// Trust & Security Report

    Clarivate (formerly Clarivate Analytics) logo

    Clarivate (formerly Clarivate Analytics)

    EndNote Click (formerly Kopernio) - a free browser plugin that enables researchers to access full-text research papers via institutional subscriptions and open access sources. Primary use case: academic research paper discovery and access.

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001
    HELD

    Clarivate PLC holds ISO 27001 certification covering ISMS supporting IPG, LS&H, and A&G systems, products, and services across InfoSec, IT, Product, and key business functions. This is a Clarivate corporate ISMS certification; EndNote Click / Kopernio sits within the A&G (Academia & Government) segment named in this scope. The product is not individually named or separately audited on Clarivate's compliance page.

    Verify on clarivate.com
    GDPR
    HELD

    If a such transfer is required and no adequacy decision in respect of the country where the data recipient is based, including Clarivate companies, or no legal exception applies (e.g., if the transfer is required for the establishment, exercise or defense of legal claims), we protect transfers from the European Economic Area, the United Kingdom and Switzerland by way of Standard Contractual Clauses approved by the European Commission ("Standard Contractual Clauses") including the amendments under the UK Addendum and the required modifications for Switzerland.

    Verify on clarivate.com
    > Show 10 unconfirmed / not-held certifications
    ISO 27017
    NOT CONFIRMED

    No public evidence for EndNote Click / Kopernio. Per clarivate.com, ISO 27017 is held by the Ex Libris subsidiary (a separate library-systems product line: Alma, Primo, and similar), not by EndNote Click; Clarivate PLC's corporate ISMS certification covers ISO 27001 only. Verbatim source: 'Ex Libris is certified to multiple ISO standards (22301, 27001, 27017, 27018, 27032, 27701) for cloud and operational services.'

    source: clarivate.com
    ISO 27018
    NOT CONFIRMED

    No public evidence for EndNote Click / Kopernio. Per clarivate.com, ISO 27018 is held by the Ex Libris subsidiary (a separate library-systems product line), not by EndNote Click; Clarivate PLC's corporate ISMS certification covers ISO 27001 only. Verbatim source: 'Ex Libris is certified to multiple ISO standards (22301, 27001, 27017, 27018, 27032, 27701) for cloud and operational services.'

    source: clarivate.com
    ISO 27032
    NOT CONFIRMED

    No public evidence for EndNote Click / Kopernio. Per clarivate.com, ISO 27032 is held by the Ex Libris subsidiary (a separate library-systems product line), not by EndNote Click; Clarivate PLC's corporate ISMS certification covers ISO 27001 only. Verbatim source: 'Ex Libris is certified to multiple ISO standards (22301, 27001, 27017, 27018, 27032, 27701) for cloud and operational services.'

    source: clarivate.com
    ISO 27701
    NOT CONFIRMED

    No public evidence for EndNote Click / Kopernio. Per clarivate.com, ISO 27701 is held by the Ex Libris subsidiary (a separate library-systems product line), not by EndNote Click; Clarivate PLC's corporate ISMS certification covers ISO 27001 only. Verbatim source: 'Ex Libris is certified to multiple ISO standards (22301, 27001, 27017, 27018, 27032, 27701) for cloud and operational services.'

    source: clarivate.com
    ISO 22301
    NOT CONFIRMED

    No public evidence for EndNote Click / Kopernio. Per clarivate.com, ISO 22301 is held by the Ex Libris subsidiary (a separate library-systems product line), not by EndNote Click; Clarivate PLC's corporate ISMS certification covers ISO 27001 only. Verbatim source: 'Ex Libris is certified to multiple ISO standards (22301, 27001, 27017, 27018, 27032, 27701) for cloud and operational services.'

    source: clarivate.com
    SOC 2 Type I
    NOT CONFIRMED

    No public evidence for EndNote Click / Kopernio. The sentence 'Clarivate maintains SOC 2 Type I and Type II certifications' does not appear on Clarivate's compliance page (the page only defines SOC 2 generically). Clarivate's product compliance list scopes SOC 2 to specific products (e.g., Derwent, Primo, Leganto, Rapido, Rialto, Vega Discover); EndNote Click / Kopernio is not among them.

    source: clarivate.com
    SOC 2 Type II
    NOT CONFIRMED

    No public evidence for EndNote Click / Kopernio. The sentence 'Clarivate maintains SOC 2 Type I and Type II certifications' does not appear on Clarivate's compliance page. The SOC 2 Type II product list on clarivate.com does not include EndNote or EndNote Click; it covers a distinct set of products (Derwent, Docket, Foundation IP, Integration Hub, IPFolio, Leganto, Memotech, Primo, Rapido, Rialto, Specto, TIPMS, TrademarkVision, Vega Discover).

