// Trust & Security Report

    Clarivate Analytics plc (EndNote product line) logo

    Clarivate Analytics plc (EndNote product line)

    EndNote is an enterprise reference and citation management tool for researchers, with desktop (Windows/Mac), web, and iOS clients. Includes EndNote Click browser plugin, AI-powered Research Assistant (2025+) for document summarization and analysis, and cloud-based library sharing with institutional support.

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001 (Information Security Management System)
    HELD

    Clarivate PLC holds ISO 27001 certification covering ISMS supporting IPG, LS&H, and A&G systems, products, and services. Certification based on ISO/IEC 27001:2022 edition.

    Verify on clarivate.com
    ISO 27017 (Cloud Security Controls)
    HELD

    Clarivate maintains ISO 27017 certification for cloud information security controls.

    Verify on clarivate.com
    ISO 27018 (Personal Data Protection in Cloud)
    HELD

    Clarivate holds ISO 27018 certification for personal data protection in the cloud.

    Verify on clarivate.com
    ISO 27032 (Cybersecurity Incident Management)
    HELD

    Clarivate maintains ISO 27032 certification for cybersecurity incident management.

    Verify on clarivate.com
    ISO 27701 (Privacy Information Management System)
    HELD

    Clarivate holds ISO 27701 certification for privacy information management system.

    Verify on clarivate.com
    ISO 22301 (Business Continuity Management)
    HELD

    Clarivate maintains ISO 22301 certification for business continuity management.

    Verify on clarivate.com
    SOC 2 Type II
    HELD

    Multiple Clarivate products maintain SOC 2 Type II certification, which evaluates both the design and operating effectiveness of controls over a defined period, typically six to twelve months.

    Verify on clarivate.com
    PCI DSS (Payment Card Industry Data Security Standard)
    HELD

    Clarivate supports compliance with PCI DSS, a global security standard that protects cardholder data and secures payment card transactions. Vendors are contractually bound to meet PCI DSS standards.

    Verify on clarivate.com
    FedRAMP (U.S. Federal Cloud Security Authorization)
    HELD

    Clarivate's cloud services maintain FedRAMP authorization for U.S. federal government compliance.

    Verify on clarivate.com
    GDPR Compliance (via Standard Contractual Clauses)
    HELD

    Where Clarivate receives personal data protected under GDPR from outside EU/EEA, parties agree to enter into EU Standard Contractual Clauses (SCCs), with Clarivate as data importer and Client as data exporter. Data Processing Addendum dated June 2025 provides comprehensive GDPR terms.

    Verify on clarivate.com
    > Show 3 unconfirmed / not-held certifications
    HIPAA (Health Insurance Portability and Accountability Act)
    NOT CONFIRMED

    No public evidence of HIPAA certification or compliance claims found on endnote.com or clarivate.com trust center documentation.

    source: endnote.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 AI governance certification found; not listed in Clarivate's published certifications.

    source: clarivate.com
    CSA STAR AI (Cloud Security Alliance AI Certification)
    NOT CONFIRMED

    No public evidence of CSA STAR AI certification found in Clarivate or EndNote documentation.

    source: endnote.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Not publicly specified; multiple data centers referenced but specific regional locations not disclosed in available documentation

    Clarivate explicitly states: 'They use commercially pre-trained large language models (LLMs) as part of their information retrieval and augmentation framework—they do not train public LLMs. They access these LLMs through a private setup, and they do not share or pass any user data to LLMs for any purpose.' EndNote 2025 Research Assistant uses this approach. Minimal copyright risk due to non-training-based processing.

    // Security controls

    Encryption in Transit

    Implemented across all systems

    clarivate.com

    Encryption at Rest

    Implemented across all systems

    clarivate.com

    Access Controls

    Implemented and monitored across all systems

    clarivate.com

    Security Operations Center (SOC)

    24/7 SOC with SIEM correlation, threat intelligence integration, and incident response framework

    clarivate.com

    Vulnerability Management

    HackerOne Responsible Disclosure Program (hackerone@clarivate.com); SAST/DAST testing, multi-level reviews, third-party assessments

    clarivate.com

    Secure Software Development Lifecycle

    Industry-standard SSDLC with threat modeling, secure architecture, and compliance integration; security embedded from earliest design stages

    clarivate.com

    Data Recovery

    Data recovery and retention features protect user work; cloud storage with flexible retention policies

    endnote.com

    // Products & data scope

    EndNote DesktopDesktop Reference Manager

    data: Local + cloud sync via EndNote Web; libraries shareable with up to 1,000 users

    Windows and Mac support; unlimited local references; 3-year cloud storage for institutional subscriptions

    EndNote WebCloud Reference Manager

    data: Cloud-hosted; accessible from any device; real-time collaboration

    Integrated with Word Online (Microsoft 365 certified); direct integrations with research databases

    EndNote ClickBrowser Plugin

    data: Browser-based reference discovery and capture; integrates with web of Science, PubMed, and other databases

    Data handling explicitly documented; does not train on user capture history

    EndNote Research AssistantAI-Powered Analysis Tool (2025+)

    data: Document summarization, key takeaway extraction, and translation within user's own libraries; no external training data usage

    Uses commercial LLMs via private APIs; user data not shared with external LLM providers; no training on customer documents

    // What to watch

    • All certifications are held by parent company Clarivate, not directly by endnote.com. Clarivate's trust center confirms these certifications apply to their services and products (including Academic products like EndNote), but no product-specific certification documents are publicly available from endnote.com.
    • HIPAA: No certification claims found. EndNote is not positioned as a HIPAA-compliant healthcare tool and does not appear to market itself for healthcare/clinical data handling. Institutions using research data (not healthcare) would not require HIPAA.
    • No dedicated EndNote trust center exists; reliance on parent company Clarivate trust center documentation. This is standard for subsidiary products but may create clarity gap for procurement teams.
    • AI training posture is clearly stated and favorable (no customer data training), but this clarity is found only in blog posts and announcements, not in formal security/privacy documentation.
    • Data residency locations not publicly disclosed; only that multiple data centers exist globally.

    // At a glance

    Pricing model

    Subscription-based: perpetual license (pay-once), annual subscription, and institutional/site licenses available; 20% promotional discount noted in 2025/2026 campaigns

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Clarivate Analytics plc (EndNote product line)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    clarivate.com

    > Browse all vendor trust reports