// Trust & Security Report
JSTOR (part of ITHAKA, a 501(c)(3) nonprofit)
JSTOR is a digital library platform providing access to academic journals, scholarly articles, primary source documents, images (3M+ from museums/archives), and research tools. Operated by ITHAKA, which also operates Portico and other digital preservation services.
Certifications held
3
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on ithaka.org“We adhere to SOC 2 information security standards. SOC 2 is a technical audit that requires organizations to establish strict information security policies and procedures to protect customer data. ITHAKA undergoes annual external audits to ensure ongoing compliance with the physical, administrative, and technical safeguards required under the SOC 2 framework.”
Verify on ithaka.org“When transferring personally identifying information that is subject to the European Union's General Data Protection Regulations (GDPR), we require a GDPR-approved transfer mechanism to be in place, such as Standard Contractual Clauses.”
Verify on ithaka.org“please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request”
> Show 3 unconfirmed / not-held certifications
source: ithaka.orgNo public evidence of ISO 27001 certification found. ITHAKA holds SOC 2 certification but ISO 27001 status is not documented in publicly available materials.
source: ithaka.orgNo evidence of HIPAA compliance documentation. JSTOR does not appear to process health information, making HIPAA compliance out of scope for this vendor.
source: ithaka.orgNo public evidence of PCI DSS certification found. Credit card information is processed via third-party service providers.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (ITHAKA headquarters-based)
JSTOR explicitly prohibits users from using Content 'to train large language models or other generative AI technologies' except as specifically permitted. JSTOR reserves the right to use input and output from its own AI features 'to develop and improve JSTOR AI Features solely to the extent consistent with JSTOR's non-profit mission.' JSTOR does not train AI models on customer research data or institutional usage patterns.
// Security controls
Encryption
Passwords, physical security measures, managerial measures, and encryption (for credit card information processed through third-party service providers)
ithaka.orgData Processing
Third parties process data based on ITHAKA instructions and in compliance with Privacy Policy and appropriate security measures. Standard Contractual Clauses required for GDPR transfers.
ithaka.orgSub-Processor List
Available on ITHAKA website; sub-processor list available for transparency
ithaka.orgAnnual Audits
Annual external audits to ensure SOC 2 compliance. SOC 3 Report available (Nov 16, 2023 to Nov 15, 2024).
ithaka.org// Products & data scope
data: User accounts, search history, research preferences, institutional affiliation. Does not automatically train AI on user data.
Primary product: multi-disciplinary academic journals, scholarly articles, and primary source content
data: Text submitted for analysis. Users must accept separate terms. Output may be used to improve features.
Optional add-on service with separate terms; allows text/data analysis on select JSTOR content
data: 3M+ images from museums, archives, scholars. No user-generated content training.
Visual materials collection accessible via JSTOR platform
// What to watch
- No dedicated trust center: security/compliance info embedded in privacy policy rather than a centralized trust/security portal
- SOC 2 report (PDF) could not be verified programmatically: report exists at ithaka.org but PDF parsing failed; claims based on privacy policy statement
- No ISO 27001 certification: ITHAKA has SOC 2 but does not claim ISO 27001 (common for US orgs; ISO 27001 more common in EU)
- Identity verification: JSTOR is operated by ITHAKA (nonprofit). SOC 2 cert belongs to 'ITHAKA HARBORS Inc.' (parent entity); applicable to JSTOR service as JSTOR is part of ITHAKA portfolio
- HIPAA: explicitly not applicable—JSTOR is academic/research content platform, not health information platform
- AI training posture is clear: JSTOR prohibits customer-driven LLM training on content but reserves right to use its own AI feature interactions for product improvement (non-profit mission)
// At a glance
Pricing model
Institutional/library subscriptions (no public per-user pricing available)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on JSTOR (part of ITHAKA, a 501(c)(3) nonprofit)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
ithaka.org