// Trust & Security Report
Clarivate (formerly Clarivate Analytics)
EndNote Click (formerly Kopernio) - a free browser plugin that enables researchers to access full-text research papers via institutional subscriptions and open access sources. Primary use case: academic research paper discovery and access.
Certifications held
2
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on clarivate.com“Clarivate PLC holds ISO 27001 certification covering ISMS supporting IPG, LS&H, and A&G systems, products, and services across InfoSec, IT, Product, and key business functions. This is a Clarivate corporate ISMS certification; EndNote Click / Kopernio sits within the A&G (Academia & Government) segment named in this scope. The product is not individually named or separately audited on Clarivate's compliance page.”
Verify on clarivate.com“If a such transfer is required and no adequacy decision in respect of the country where the data recipient is based, including Clarivate companies, or no legal exception applies (e.g., if the transfer is required for the establishment, exercise or defense of legal claims), we protect transfers from the European Economic Area, the United Kingdom and Switzerland by way of Standard Contractual Clauses approved by the European Commission ("Standard Contractual Clauses") including the amendments under the UK Addendum and the required modifications for Switzerland.”
> Show 10 unconfirmed / not-held certifications
source: clarivate.comNo public evidence for EndNote Click / Kopernio. Per clarivate.com, ISO 27017 is held by the Ex Libris subsidiary (a separate library-systems product line: Alma, Primo, and similar), not by EndNote Click; Clarivate PLC's corporate ISMS certification covers ISO 27001 only. Verbatim source: 'Ex Libris is certified to multiple ISO standards (22301, 27001, 27017, 27018, 27032, 27701) for cloud and operational services.'
source: clarivate.comNo public evidence for EndNote Click / Kopernio. Per clarivate.com, ISO 27018 is held by the Ex Libris subsidiary (a separate library-systems product line), not by EndNote Click; Clarivate PLC's corporate ISMS certification covers ISO 27001 only. Verbatim source: 'Ex Libris is certified to multiple ISO standards (22301, 27001, 27017, 27018, 27032, 27701) for cloud and operational services.'
source: clarivate.comNo public evidence for EndNote Click / Kopernio. Per clarivate.com, ISO 27032 is held by the Ex Libris subsidiary (a separate library-systems product line), not by EndNote Click; Clarivate PLC's corporate ISMS certification covers ISO 27001 only. Verbatim source: 'Ex Libris is certified to multiple ISO standards (22301, 27001, 27017, 27018, 27032, 27701) for cloud and operational services.'
source: clarivate.comNo public evidence for EndNote Click / Kopernio. Per clarivate.com, ISO 27701 is held by the Ex Libris subsidiary (a separate library-systems product line), not by EndNote Click; Clarivate PLC's corporate ISMS certification covers ISO 27001 only. Verbatim source: 'Ex Libris is certified to multiple ISO standards (22301, 27001, 27017, 27018, 27032, 27701) for cloud and operational services.'
source: clarivate.comNo public evidence for EndNote Click / Kopernio. Per clarivate.com, ISO 22301 is held by the Ex Libris subsidiary (a separate library-systems product line), not by EndNote Click; Clarivate PLC's corporate ISMS certification covers ISO 27001 only. Verbatim source: 'Ex Libris is certified to multiple ISO standards (22301, 27001, 27017, 27018, 27032, 27701) for cloud and operational services.'
source: clarivate.comNo public evidence for EndNote Click / Kopernio. The sentence 'Clarivate maintains SOC 2 Type I and Type II certifications' does not appear on Clarivate's compliance page (the page only defines SOC 2 generically). Clarivate's product compliance list scopes SOC 2 to specific products (e.g., Derwent, Primo, Leganto, Rapido, Rialto, Vega Discover); EndNote Click / Kopernio is not among them.
source: clarivate.comNo public evidence for EndNote Click / Kopernio. The sentence 'Clarivate maintains SOC 2 Type I and Type II certifications' does not appear on Clarivate's compliance page. The SOC 2 Type II product list on clarivate.com does not include EndNote or EndNote Click; it covers a distinct set of products (Derwent, Docket, Foundation IP, Integration Hub, IPFolio, Leganto, Memotech, Primo, Rapido, Rialto, Specto, TIPMS, TrademarkVision, Vega Discover).
