// Trust & Security Report
Elsevier B.V. (a member of RELX Group)
ScienceDirect is Elsevier's full-text scientific, technical, and medical (STM) research literature platform (peer-reviewed journal articles and book chapters). It includes ScienceDirect AI, a generative-AI research assistant add-on that summarizes and cross-references content with source citations. Elsevier operates it as one product line within a much larger portfolio (Scopus, Pure, ClinicalKey/ClinicalKey AI, etc.) that share corporate security and privacy infrastructure but have some product-specific compliance claims (e.g., HIPAA is associated with ClinicalKey AI, not ScienceDirect).
Certifications held
2
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on elsevier.com“We maintain compliance with leading security frameworks and hold certifications such as ISO 27001.”
Verify on elsevier.com“All cross-border transfers of personal data are subject to appropriate safeguards compliant with the GDPR, including the EU Standard Contractual Clauses. / We treat personal data in line with applicable privacy laws, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).”
> Show 8 unconfirmed / not-held certifications
source: elsevier.comNo public evidence: Elsevier's group-wide Security & Compliance page (elsevier.com/en-gb/security) does not mention SOC 2 for ScienceDirect. A SOC 1/SOC 2 report is referenced only for the separate Pure product ('SOC 1 and SOC 2 reports can be confirmed by Elsevier upon request from active Pure customers' per Pure's help center), which is a different product line than ScienceDirect.
source: helpcenter.pure.elsevier.comNo public evidence for ScienceDirect specifically. These extended ISO control sets are documented for Elsevier's Pure product ('fully certified under ISO/IEC 27001:2022, including the extended control sets of ISO 27017 and ISO 27018' per Pure help center), not confirmed for ScienceDirect.
source: elsevier.comElsevier's privacy policy states it has 'certified certain services to the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework' but does not confirm ScienceDirect by name as one of the certified services, so this is graded unconfirmed for this specific product rather than assumed.
source: hitconsultant.netNot applicable / no evidence for ScienceDirect. HIPAA compliance and PHI-handling controls are documented for Elsevier's separate ClinicalKey AI product ('HIPAA-compliant privacy controls to protect patient health information'), a distinct clinical product, not ScienceDirect, which is a research-literature database and does not advertise PHI handling.
source: elsevier.comNo public evidence found on Elsevier's or ScienceDirect's own domain of a PCI DSS attestation. Consumer/individual ScienceDirect subscriptions involve payment card processing, but no PCI DSS claim is published.
source: elsevier.comNo public evidence found. Elsevier documents a 'Responsible AI Principles' framework and product-level safeguards (e.g., zero-retention LLM contracts) for ScienceDirect AI, but does not claim ISO/IEC 42001 certification.
source: elsevier.comNo public evidence found on any Elsevier-owned domain of CSA STAR registration or STAR for AI certification.
source: elsevier.comNo public evidence found on any Elsevier-owned domain. (A third-party security-rating aggregator lists 'FedRamp compliance' for Elsevier, but this is not corroborated by any first-party Elsevier/ScienceDirect page, so it is not counted as verified per the vendor-domain-proof rule.)
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Elsevier states data is 'hosted in Europe or the US based on application and regulatory requirements' and that 'Customer personal data is not transferred to China.' The broader privacy policy lists processing locations including Australia, France, Germany, India, Ireland, the Netherlands, the Philippines, Singapore, the UK, and the US.
For the ScienceDirect AI feature specifically, Elsevier states: 'Our enterprise agreements with AWS, Microsoft Azure, OpenAI, and Anthropic include zero-retention contracts, so your prompts and documents are never used for large language model development,' and 'Our use of third-party LLMs is private, with no data shared for public model improvement.' Separately, ScienceDirect's own site footer states 'All content on this site: Copyright (c) 2026 Elsevier B.V.... All rights are reserved, including those for text and data mining, AI training, and similar technologies' -- this is Elsevier reserving rights over its own published content against third-party AI scraping/training, a different and non-contradictory claim from the zero-retention promise about user prompts.
// Security controls
AI prompt/conversation protection
User prompts and responses in ScienceDirect AI conversation history are secured in encrypted databases with AES-256 level encryption; zero-retention contracts with OpenAI/Anthropic/AWS/Azure mean prompts are not used for LLM training.
elsevier.comCross-border transfer safeguards
GDPR-compliant mechanisms including EU Standard Contractual Clauses; data not transferred to China.
elsevier.comData Processing Addendum
Published Data Processing Addendum available covering Elsevier's processing of personal data on behalf of institutional subscribers/customers.
elsevier.com// Products & data scope
data: User accounts, institutional/library subscription access, search and reading activity, saved lists. No end-user 'customer data' upload in the SaaS sense -- primary content is Elsevier's own published literature.
Primarily institution-licensed (libraries, universities, enterprises) with some individual/consumer article purchase and personal subscription options.
data: User prompts/queries over licensed full-text content; per vendor, prompts are processed via zero-retention contracts with OpenAI/Anthropic and are not used to train public models.
Launched as an add-on; won a 2025 CODiE Award for 'Best Generative AI solution.' Distinct security posture documented from the base ScienceDirect platform.
data: Patient/health-context integrations (EHR API integrations); explicitly HIPAA-compliant per vendor.
Not part of ScienceDirect; listed here only to flag that HIPAA claims found in Elsevier's portfolio belong to this sibling product, not ScienceDirect, avoiding cert misattribution.
// What to watch
- Scope ambiguity on ISO 27001: Elsevier's security page makes a general corporate-level ISO 27001 claim without stating the certificate's exact ISMS scope/boundary (which systems, entities, or products are covered). Treated as held=true for the corporate claim but flagged for lack of scope detail typical of a full trust-center certificate excerpt.
- No SOC 2 evidence for ScienceDirect: only Elsevier's Pure product (a research-information-management system, different from ScienceDirect) documents SOC 1/SOC 2 report availability. Do not conflate Pure's SOC 2 with ScienceDirect.
- HIPAA belongs to a sibling product (ClinicalKey AI), not ScienceDirect -- explicitly excluded to avoid identity conflation across Elsevier's product portfolio.
- A third-party security-ratings aggregator (Nudge Security) lists Elsevier as having SOC 2, FedRAMP, and CSA STAR compliance, but none of these could be corroborated on any Elsevier-owned domain; per the hard rule against fabrication, these are graded held=false pending first-party confirmation.
- No single dedicated 'ScienceDirect trust center' exists; security/compliance content lives on the group-wide elsevier.com security and legal pages, which is normal for a large multi-product publisher but means product-specific nuance (e.g., is the ISO 27001 scope inclusive of ScienceDirect infrastructure specifically) is not independently confirmable from public pages alone.
// At a glance
Pricing model
Primarily institutional/library site-license subscriptions; also offers individual article purchase (pay-per-view) and a personal digital subscription tier for ScienceDirect AI.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Elsevier B.V. (a member of RELX Group)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
elsevier.com