Nested Knowledge

Bringing Systematic Review to Life

User Tools

Site Tools


wiki:policies:third_party

Third-Party Services and Subprocessors Policy

I. Purpose

Nested Knowledge's products offers a web-based software-as-a-service application and customer support services, including notices of new releases. This policy ensures that third party services used by Nested Knowledge undergo appropriate risk and data protection assessment.

II. Scope

III. Third-Party Service Policy

A list of sub-processsors and third-party service providers is maintained below. The list is updated at least annually.

Monitoring for Vulnerabilities

Developers monitory third party providers for breaches and vulnerabilities, and notify the Technical Lead by email or slack when a breach is detected.

If a security breach is detected, we:

  • Evaluate the severity of the incident and determine the urgency of response and resource deployment.
  • Identify the classes of data affected by the breach.
  • Remove the service provider, or modify use of the service provider.
  • Disclose the security incident to users.
  • If applicable, we escalate to clients by following the chain on communication described in our service license agreement.

Third party processors are similarly monitored for policy changes, specifically with regard to changes impacting regulatory requirements.

Summary of Sub-processors

Subprocessors handle user data processing tasks on behalf of the software application.

Name (Manufacturer)
Data Processing Agreement
Critical to application?PurposeData ProcessedCountry
Airplane.devSigned, available upon request

https://airplane.dev

No
Internal customer support applicationsUser emails and billing dataCA, United States
Auth0Auth0 DPAYesauthentication of users accounts for the NK application.
User email and password or social login account identifiers and Login history
United States
HubSpothttps://legal.hubspot.com/dpaNoSend release and marketing emails to usersFull name and email addresses of users.
Users can have their personal or organizational data deleted at any time. All user data is deleted from HubSpot if an account is deleted.
MA, United States
Metabasehttps://www.metabase.com/license/hostingNoUser analyticsUser accounts & activityUnited States
OpenAISigned, available upon requestNoScreening model featuresRecord abstractsUnited States
Scitehttps://scite.ai/policyNoScreening model features, record display badgeRecord DOIsUnited States
Stripehttps://stripe.com/legal/dpaNoPayment servicesUser email, location, subscription, and payment detailsUnited States

List of Infrastructure Providers

Infrastructure Providers house the physical hardware used to run the application. These providers do not process user data, although they contain it.

Name (Manufacturer)Data Processing AgreementPurposeData Processed
AWS (Amazon)https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html
Production Infrastructure (servers, services, databases)
All user accounts and data generated on the NK application are stored in databases in AWS, behind a firewall (VPC). This data, including personal information, is not shared with AWS in a structured or meaningful way, instead only being processed by NK application code within the VPC.
GCP (Alphabet)https://cloud.google.com/terms/data-processing-addendumStorage of production database backups

List of third-party providers

Third-party provider offers services that are integrated into the application in an opt-in manner or without processing user data, and are not necessary for core functionality.

Name (Manufacturer)Data Processing AgreementCritical to application?PurposeData Processed
EuropePMC NoRun searches against EuropePMCLiterature Searches
DOAJ NoRun searches against DOAJLiterature Searches
Plausible NoWeb and Mobile analyticsPage visit URL
Pubmed Entrez API NoRun searches against PubMedLiterature Searches
Unpaywall NoFull text retrievalRecord DOI
ClinicalTrials.gov NoRun searches against ClinicalTrials.govLiterature Searches

IV. Third-Party Services and Data Protection

The Policy Privacy describes the data Nested Knowledge shares with third party service providers.

Contracts with Third Parties

Contracts with third party service providers must incorporate information security requirements, including data protection and notices of security incidents.

We will document roles. responsibilities, and controls between Nested Knowledge and third parties, where applicable. Documentation and risk assessment should be stored in our filesystem drive in the respective directory for the third party provider.

Upon client request, disclosure of all contracts with third party service providers where such third party service providers are involved in the client's deliverables shall be made.

Compliance and Updates

At least annually, we will review third parties vendors to assess compliance with contracts and security standards, and we update the privacy policy accordingly.

Communicating Updates

When new third party sub-processors are to be added, data supplied to vendors is to change, or the vendor's processing agreement are to change, all affected users will be notified via email with at least 7 days notice.

Termination of Services

When Nested Knowledge terminates a contract with a sub-processor, within 60 days we will request deletion of all personal data. Nested Knowledge will review the data deletion/backup retention policies of our sub-processor and inquire about practices if it is not sufficently documented.

V. Third-Party Provider Data Breaches

TimestampEventDescriptionReportingStatus

07-13-2023 -

07-28-2023
Detection of vulnerabilitiesVulnerabilities with the H2 database.Metabase Post-MortemNo impact on Nested Knowledge data as Nested Knowledge is a Metabase's Cloud customer.

03-20-2023 1:00AM PT -

03-20-2023 10:00 AM PT
Leakage of other users' personal dataOther active users name, email address, credit card number, and credit card expiration date were visible to active Open AI users managing their subscriptions.Open AI StatementNo impact on Nested Knowledge data.
03-18-2023Compromised employee accountAffected 30 accounts in the Cryptocurrent industry.Hubspot statementNo impact on Nested Knowledge data.

Revision History

AuthorDate of Revision/ReviewComments/Description
K. Kallmes1/26/2023Reviewed
K. Cowie1/26/2023Drafted
K. Holub9/28/2023Monitoring updates

Return to Policies

wiki/policies/third_party.txt · Last modified: 2023/11/22 03:29 by katcow