// Trust & Security Report

    Litmap Limited (trading as Litmaps; operates ResearchRabbit, acquired May 2025) logo

    Litmap Limited (trading as Litmaps; operates ResearchRabbit, acquired May 2025)

    Free-to-use academic literature discovery and citation-mapping web app (ResearchRabbit) that helps researchers explore related papers, authors, and topics via visual citation networks. Sibling product under the same parent company is Litmaps, a separate citation-tracking tool. No enterprise/API/team tier was found for ResearchRabbit itself.

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type I or II)
    NOT CONFIRMED

    No public evidence of a SOC 2 attestation, report, or trust page on the vendor domain (researchrabbit.ai) or its parent (litmaps.com). No trust center exists; targeted web searches for 'ResearchRabbit SOC 2' and 'ResearchRabbit trust center' returned no vendor-domain results.

    source: researchrabbit.ai
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on vendor domain or any independent registrar listing.

    source: researchrabbit.ai
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence of an AI-governance certification. No vendor-domain page addresses ISO 42001 or CSA STAR AI.

    source: researchrabbit.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence found on vendor domain or CSA STAR registry.

    source: researchrabbit.ai
    GDPR (compliance posture, not a certification)
    NOT CONFIRMED

    Could not independently verify vendor-quoted language. The privacy policy page (/privacy-policy) exists but is a client-side-rendered SPA page that our fetch tools could not render past the navigation shell, so no verbatim GDPR-rights or Standard Contractual Clauses text could be directly confirmed on the vendor domain. Third-party search-engine summaries (not vendor-quoted) suggest the policy references EEA/UK/Swiss/Canadian/Australian/NZ data-subject rights and SCCs for international transfer, but this is unverified secondary information, not a direct vendor quote.

    source: researchrabbit.ai
    HIPAA
    NOT CONFIRMED

    No public evidence on vendor domain; product is an academic literature tool, not positioned for health-record handling.

    source: researchrabbit.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence found; product has no visible paid checkout flow to necessitate PCI scope.

    source: researchrabbit.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence found; not applicable to this consumer/academic product.

    source: researchrabbit.ai

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Unverified. Secondary search summaries suggest primary processing in the United States with Standard Contractual Clauses for EEA/UK transfers, but this was not independently confirmed via direct vendor-domain quote.

    Could not directly render or quote the vendor's privacy policy text (JS-rendered single-page app; our fetch tooling only returned the nav/footer shell, not body content, and the extension-based browser tool was unavailable in this session). Secondary, unverified search-engine summaries indicate the policy mentions partnerships with third-party AI providers (named as Databricks and OpenAI) 'to power certain features' with input/output data 'shared with these providers under their respective agreements,' and states user data 'never leaves ResearchRabbit's own servers and is never sold to third parties' -- but none of this could be confirmed with a direct verbatim vendor-domain quote in this session, so it is reported here as unverified and should be re-checked with a JS-capable fetch before being surfaced to users as fact.

    // Security controls

    Encryption in transit

    not verified

    researchrabbit.ai

    Encryption at rest

    not verified

    researchrabbit.ai

    Cookie consent mechanism

    Site presents an explicit cookie consent banner with Accept / Decline / Preferences options for non-essential cookies; essential cookies are used without consent per site's own disclosure.

    researchrabbit.ai

    Trust center / security documentation

    None found on vendor domain.

    researchrabbit.ai

    // Products & data scope

    ResearchRabbit (web app)Academic literature discovery / citation mapping

    data: Account data (name, email), uploaded/synced reference libraries (e.g. Zotero integration), reading/collection activity, and academic paper metadata pulled from third-party scholarly databases (claims access to 310M+ papers).

    Free consumer/academic tool, no visible paid enterprise tier, no API product surfaced in evidence. Acquired by Litmaps (New Zealand company, Litmap Limited) in May 2025; prior to acquisition it was described in press coverage as a US-based tool.

    // What to watch

    • Site is a JavaScript-rendered SPA; our fetch tooling could not retrieve body text of the privacy policy, terms, cookie policy, or acceptable-use pages beyond navigation/footer shell, and no browser-automation tool was available in this session -- this is a capture-tooling gap, not evidence of absence, and should be re-verified with a JS-capable crawler before finalizing any privacy/security claims as confirmed fact
    • No trust center or SOC 2/ISO/HIPAA/GDPR-certification evidence found anywhere on the vendor domain via targeted web search -- consistent with a small/free academic tool, not indicative of wrongdoing, but should not be marketed with any compliance badges
    • Recent ownership change: ResearchRabbit was acquired by Litmaps / Litmap Limited (New Zealand) in May 2025 -- listing should reflect the current parent entity, not treat ResearchRabbit as independently operated
    • Do not conflate with 'CodeRabbit' (coderabbit.ai), an unrelated company with a similar name that does hold SOC 2 Type II / ISO 27001 / GDPR documentation -- those certifications belong to CodeRabbit, not ResearchRabbit, and must never be attributed to this vendor
    • Secondary/unverified: third-party search summaries describe AI feature partnerships with Databricks and OpenAI involving input/output data sharing, but this was not confirmed with a direct vendor-domain quote in this session and should be re-verified

    // At a glance

    Pricing model

    Free

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Litmap Limited (trading as Litmaps; operates ResearchRabbit, acquired May 2025)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    researchrabbit.ai

    > Browse all vendor trust reports