// Trust & Security Report

    JSTOR (part of ITHAKA, a 501(c)(3) nonprofit) logo

    JSTOR (part of ITHAKA, a 501(c)(3) nonprofit)

    JSTOR is a digital library platform providing access to academic journals, scholarly articles, primary source documents, images (3M+ from museums/archives), and research tools. Operated by ITHAKA, which also operates Portico and other digital preservation services.

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    We adhere to SOC 2 information security standards. SOC 2 is a technical audit that requires organizations to establish strict information security policies and procedures to protect customer data. ITHAKA undergoes annual external audits to ensure ongoing compliance with the physical, administrative, and technical safeguards required under the SOC 2 framework.

    Verify on ithaka.org
    GDPR Compliance
    HELD

    When transferring personally identifying information that is subject to the European Union's General Data Protection Regulations (GDPR), we require a GDPR-approved transfer mechanism to be in place, such as Standard Contractual Clauses.

    Verify on ithaka.org
    TRUSTe
    HELD

    please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request

    Verify on ithaka.org
    > Show 3 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found. ITHAKA holds SOC 2 certification but ISO 27001 status is not documented in publicly available materials.

    source: ithaka.org
    HIPAA
    NOT CONFIRMED

    No evidence of HIPAA compliance documentation. JSTOR does not appear to process health information, making HIPAA compliance out of scope for this vendor.

    source: ithaka.org
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found. Credit card information is processed via third-party service providers.

    source: ithaka.org

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (ITHAKA headquarters-based)

    JSTOR explicitly prohibits users from using Content 'to train large language models or other generative AI technologies' except as specifically permitted. JSTOR reserves the right to use input and output from its own AI features 'to develop and improve JSTOR AI Features solely to the extent consistent with JSTOR's non-profit mission.' JSTOR does not train AI models on customer research data or institutional usage patterns.

    // Security controls

    Encryption

    Passwords, physical security measures, managerial measures, and encryption (for credit card information processed through third-party service providers)

    ithaka.org

    Data Processing

    Third parties process data based on ITHAKA instructions and in compliance with Privacy Policy and appropriate security measures. Standard Contractual Clauses required for GDPR transfers.

    ithaka.org

    Sub-Processor List

    Available on ITHAKA website; sub-processor list available for transparency

    ithaka.org

    Annual Audits

    Annual external audits to ensure SOC 2 compliance. SOC 3 Report available (Nov 16, 2023 to Nov 15, 2024).

    ithaka.org

    // Products & data scope

    JSTOR Academic Research PlatformAcademic Digital Library

    data: User accounts, search history, research preferences, institutional affiliation. Does not automatically train AI on user data.

    Primary product: multi-disciplinary academic journals, scholarly articles, and primary source content

    JSTOR Text AnalysisResearch Tools

    data: Text submitted for analysis. Users must accept separate terms. Output may be used to improve features.

    Optional add-on service with separate terms; allows text/data analysis on select JSTOR content

    Artstor CollectionsDigital Collections

    data: 3M+ images from museums, archives, scholars. No user-generated content training.

    Visual materials collection accessible via JSTOR platform

    // What to watch

    • No dedicated trust center: security/compliance info embedded in privacy policy rather than a centralized trust/security portal
    • SOC 2 report (PDF) could not be verified programmatically: report exists at ithaka.org but PDF parsing failed; claims based on privacy policy statement
    • No ISO 27001 certification: ITHAKA has SOC 2 but does not claim ISO 27001 (common for US orgs; ISO 27001 more common in EU)
    • Identity verification: JSTOR is operated by ITHAKA (nonprofit). SOC 2 cert belongs to 'ITHAKA HARBORS Inc.' (parent entity); applicable to JSTOR service as JSTOR is part of ITHAKA portfolio
    • HIPAA: explicitly not applicable—JSTOR is academic/research content platform, not health information platform
    • AI training posture is clear: JSTOR prohibits customer-driven LLM training on content but reserves right to use its own AI feature interactions for product improvement (non-profit mission)

    // At a glance

    Pricing model

    Institutional/library subscriptions (no public per-user pricing available)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on JSTOR (part of ITHAKA, a 501(c)(3) nonprofit)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    ithaka.org

    > Browse all vendor trust reports