// Trust & Security Report

    Elsevier Limited logo

    Elsevier Limited

    Mendeley Reference Manager (cloud-based reference management with free and premium tiers), Mendeley Cite (Microsoft Word plugin for citations), Mendeley Data (research data repository), and legacy Mendeley Desktop (desktop client, being phased out). AI features include Reading Assistant and Ask My Library.

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR Compliance
    HELD

    Elsevier's Microsoft 365 app self-attestation answers 'Do you have GDPR or other privacy or data protection requirements or obligations (such as CCPA)?' with 'Yes' and lists its external privacy notice at https://privacy.elsevier.com. GDPR is a legal obligation for this EU/UK-based vendor, not a third-party certification.

    Verify on learn.microsoft.com
    EU-U.S. Data Privacy Framework
    HELD

    Elsevier's privacy policy states: 'Elsevier Inc. has certified certain of its services to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce.' Note: this framework certification is held by Elsevier Inc. (a different legal entity than the Mendeley vendor Elsevier Limited) and covers only 'certain' unspecified services; Mendeley is not specifically named as in scope.

    Verify on elsevier.com
    > Show 9 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    Service Organization Controls (SOC 2): No

    source: learn.microsoft.com
    SOC 2 Type 2
    NOT CONFIRMED

    Service Organization Controls (SOC 2): No

    source: learn.microsoft.com
    ISO 27001
    NOT CONFIRMED

    International Organization for Standardization (ISO 27001) certified: No

    source: learn.microsoft.com
    ISO 27017
    NOT CONFIRMED

    International Organization for Standardization (ISO 27017): No

    source: learn.microsoft.com
    ISO 27002
    NOT CONFIRMED

    International Organization for Standardization (ISO 27002): No

    source: learn.microsoft.com
    HIPAA
    NOT CONFIRMED

    Health Insurance Portability and Accounting Act (HIPAA): N/A. Mendeley reference manager is not designed for healthcare data handling and explicitly recommends not entering personal, confidential, or protected health information (PHI) in AI features.

    source: service.elsevier.com
    FedRAMP
    NOT CONFIRMED

    Federal Risk and Authorization Management Program (FedRAMP) compliant: No

    source: learn.microsoft.com
    CSA STAR
    NOT CONFIRMED

    Cloud Security Alliance (CSA Star) certified: No

    source: learn.microsoft.com
    Core Trust Seal (Mendeley Data only)
    NOT CONFIRMED

    Mendeley Data was assessed against the CoreTrustSeal 2016 / Data Seal of Approval framework (guidelines version 2017-2019). No public evidence of a current or renewed CoreTrustSeal certification exists; CoreTrustSeal seals lapse after their multi-year term, so the certification is not verifiable as current (2026).

    source: coretrustseal.org

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region (Ireland, AWS infrastructure primarily mentioned). Elsevier maintains comprehensive security, disaster recovery, and business continuity plans.

    Elsevier has zero-retention contracts with AWS, Microsoft Azure, OpenAI, and Anthropic, ensuring that prompts and documents are never used to train any large language models. Customer data is NOT used for AI model training. However, users are warned not to enter personal, confidential, or sensitive information into Mendeley AI features (Reading Assistant, Ask My Library) as a precaution. Only aggregated, anonymized patterns are analyzed internally.

    // Security controls

    Encryption in transit

    AES-256 encryption applied to data in transit (same standard as major banks). Hosted on AWS S3 in Ireland.

    learn.microsoft.com

    Vulnerability scanning

    Quarterly vulnerability scanning on app and supporting infrastructure. Penetration testing conducted during development.

    learn.microsoft.com

    Change management

    Established change management process for code review and approval before production deployment. Additional person reviews all code changes.

    learn.microsoft.com

    Incident response

    Formal security incident response process documented and established. Reports breaches to supervisory authorities and affected individuals within 72 hours of detection.

    learn.microsoft.com

    Multi-factor authentication

    MFA enabled for credentials, DNS management, and code repositories.

    learn.microsoft.com

    Logging and monitoring

    Event logging set up on all system components. Logs reviewed regularly by human or automated tooling to detect potential security events. Alerts automatically sent to employees for triage.

