Information Security Requirements
1. Subscriber’s Information Security Program
1.1. Subscriber will implement and document appropriate policies and procedures (1) covering its administrative, physical and technical safeguards and (2) relevant to access, use, loss, alteration, disclosure, storage, destruction and control of information that are measured against objective standards and controls (“Subscriber’s Information Security Program”). Subscriber will, without undue delay, remediate any deficiencies identified in Subscriber’s Information Security Program.
1.2. The Subscriber’s Information Security Program will, at a minimum: (1) address risks presented by processing, including risks associated with accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Elsevier Data transmitted, stored or otherwise processed; (2) account for known and reasonably anticipated threats and continually monitor for new threats; (3) meet or exceed industry best practices which, among other items, address the nature, scope, context and purposes of processing and the risks associated with the severity for the confidentiality and integrity of Elsevier Data; and (4) include all appropriate technical and organizational measures ensuring a level of security appropriate to the risk, including, as appropriate, (i) ensuring the confidentiality, integrity, availability and resilience of the systems associated with the storage and processing of Elsevier Data and (ii) ensuring that such technical and organizational measures are regularly tested, assessed, and evaluated for effectiveness to guarantee the security of the data and processing activities as they relate to Elsevier Data.
1.3. Subscriber will review all its Restricted and Authorized Users and ensure their access to Elsevier Data does not create: (1) an unacceptable risk of misuse or (2) inappropriate access to such information (“Personnel Reviews”). Subscriber will ensure the substance and manner of any Personnel Reviews. Personnel Reviews will conform to all applicable laws. If Subscriber at any time becomes aware that a Restricted or Authorized User to whom Subscriber has granted access to the services creates a risk, Subscriber will determine the User’s suitability to continue to access the services, or information derived therefrom, under this Agreement and, if appropriate, will terminate such access.
2. Subscriber Data Breach
Subscriber has in place documented, tested and updated incident handling procedures which will comply with all applicable laws.
In addition to, and not in lieu of, the obligations in this Agreement between the Parties, if Subscriber learns or has reason to believe that user IDs, the services, or any information to which Subscriber otherwise has access under the Agreement, has led to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Elsevier Data transmitted, stored or otherwise processed (a “Subscriber Data Breach”), Subscriber will:
2.1. notify Elsevier immediately and within seventy-two (72) hours if practicable, but in all cases without undue delay, of confirmation of the Subscriber Data Breach. Notice will be provided via email to [email protected];
2.2. provide to Elsevier a reasonable summary of the circumstances surrounding such Subscriber Data Breach;
2.3. co-operate reasonably with Elsevier’s requests for information regarding such Subscriber Data Breach;
2.4. without undue delay investigate the situation;
2.5. obtain written consent from Elsevier, not to be unreasonably withheld, prior to disclosing Elsevier or the services to any third party in connection with the Subscriber Data Breach;
2.6. provide all proposed third party notification materials, if such materials will identify Elsevier products or its services, to Elsevier for review and approval, such approval not to be unreasonably withheld or delayed.
In the event of a Subscriber Data Breach, Elsevier may, in its sole discretion, take immediate action, including suspension or termination of Subscriber’s account, without further obligation or liability of any kind.
3. Elsevier Audit Rights
Subscriber agrees that Elsevier may periodically, but not more than once per calendar year unless a documented Subscriber security vulnerability arises, review, with reasonable notice, Subscriber’s Information Security Program including its facilities, policies and procedures, and all relevant documentation, including logs, practices and operations. All reviews will be at Elsevier’s expense. If there is any failure to co-operate with Elsevier, or if any review reveals the lack of compliance with the terms and conditions of this Agreement, Elsevier may deny or limit access to the services and will be under no obligation to reduce the fees payable by Subscriber to the extent that it is unable to provide the services, and may, at its discretion pursue legal action.
Version number: V1.1
Date: 04 August 2025