// Trust & Security Report

    arXiv, Inc. (Cornell University Library before July 1, 2026) logo

    arXiv, Inc. (Cornell University Library before July 1, 2026)

    Free, open-access preprint repository for scholarly articles in physics, mathematics, computer science, quantitative biology, finance, statistics, electrical engineering, and economics. ~2.4 million papers, ~24,000 monthly submissions. Recently spun off from Cornell University as an independent nonprofit.

    Certifications held

    0

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence of SOC 2 Type 1 certification. Privacy policy and public documentation make no reference to SOC 2 compliance.

    source: info.arxiv.org
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of SOC 2 Type 2 certification. No security audit or ongoing controls attestation mentioned in any vendor documentation.

    source: info.arxiv.org
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification. No information security management system certification mentioned.

    source: info.arxiv.org
    GDPR Compliance
    NOT CONFIRMED

    While privacy policy mentions data handling, no GDPR compliance claim or Data Processing Agreement (DPA) is offered. Vendor serves global EU researchers without explicit GDPR certification.

    source: info.arxiv.org
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance. arXiv is a preprint repository with no health/medical compliance certifications.

    source: info.arxiv.org
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence. Cloud security controls not certified.

    source: info.arxiv.org
    ISO 27018 (PII Protection)
    NOT CONFIRMED

    No public evidence. PII protection controls not certified.

    source: info.arxiv.org
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization. arXiv is a nonprofit with no federal government security certification.

    source: info.arxiv.org

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    United States (Cornell Tech HQ, New York City). Service providers used for hosting and data processing—specific regions not disclosed.

    Submission agreement does not explicitly restrict or permit AI training on submitted papers. Vendor claims no AI training use in current documentation, but this critical gap creates ambiguity during industry-wide LLM training debates. Authors' papers may be used for research purposes via anonymized data sharing with 'trusted partners' but explicit AI training policy is absent.

    // Security controls

    Encryption in Transit

    HTTPS standard mentioned in privacy policy as 'standard practices,' but no specific TLS version, cipher suite, or implementation details disclosed.

    info.arxiv.org

    Encryption at Rest

    Not mentioned. No disclosure of encryption methods for stored data.

    info.arxiv.org

    Access Controls

    Privacy policy mentions 'detecting fraud and preventing unauthorized access, including DDoS attacks,' but no details on authentication, authorization, or role-based access controls.

    info.arxiv.org

    Incident Response

    No incident response policy or breach notification timeline disclosed.

    info.arxiv.org

    Security Audit / Penetration Testing

    No third-party security audits, penetration testing, or vulnerability assessment programs disclosed.

    info.arxiv.org

    Data Minimization

    arXiv collects author names, affiliations, email addresses, and submission metadata—all of which are made publicly available by design. User registration data retained up to 1 year.

    info.arxiv.org

    Anonymization / De-identification

    Anonymized research data deleted after 5 years. No disclosure of anonymization techniques or reversibility risks.

    info.arxiv.org

    // Products & data scope

    arXiv Preprint RepositoryOpen-Access Academic Publishing Platform

    data: Author names, affiliations, email addresses, submitted manuscripts (permanent public archive), submission metadata, user registration data

    Free to use and submit. Data is permanently archived in the public interest. No registration required to read. No payment model—supported by member institutions and the Simons Foundation.

    arXivLabs (Research Partnerships)Research Collaboration

    data: Anonymized manuscript data shared with research partners for search and discovery tools (e.g., NASA Astrophysics Data System)

    Partners must adhere to privacy and ethical standards. Data shared is anonymized; specific retention and usage terms per partner agreement (not publicly detailed).

    // What to watch

    • CRITICAL: arXiv spun off from Cornell on July 1, 2026 (5 days old at time of assessment). Organization is legally newly established. Governance, compliance, and security infrastructure may not yet be fully operational.
    • CRITICAL: No explicit policy prohibiting AI training on submitted papers. Submission agreement grants 'non-exclusive, perpetual' license for 'machine-readable formats' but does not address LLM training use—ambiguous during industry-wide AI training data controversies.
    • NO SECURITY CERTIFICATIONS: Zero SOC 2, ISO 27001, or equivalent third-party security certifications despite handling global scholarly data.
    • GDPR GAP: No Data Processing Agreement offered despite serving thousands of EU researchers. No explicit GDPR compliance claim.
    • WEAK SECURITY DISCLOSURES: Privacy policy states only 'standard practices' without specifics on encryption, key management, audit trails, or incident response.
    • NO INDEPENDENT AUDIT: No evidence of third-party security audits, penetration testing, or vulnerability assessment programs.
    • DATA COLLECTION BY DESIGN: Core business model requires public disclosure of author names, affiliations, and emails. While necessary for scholarly record, this increases privacy surface.
    • SERVICE PROVIDER TRANSPARENCY GAP: Data is shared with 'trusted partners' and service providers for hosting/processing, but specific vendors, locations, and contractual security terms are not publicly detailed.
    • ORGANIZATIONAL TRANSITION RISK: New nonprofit board structure (12 members), interim CEO, and governance still being established. Long-term security strategy and compliance roadmap not communicated.
    • OUTDATED NONPROFIT COMPLIANCE: As a new IRS 501(c)(3) entity, arXiv must file Form 990-N annually but has not yet done so (organization is <6 months old). Tax-exempt status verified but financial transparency reports pending.

    // At a glance

    Pricing model

    Free to read and submit. Nonprofit funding model: member institutions + Simons Foundation support. Membership program allows libraries and research labs to contribute financially.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on arXiv, Inc. (Cornell University Library before July 1, 2026)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    info.arxiv.org

    > Browse all vendor trust reports