// Trust & Security Report

    Litmap Ltd. logo

    Litmap Ltd.

    Litmaps: A literature review assistant and citation-network visualization tool for academic researchers. Also owns ResearchRabbit (acquired May 2025). Core features: Discover papers, Visualize citation networks, Share research, Monitor new publications.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR Compliance
    HELD

    Privacy Policy explicitly references 'Regulation (EU) 2016/679 General Data Protection Regulation' and implements Standard Contractual Clauses (2021/914) for international data transfers. States 'appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorized way.'

    Verify on litmaps.com
    UK Data Protection
    HELD

    Privacy Policy references compliance with 'UK International Data Transfer Addendum' and UK data protection requirements alongside GDPR.

    Verify on litmaps.com
    New Zealand Privacy Act 2020
    HELD

    Privacy Policy explicitly states 'committed to protecting personal information while seeking to comply with all applicable data protection and privacy legislation, including the New Zealand Privacy Act 2020.'

    Verify on litmaps.com
    > Show 3 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    Third-party review site (TechVernia) claims 'maintains SOC 2 Type II certification' but Litmaps' official Privacy Policy and Terms make no mention of SOC 2. No vendor-domain proof of certification found. Marketing over-claim without substantiation.

    source: litmaps.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification in Litmaps' official documentation or dedicate security pages. Vendor does not claim this standard.

    source: litmaps.com
    HIPAA
    NOT CONFIRMED

    Third-party review (TechVernia) claims HIPAA compliance, but Litmaps' official Privacy Policy and Terms contain no mention of HIPAA, BAA, or healthcare compliance. No vendor-domain proof found. Likely marketing over-claim.

    source: litmaps.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Multi-region: AWS (USA, Standard Contractual Clauses), Microsoft Azure (USA, Standard Contractual Clauses), Brevo SAS (France/EEA), Hotjar (Malta/EEA), Intercom (USA, Standard Contractual Clauses), Stripe (USA, Standard Contractual Clauses), Mixpanel (USA, Standard Contractual Clauses). Registered address: Wellington, New Zealand.

    Litmaps uses citation-network analysis by default (no AI). Optional AI-driven search and chatbot available via third-party LLM (vendor not disclosed). No explicit statement about whether customer research data is used for model training. No clear opt-out language found in policies.

    // Security controls

    Password Storage

    Passwords stored as salted hashes (cryptographic hashing)

    litmaps.com

    Data Protection Measures

    Appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorized way. Limits access to employees and contractors under confidentiality obligations.

    litmaps.com

    Session Recording

    Text fields masked in session replay (Hotjar integration)

    litmaps.com

    International Data Transfers

    Standard Contractual Clauses (2021/914) and UK International Data Transfer Addendum used for non-EEA processing

    litmaps.com

    Data Processor Agreements

    Enters into data-protection terms with subprocessors that are no less protective than customer agreements; remains accountable for subprocessor activities

    litmaps.com

    // Products & data scope

    LitmapsResearch Software / Literature Review

    data: Academic papers metadata, user research notes, citation networks, usage data, email, authentication

    Uses citation-network analysis by default. Optional AI-driven discovery and chatbot available. Processes researcher metadata from Semantic Scholar, OpenAlex, ORCID, LibKey. Session analytics via Hotjar (masked text fields). Product analytics via Mixpanel.

    ResearchRabbitResearch Software / Literature Review

    data: Academic papers metadata, user research notes, usage data

    Acquired by Litmaps in May 2025. Separate product but under same parent entity. Privacy/security posture not independently verified as part of this assessment.

    // What to watch

    • Over-claim detected: Third-party review site (TechVernia) claims SOC 2 Type II certification and HIPAA compliance without vendor-domain evidence. Litmaps' official Privacy Policy and Terms do not mention these certifications. Marketing materials may be misleading.
    • No dedicated Security or Trust Center page: Unlike enterprise-grade vendors, Litmaps has no public security page, only standard privacy/terms pages.
    • Limited encryption documentation: Marketing claims 'bank-grade encryption' and 'data encrypted at rest and in transit' appear only in third-party review, not in Litmaps' official policies. Actual encryption implementation not detailed.
    • Early-stage company: 7 employees as of late 2025; just raised Series A. Limited compliance infrastructure typical of startup maturity. Exercise caution for highly regulated use cases.
    • AI model transparency: Vendor does not disclose which LLM powers optional AI-driven features. No statement on whether customer research data is used for model fine-tuning or training.
    • HIPAA unsuitability: Despite third-party claims, Litmaps shows no evidence of HIPAA BAA, HIPAA-Ready infrastructure, or healthcare-specific compliance. Not suitable for HIPAA-regulated environments without explicit vendor confirmation and BAA.

    // At a glance

    Pricing model

    Freemium with paid tiers (Team, Pro). Stripe payment processing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Litmap Ltd.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    litmaps.com

    > Browse all vendor trust reports