Maintaining the pact of trust: Patrick Crisfulla, VP of Pure and Interfolio on data privacy and security in Elsevier’s software solutions

At Elsevier, we are working to help universities reconcile the need for global impact and   collaboration with robust commitments to data privacy and security – nowhere more so than in our portfolio of Software as a Service (SaaS) solutions. These products, which include Pure,  Interfolio and the Digital Commons suite, all host customer data. A growing number of  customers have been asking us to clarify how their data is being used, shared, and  protected, so we asked Patrick Crisfulla, VP of Pure and Interfolio, to respond to some of the  questions that are put to his team most frequently.

Q. Can you explain how Software as a Service (SaaS) solutions work at Elsevier?

A. While Elsevier solutions like Pure, Interfolio, the Digital Commons suite, InsightGraph and SciBite cover distinct use cases, they all share the SaaS business model. This means they are business information solutions hosted online by Elsevier and made available to customers on a subscription basis. Elsevier maintains and secures the infrastructure of these applications and the data they hold, partnering with industry-leading tech providers (e.g. data center operators, security providers, etc). Customers upload and maintain their own data within these solutions and benefit from use of the features and functionality.

Q. What kind of data is Elsevier hosting in these solutions on behalf of customer institutions?

A. Elsevier’s SaaS solutions host what we call customer data, which is the information that our customers upload to run through the solutions. For a SaaS solution like Pure, which is a research information management system, the customer data might include descriptions of researcher projects, awards/grants, research outputs, and impact evidence. For Interfolio, the world’s leading Faculty Information System, the customer data might include academic staff job applications, committee feedback on tenure or promotion applicants and academic staff activity listings.

Q. So when a customer institution uploads its data into an Elsevier SaaS product like Pure, what happens to it? Does Elsevier assume ownership of that information?

A. Customers always retain ownership and control of their data uploaded into our SaaS solutions. Elsevier isn’t allowed to use this information for any purposes other than those agreed in the software contract. Customers are free to extract their data whenever they like, and when their subscription ends, all copies are deleted from Elsevier’s servers. With respect to personal data, to use European data protection terminology, customers are “controllers” while Elsevier is a “processor” that processes the data on behalf of the customers and at their instruction.

Q. Does Elsevier ever sell customer data to third parties?

A. No. We never sell customer data.

Q. And what about sharing customer data with other companies?

A. Elsevier engages cloud service providers to host customer data. Elsevier also has affiliates   and other companies provide security and perform other work that requires access to customer data. All these companies are contractually obligated to meet strict confidentiality, privacy   and security requirements, just as we are. 

Q. How will you use customer data?

A. Elsevier will use customer data only to provide, manage, operate and secure the SaaS solution. We don’t use customer data to enhance any Elsevier or RELX company products, or to support behind-the-scenes commercial intelligence gathering. We will not use or disclose customer data for marketing or advertising.

Q. Elsevier has recently launched AI solutions, e.g., LeapSpace. Is customer data uploaded to Elsevier’s SaaS solutions ever used to train Large Language Models for these Elsevier AI tools?

Definitely not.

Q. The Elsevier staff who work on solutions like Pure or Interfolio must be exposed to customer data, right?

A. Yes, the only people at Elsevier who can access customer data are a small group of staff, less than 1% of the company, whose roles require them to maintain and support the solutions, including to respond to technical customer support needs. We don’t make this information available to other Elsevier employees, such as journal publishers or editors.

Q. Does Elsevier ever host customer data outside its country of origin – and if so, where?

A. Customer data resides in the geographical location agreed with the customer and documented in the contract. This will usually be in whichever of our regional data centers is closest to a customer’s location. For example, for Pure, customer data of our European customers is held in our hosted data center in Ireland. US customer data is hosted in the US. China customer data is hosted in China. If alternative arrangements are made, as is occasionally the case, this will always be with the full agreement of the customer.

Q. And what about cyber security?

A: We know cyberattacks on universities are increasing in frequency, volume and sophistication, so we apply a range of security measures to protect customer data. These include encryption technologies that make data unreadable to unauthorized users, network security technologies to identify and prevent unwanted traffic and physical security at our data hosting locations. A solution like Pure also has audit logging in place, which allows customers to keep track of any interactions with their data, while user accounts can be configured to authenticate against external systems or Single-Sign-On solutions, or for local authentication.

Q. Have third parties reviewed your security practices?

A: Elsevier’s SaaS solutions are ISO/IEC 27001 and ISO/IEC 27701 certified, which means that they meet the security standards set by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) for Information Security and Personal Data Protection. Our compliance is verified by an independent third-party auditor.