virus and Malware Protection: Outlines our requirements for overall malware protection on all assets including keeping the technology up to date.
  • Mobile Devices: Outlines the responsibilities of colleagues when using mobile devices.
  • Network Architecture Security: Defines the requirements regarding network devices and infrastructure. This includes access controls and firewall requirements.
  • Wireless Security: Defines the requirements for implementing Wireless Network devices and access within Clarivate.
  • Physical and Environmental Security: Protects systems and data from theft and environmental threats.
  • Disaster Recovery and Business Continuity: Clarivate maintains formalized Disaster Recovery (DR) and Business Continuity (BC) plans to ensure information system services’ rapid and effective recovery after disruptions.
  • Third Party / Outsourcing Security: Third-party providers must meet minimum security standards, and their performance will be continuously evaluated. Before engagement, they will only have access to necessary information and must undergo background checks, control reviews, and evaluations of their continuity and recovery plans.
  • Information Security and Privacy Incident Management: We maintain a documented Information Security and Privacy Incident Response Plan that outlines the requirements and responsibilities for identifying, responding to, documenting, reporting, and closing security and data privacy incidents. The plan covers critical and non-critical incidents, ensuring proper alerts, threat management, and operational continuity.
  • Cloud Security (see also “Cloud Security Standard”): Outlines how the security of cloud-based systems and data will be continuously monitored and analysed, with any security violations addressed and mitigated to ensure data confidentiality, integrity, and availability.
  • Capacity Management: Defines capacity planning to ensure that Clarivate’s IT resources have adequate processing power, bandwidth, and storage to maintain continuous availability and minimize the risk of system failures.
  • Training and Awareness: All employees must complete mandatory security training upon hire and annually thereafter. This training covers security responsibilities, risks, safeguards, policies, and procedures, with role-based training for higher-risk roles and updates following changes in the Information Security Policy and relevant regulations.
  • Media Handling: Outlines how physical and electronic media containing Clarivate and customer data must be protected against unauthorized access, misuse, or corruption during storage, access, and transportation.
  • Compliance: Defines the legal requirements for adherence to security policies, laws, regulations, and standards to prevent breaches. Information security controls, proper software licensing, protection of organizational records, compliance with security policies, and technical compliance checks are essential, with sanctions for non-compliance.
  • Policy Enforcement (see also “Clarivate Enforcement Standard”): Executive management expects all Clarivate employees and third-party representatives to adhere to the information security policy. Deliberate violations may lead to disciplinary action, contract termination, and/or legal action.
  • Information Security Policy Exceptions: Any exceptions to this Policy or any other Standard or procedures shall be applied for, and authorization received in writing.
  • Continuous Monitoring of Security Controls: At Clarivate, we understand the importance of continuous vigilance in maintaining robust security. Our approach includes the implementation of continuous monitoring of security controls to ensure that our security measures are always effective and up-to-date.
  • Comprehensive Security Audits: Our multi-tiered security audits encompass a range of activities designed to identify and mitigate potential vulnerabilities. These audits include:
    • Regular Reviews: Thorough examinations of our security policies and practices to ensure they meet the latest standards and best practices.
    • Security Scans: Frequent scanning of our systems to detect and address vulnerabilities before they can be exploited.
    • Risk Assessments: Detailed evaluations of potential risks to our systems and data, allowing us to prioritize and address the most critical threats.
    • Compliance Checks: Ensuring all aspects of our security infrastructure comply with relevant laws, regulations, and industry standards.