// Trust & Security Report
arXiv, Inc. (Cornell University Library before July 1, 2026)
Free, open-access preprint repository for scholarly articles in physics, mathematics, computer science, quantitative biology, finance, statistics, electrical engineering, and economics. ~2.4 million papers, ~24,000 monthly submissions. Recently spun off from Cornell University as an independent nonprofit.
Certifications held
0
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: info.arxiv.orgNo public evidence of SOC 2 Type 1 certification. Privacy policy and public documentation make no reference to SOC 2 compliance.
source: info.arxiv.orgNo public evidence of SOC 2 Type 2 certification. No security audit or ongoing controls attestation mentioned in any vendor documentation.
source: info.arxiv.orgNo public evidence of ISO 27001 certification. No information security management system certification mentioned.
source: info.arxiv.orgWhile privacy policy mentions data handling, no GDPR compliance claim or Data Processing Agreement (DPA) is offered. Vendor serves global EU researchers without explicit GDPR certification.
source: info.arxiv.orgNo public evidence of HIPAA compliance. arXiv is a preprint repository with no health/medical compliance certifications.
source: info.arxiv.orgNo public evidence. Cloud security controls not certified.
source: info.arxiv.orgNo public evidence. PII protection controls not certified.
source: info.arxiv.orgNo public evidence of FedRAMP authorization. arXiv is a nonprofit with no federal government security certification.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
United States (Cornell Tech HQ, New York City). Service providers used for hosting and data processing—specific regions not disclosed.
Submission agreement does not explicitly restrict or permit AI training on submitted papers. Vendor claims no AI training use in current documentation, but this critical gap creates ambiguity during industry-wide LLM training debates. Authors' papers may be used for research purposes via anonymized data sharing with 'trusted partners' but explicit AI training policy is absent.
// Security controls
Encryption in Transit
HTTPS standard mentioned in privacy policy as 'standard practices,' but no specific TLS version, cipher suite, or implementation details disclosed.
info.arxiv.orgEncryption at Rest
Not mentioned. No disclosure of encryption methods for stored data.
info.arxiv.orgAccess Controls
Privacy policy mentions 'detecting fraud and preventing unauthorized access, including DDoS attacks,' but no details on authentication, authorization, or role-based access controls.
info.arxiv.orgIncident Response
No incident response policy or breach notification timeline disclosed.
info.arxiv.orgSecurity Audit / Penetration Testing
No third-party security audits, penetration testing, or vulnerability assessment programs disclosed.
info.arxiv.orgData Minimization
arXiv collects author names, affiliations, email addresses, and submission metadata—all of which are made publicly available by design. User registration data retained up to 1 year.
info.arxiv.orgAnonymization / De-identification
Anonymized research data deleted after 5 years. No disclosure of anonymization techniques or reversibility risks.
info.arxiv.org// Products & data scope
data: Author names, affiliations, email addresses, submitted manuscripts (permanent public archive), submission metadata, user registration data
Free to use and submit. Data is permanently archived in the public interest. No registration required to read. No payment model—supported by member institutions and the Simons Foundation.
data: Anonymized manuscript data shared with research partners for search and discovery tools (e.g., NASA Astrophysics Data System)
Partners must adhere to privacy and ethical standards. Data shared is anonymized; specific retention and usage terms per partner agreement (not publicly detailed).
// What to watch
- CRITICAL: arXiv spun off from Cornell on July 1, 2026 (5 days old at time of assessment). Organization is legally newly established. Governance, compliance, and security infrastructure may not yet be fully operational.
- CRITICAL: No explicit policy prohibiting AI training on submitted papers. Submission agreement grants 'non-exclusive, perpetual' license for 'machine-readable formats' but does not address LLM training use—ambiguous during industry-wide AI training data controversies.
- NO SECURITY CERTIFICATIONS: Zero SOC 2, ISO 27001, or equivalent third-party security certifications despite handling global scholarly data.
- GDPR GAP: No Data Processing Agreement offered despite serving thousands of EU researchers. No explicit GDPR compliance claim.
- WEAK SECURITY DISCLOSURES: Privacy policy states only 'standard practices' without specifics on encryption, key management, audit trails, or incident response.
- NO INDEPENDENT AUDIT: No evidence of third-party security audits, penetration testing, or vulnerability assessment programs.
- DATA COLLECTION BY DESIGN: Core business model requires public disclosure of author names, affiliations, and emails. While necessary for scholarly record, this increases privacy surface.
- SERVICE PROVIDER TRANSPARENCY GAP: Data is shared with 'trusted partners' and service providers for hosting/processing, but specific vendors, locations, and contractual security terms are not publicly detailed.
- ORGANIZATIONAL TRANSITION RISK: New nonprofit board structure (12 members), interim CEO, and governance still being established. Long-term security strategy and compliance roadmap not communicated.
- OUTDATED NONPROFIT COMPLIANCE: As a new IRS 501(c)(3) entity, arXiv must file Form 990-N annually but has not yet done so (organization is <6 months old). Tax-exempt status verified but financial transparency reports pending.
// At a glance
Pricing model
Free to read and submit. Nonprofit funding model: member institutions + Simons Foundation support. Membership program allows libraries and research labs to contribute financially.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on arXiv, Inc. (Cornell University Library before July 1, 2026)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
info.arxiv.org