    learn.microsoft.com

    Firewall and network security

    Firewall installed on external network boundary. Intrusion Detection and Prevention (IDPS) software deployed at the perimeter.

    learn.microsoft.com

    Data access controls

    Restricted-access datasets in Mendeley Data allow sensitive information to be deposited but not openly accessed. All open-access datasets explicitly cannot contain sensitive information (patient details, dates of birth, etc.).

    coretrustseal.org

    Zero-retention contracts with LLM providers

    Enterprise agreements with AWS, Microsoft Azure, OpenAI, and Anthropic include zero-retention contracts, so prompts and documents are never used for LLM development.

    elsevier.com

    Data Privacy Framework

    Certified compliance with EU-U.S. Data Privacy Framework, UK Extension to EU-U.S. DPF, and Swiss-U.S. Data Privacy Framework.

    elsevier.com

    // Products & data scope

    Mendeley Reference ManagerReference Management / Citation Management

    data: User research libraries (papers, PDFs, metadata, annotations). Synced across devices. Free tier includes 2GB storage. Premium includes 5GB + AI features.

    Cloud-based web application. Replaces Mendeley Desktop. Integrates with Microsoft Word via Mendeley Cite plugin. AI features (Reading Assistant, Ask My Library) available in premium tier. Warns users against entering sensitive/personal information into AI features.

    Mendeley CiteMicrosoft Word Plugin / Citation Management

    data: Citation data and bibliographies generated for Word documents. Does not store Microsoft customer data.

    Microsoft 365 certified add-in. Generates citations and bibliographies. Provides formal security and compliance attestation via Microsoft Learn.

    Mendeley DataResearch Data Repository

    data: Scientific datasets uploaded for long-term archival and open access. Supports tabular data, documents, software/code, images, video. Can include restricted-access datasets.

    Core Trust Seal certified (2017). Hosted on AWS S3 in Ireland. Comprehensive business continuity and disaster recovery plans. Data reviewers ensure datasets do not contain sensitive information or copyrighted material.

    Mendeley DesktopReference Management (Legacy)

    data: User research libraries. Legacy desktop application.

    Being phased out by Elsevier in favor of Mendeley Reference Manager. No separate compliance attestation found; users advised to migrate to Reference Manager.

    // What to watch

    • NO formal trust center or security/compliance documentation on mendeley.com - all information pulled from parent company Elsevier, Microsoft 365 certification, and third-party platforms
    • Mendeley Cite explicitly does NOT hold SOC 2, ISO 27001, HIPAA, FedRAMP, or CSA STAR certifications - only basic security practices confirmed via Microsoft attestation
    • No annual penetration testing or formal SLA for patch management reported
    • Multiple product variants (Reference Manager, Cite, Data, Desktop) with different compliance profiles - no unified compliance statement
    • AI features explicitly warn users against entering personal/sensitive data, suggesting limited readiness for sensitive data handling
    • Core Trust Seal for Mendeley Data is from 2017 (2017-2019 guidelines) with no evidence of renewal - graded held=false because it has almost certainly lapsed and no current certification is verifiable
    • EU-U.S. Data Privacy Framework is held by Elsevier Inc. (US entity) for 'certain' services and does not specifically name Mendeley - do not present as a Mendeley-specific certification without confirming scope
    • Privacy policy hosted on privacy.elsevier.com (parent company) rather than on mendeley.com domain - identity verification requires parent company checking
    • Zero-retention contracts with LLM providers are recent/strong, but no opt-out mechanism for users who wish additional control
    • AWS infrastructure has ISO 27001 and other certs, but Mendeley/Elsevier itself does not hold these - avoid conflating infrastructure certs with vendor certs

    // At a glance

    Pricing model

    Freemium with subscription. Free Reference Manager: 2GB storage. Premium Reference Manager: $55/year or $4.99/month, includes 5GB storage and unlimited AI features (Reading Assistant). Mendeley Data: free public repository. Mendeley Cite: free Word plugin.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Elsevier Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    privacy.elsevier.com

    > Browse all vendor trust reports