// Trust & Security Report
Corporation for Digital Scholarship (Zotero Project)
Zotero is a free, open-source research tool for collecting, organizing, and analyzing bibliographic data. Includes desktop app, web interface, and optional cloud sync via AWS. Available with optional library synchronization to Zotero servers or WebDAV.
Certifications held
1
Maturity
Startup
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on forums.zotero.org“"We can provide a HECVAT (an assessment tool used by higher-education institutions to evaluate security and privacy) on request." (Zotero team, Zotero Forums). Separately, some institutions report friction completing the broader compliance review despite this offer.”
> Show 6 unconfirmed / not-held certifications
source: zotero.orgNo mention of SOC 2 on Zotero's own security page. In a Zotero Forums thread, a Zotero team member wrote: "These are enterprise certifications that aren't realistic for an organization of our size."
source: zotero.orgNo mention of SOC 2 Type 2 on Zotero's own security page or elsewhere in public Zotero documentation; no formal attestation reports have been published.
source: zotero.orgNo mention of ISO 27001 on Zotero's own security page. In the same Zotero Forums thread, the team characterized formal certifications like this as 'enterprise certifications that aren't realistic for an organization of our size,' pointing to open-source auditability as an alternative.
source: zotero.orgZotero privacy policy states 'All Zotero server data is stored in the United States in Amazon Web Services.' No GDPR annexes, Data Processing Agreement, or GDPR compliance statement found in public documentation. US-based servers raise concerns under post-Schrems II judgment.
source: zotero.orgNo public evidence of HIPAA compliance or Business Associate Agreement. Security documentation notes data encrypted at rest with AES-256, but Zotero/AWS staff have access to decrypted data. Not marketed as HIPAA-compliant.
source: zotero.orgNo public evidence of PCI DSS certification. Credit card processing handled by third party, but no specific certification mentioned.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
United States (AWS us-east-1 region). Privacy policy explicitly states 'All Zotero server data is stored in the United States in Amazon Web Services.' Raises GDPR concerns for EU users post-Schrems II judgment.
Terms of Service contain no mention of AI training, machine learning, or model development using user data. However, no explicit opt-out or commitments were found either.
// Security controls
Encryption in Transit
Yes, using current best practices. SSL Labs rates Zotero API endpoint with A+ score.
zotero.orgOpen Source
All software is open source and available for auditing. Code-signed builds for macOS and Windows.
zotero.orgDefault Data Storage
Local-first design. All research data remains local by default unless user explicitly enables syncing.
zotero.orgSynced Data Access
Access limited to essential Zotero staff when syncing enabled. Data stored in AWS us-east-1.
zotero.orgFormal Security Audit
No evidence of external formal security audits or penetration testing reports.
zotero.org// Products & data scope
data: Local storage by default. Optional cloud sync via Zotero servers or WebDAV.
Free, open-source application. No account required for local use. Runs on Windows, macOS, Linux.
data: Requires synced Zotero account. Data stored on US-based AWS servers.
Requires user to enable sync on desktop app. Access to library from any browser.
data: Optional add-on. Syncs research libraries to AWS us-east-1.
Available as optional paid add-on or free limited tier. Encrypted at rest (AES-256) and in transit.
// What to watch
- NO_FORMAL_CERTIFICATIONS: Zotero lacks SOC 2, ISO 27001, HIPAA, and all standard enterprise compliance certifications. Organization is transparent about this limitation.
- GDPR_CONCERNS: US-based servers (AWS) without formal DPA raise compliance concerns for GDPR-regulated organizations post-Schrems II ECJ judgment.
- NO_DPA: No Data Processing Agreement found in public documentation despite being used in education and healthcare.
- INSTITUTIONAL_FRICTION: Some universities have removed Zotero from computers due to refusal/inability to complete HECVAT or other formal compliance documentation.
- NONPROFIT_STANCE: Corporation for Digital Scholarship emphasizes open-source and privacy-first design as alternative to formal certifications, rather than pursuing SOC 2 or ISO 27001.
- UNCLEAR_ENTERPRISE_SUPPORT: No public information about whether DPA, HECVAT completion, or other enterprise compliance support is available upon request.
- NO_AI_POLICY: Terms contain no AI training clause, but also no explicit commitment against AI training on user data.
- HOST_NOT_VENDOR_CERT: Any AWS certifications (SOC 2) belong to Amazon, not Zotero. Zotero does not hold these directly.
// At a glance
Pricing model
Free open-source desktop app with optional paid cloud storage tiers (File storage; GB packages available)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Corporation for Digital Scholarship (Zotero Project)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
zotero.org