// Trust & Security Report
Clarivate Analytics plc (EndNote product line)
EndNote is an enterprise reference and citation management tool for researchers, with desktop (Windows/Mac), web, and iOS clients. Includes EndNote Click browser plugin, AI-powered Research Assistant (2025+) for document summarization and analysis, and cloud-based library sharing with institutional support.
Certifications held
10
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on clarivate.com“Clarivate PLC holds ISO 27001 certification covering ISMS supporting IPG, LS&H, and A&G systems, products, and services. Certification based on ISO/IEC 27001:2022 edition.”
Verify on clarivate.com“Clarivate maintains ISO 27017 certification for cloud information security controls.”
Verify on clarivate.com“Clarivate holds ISO 27018 certification for personal data protection in the cloud.”
Verify on clarivate.com“Clarivate maintains ISO 27032 certification for cybersecurity incident management.”
Verify on clarivate.com“Clarivate holds ISO 27701 certification for privacy information management system.”
Verify on clarivate.com“Clarivate maintains ISO 22301 certification for business continuity management.”
Verify on clarivate.com“Multiple Clarivate products maintain SOC 2 Type II certification, which evaluates both the design and operating effectiveness of controls over a defined period, typically six to twelve months.”
Verify on clarivate.com“Clarivate supports compliance with PCI DSS, a global security standard that protects cardholder data and secures payment card transactions. Vendors are contractually bound to meet PCI DSS standards.”
Verify on clarivate.com“Clarivate's cloud services maintain FedRAMP authorization for U.S. federal government compliance.”
Verify on clarivate.com“Where Clarivate receives personal data protected under GDPR from outside EU/EEA, parties agree to enter into EU Standard Contractual Clauses (SCCs), with Clarivate as data importer and Client as data exporter. Data Processing Addendum dated June 2025 provides comprehensive GDPR terms.”
> Show 3 unconfirmed / not-held certifications
source: endnote.comNo public evidence of HIPAA certification or compliance claims found on endnote.com or clarivate.com trust center documentation.
source: clarivate.comNo public evidence of ISO/IEC 42001 AI governance certification found; not listed in Clarivate's published certifications.
source: endnote.comNo public evidence of CSA STAR AI certification found in Clarivate or EndNote documentation.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Not publicly specified; multiple data centers referenced but specific regional locations not disclosed in available documentation
Clarivate explicitly states: 'They use commercially pre-trained large language models (LLMs) as part of their information retrieval and augmentation framework—they do not train public LLMs. They access these LLMs through a private setup, and they do not share or pass any user data to LLMs for any purpose.' EndNote 2025 Research Assistant uses this approach. Minimal copyright risk due to non-training-based processing.
// Security controls
Security Operations Center (SOC)
24/7 SOC with SIEM correlation, threat intelligence integration, and incident response framework
clarivate.comVulnerability Management
HackerOne Responsible Disclosure Program (hackerone@clarivate.com); SAST/DAST testing, multi-level reviews, third-party assessments
clarivate.comSecure Software Development Lifecycle
Industry-standard SSDLC with threat modeling, secure architecture, and compliance integration; security embedded from earliest design stages
clarivate.comData Recovery
Data recovery and retention features protect user work; cloud storage with flexible retention policies
endnote.com// Products & data scope
data: Local + cloud sync via EndNote Web; libraries shareable with up to 1,000 users
Windows and Mac support; unlimited local references; 3-year cloud storage for institutional subscriptions
data: Cloud-hosted; accessible from any device; real-time collaboration
Integrated with Word Online (Microsoft 365 certified); direct integrations with research databases
data: Browser-based reference discovery and capture; integrates with web of Science, PubMed, and other databases
Data handling explicitly documented; does not train on user capture history
data: Document summarization, key takeaway extraction, and translation within user's own libraries; no external training data usage
Uses commercial LLMs via private APIs; user data not shared with external LLM providers; no training on customer documents
// What to watch
- All certifications are held by parent company Clarivate, not directly by endnote.com. Clarivate's trust center confirms these certifications apply to their services and products (including Academic products like EndNote), but no product-specific certification documents are publicly available from endnote.com.
- HIPAA: No certification claims found. EndNote is not positioned as a HIPAA-compliant healthcare tool and does not appear to market itself for healthcare/clinical data handling. Institutions using research data (not healthcare) would not require HIPAA.
- No dedicated EndNote trust center exists; reliance on parent company Clarivate trust center documentation. This is standard for subsidiary products but may create clarity gap for procurement teams.
- AI training posture is clearly stated and favorable (no customer data training), but this clarity is found only in blog posts and announcements, not in formal security/privacy documentation.
- Data residency locations not publicly disclosed; only that multiple data centers exist globally.
// At a glance
Pricing model
Subscription-based: perpetual license (pay-once), annual subscription, and institutional/site licenses available; 20% promotional discount noted in 2025/2026 campaigns
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Clarivate Analytics plc (EndNote product line)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
clarivate.com