source: clarivate.comNot applicable / no public evidence for the free EndNote Click / Kopernio browser plugin, which processes no payments. The compliance table lists 'EndNote (SAQ-A Online)' — the EndNote desktop-product online store, a distinct product — not the EndNote Click plugin.
source: clarivate.comNo public evidence for EndNote Click / Kopernio. Clarivate's compliance table scopes FedRAMP to specific library platforms (Esploro, Leganto, Primo, Rapido, Rialto, RapidILL), none of which is EndNote Click; the product does not appear on the page.
source: kopernio.comNo public evidence of HIPAA compliance. Kopernio/EndNote Click is an academic research tool, not a healthcare application, and does not handle protected health information.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Multi-region: US (Chicago, Seattle), Europe (Amsterdam, Munich), Asia Pacific (Singapore, Sydney). Customers assigned to region matching their geographic location.
Clarivate AI Policy explicitly states: 'Neither your input nor the licensed content are stored by the large language model or used for any other purpose than the immediate interaction session.' The company does not use customer data to directly or indirectly train LLMs. However, aggregated and anonymized metadata (download counts, usage patterns, research trends) may be used for product improvements and recommendations without revealing individual user activity.
// Security controls
Encryption at rest
Institutional credentials stored only in browser and kept encrypted. PDFs stored in private cloud (EndNote Click Locker) with encryption implied.
kopernio.comSecure Software Development Lifecycle
Clarivate applies SAST/DAST testing, multi-level security reviews, and third-party security assessments
clarivate.com24/7 Security Operations
24x7 Security Operations Center with SIEM monitoring and threat intelligence correlation
clarivate.comIncident Response
Defined incident response framework with escalation paths and regulatory notification processes
clarivate.comResponsible Disclosure
HackerOne Responsible Disclosure Program for security vulnerability reporting
clarivate.comData access controls
Credentials used exclusively to provide legitimate access to subscribed resources. Contents of EndNote Click Locker and user activity not shared with third parties.
kopernio.com// Products & data scope
data: Institutional login credentials (encrypted, stored locally in browser), research paper access patterns, aggregated usage analytics
Free browser plugin for Chrome, Firefox, Edge. Used by 750,000+ researchers. Does not require personal account creation; works with institutional credentials via Shibboleth/institutional authentication.
// What to watch
- PARENT_COMPANY_CERTS_NOT_PRODUCT_SPECIFIC: Kopernio/EndNote Click is a browser plugin and is not named anywhere on Clarivate's compliance page. Only Clarivate's corporate ISO 27001 ISMS (whose scope names the A&G segment that includes EndNote) and Clarivate's corporate GDPR posture reasonably extend to this product. The ISO 27017/27018/27032/27701/22301 certifications are held by the Ex Libris subsidiary (a separate library-systems product line), and SOC 2, PCI DSS, and FedRAMP are scoped to other named Clarivate products (e.g., Derwent, Primo, Leganto, Esploro); none of these were confirmed for EndNote Click, so they were downgraded to held=false.
- NO_EXPLICIT_DPA_FOUND: No Data Processing Agreement found at vendor domain. For institutional customers processing personal data, explicit DPA documentation should be requested directly from Clarivate.
- PRODUCT_SPECIFIC_SECURITY_DOCS_MINIMAL: Kopernio/EndNote Click has limited public security documentation. Most security information comes from parent company (Clarivate) trust center. No product-specific security whitepaper or compliance matrix entry found.
- GDPR_POSTURE_INFERRED_FROM_PARENT: GDPR compliance posture inferred from Clarivate corporate privacy policy. No Kopernio-specific GDPR documentation found.
- MULTI_REGION_DATA_CENTERS_FROM_EX_LIBRIS: Data center locations and certifications for EU/US/APAC regions documented for Ex Libris (Clarivate subsidiary), but unclear if Kopernio/EndNote Click specifically uses these data centers or other infrastructure.
// At a glance
Pricing model
Free
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Clarivate (formerly Clarivate Analytics)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
clarivate.com