    source: clarivate.com
    PCI DSS
    NOT CONFIRMED

    Not applicable / no public evidence for the free EndNote Click / Kopernio browser plugin, which processes no payments. The compliance table lists 'EndNote (SAQ-A Online)' — the EndNote desktop-product online store, a distinct product — not the EndNote Click plugin.

    source: clarivate.com
    FedRAMP
    NOT CONFIRMED

    No public evidence for EndNote Click / Kopernio. Clarivate's compliance table scopes FedRAMP to specific library platforms (Esploro, Leganto, Primo, Rapido, Rialto, RapidILL), none of which is EndNote Click; the product does not appear on the page.

    source: clarivate.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance. Kopernio/EndNote Click is an academic research tool, not a healthcare application, and does not handle protected health information.

    source: kopernio.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Multi-region: US (Chicago, Seattle), Europe (Amsterdam, Munich), Asia Pacific (Singapore, Sydney). Customers assigned to region matching their geographic location.

    Clarivate AI Policy explicitly states: 'Neither your input nor the licensed content are stored by the large language model or used for any other purpose than the immediate interaction session.' The company does not use customer data to directly or indirectly train LLMs. However, aggregated and anonymized metadata (download counts, usage patterns, research trends) may be used for product improvements and recommendations without revealing individual user activity.

    // Security controls

    Encryption in transit

    Yes - data transmitted over encrypted channels via HTTPS

    clarivate.com

    Encryption at rest

    Institutional credentials stored only in browser and kept encrypted. PDFs stored in private cloud (EndNote Click Locker) with encryption implied.

    kopernio.com

    Secure Software Development Lifecycle

    Clarivate applies SAST/DAST testing, multi-level security reviews, and third-party security assessments

    clarivate.com

    24/7 Security Operations

    24x7 Security Operations Center with SIEM monitoring and threat intelligence correlation

    clarivate.com

    Incident Response

    Defined incident response framework with escalation paths and regulatory notification processes

    clarivate.com

    Responsible Disclosure

    HackerOne Responsible Disclosure Program for security vulnerability reporting

    clarivate.com

    Data access controls

    Credentials used exclusively to provide legitimate access to subscribed resources. Contents of EndNote Click Locker and user activity not shared with third parties.

    kopernio.com

    // Products & data scope

    EndNote Click (formerly Kopernio)Academic Research / Browser Extension

    data: Institutional login credentials (encrypted, stored locally in browser), research paper access patterns, aggregated usage analytics

    Free browser plugin for Chrome, Firefox, Edge. Used by 750,000+ researchers. Does not require personal account creation; works with institutional credentials via Shibboleth/institutional authentication.

    // What to watch

    • PARENT_COMPANY_CERTS_NOT_PRODUCT_SPECIFIC: Kopernio/EndNote Click is a browser plugin and is not named anywhere on Clarivate's compliance page. Only Clarivate's corporate ISO 27001 ISMS (whose scope names the A&G segment that includes EndNote) and Clarivate's corporate GDPR posture reasonably extend to this product. The ISO 27017/27018/27032/27701/22301 certifications are held by the Ex Libris subsidiary (a separate library-systems product line), and SOC 2, PCI DSS, and FedRAMP are scoped to other named Clarivate products (e.g., Derwent, Primo, Leganto, Esploro); none of these were confirmed for EndNote Click, so they were downgraded to held=false.
    • NO_EXPLICIT_DPA_FOUND: No Data Processing Agreement found at vendor domain. For institutional customers processing personal data, explicit DPA documentation should be requested directly from Clarivate.
    • PRODUCT_SPECIFIC_SECURITY_DOCS_MINIMAL: Kopernio/EndNote Click has limited public security documentation. Most security information comes from parent company (Clarivate) trust center. No product-specific security whitepaper or compliance matrix entry found.
    • GDPR_POSTURE_INFERRED_FROM_PARENT: GDPR compliance posture inferred from Clarivate corporate privacy policy. No Kopernio-specific GDPR documentation found.
    • MULTI_REGION_DATA_CENTERS_FROM_EX_LIBRIS: Data center locations and certifications for EU/US/APAC regions documented for Ex Libris (Clarivate subsidiary), but unclear if Kopernio/EndNote Click specifically uses these data centers or other infrastructure.

    // At a glance

    Pricing model

    Free

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Clarivate (formerly Clarivate Analytics)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    clarivate.com

    > Browse all vendor trust reports