Nested Knowledge

Bringing Systematic Review to Life

User Tools

Site Tools


wiki:policies:third_party

Third-Party Services Policy

I. Purpose

Nested Knowledge's products offers a web-based software-as-a-service application and customer support services, including notices of new releases. This policy ensures that third party services used by Nested Knowledge undergo appropriate risk and data protection assessment.

II. Scope

III. Third-Party Service Policy

A list of sub-processsors and third-party service providers is maintained below. The list is updated at least annually.

Monitoring for Vulnerabilities

Developers monitory third party providers for breaches and vulnerabilities, and notify the Technical Lead by email or slack when a breach is detected.

If a security breach is detected, we:

  • Evaluate the severity of the incident and determine the urgency of response and resource deployment.
  • Identify the classes of data affected by the breach.
  • Remove the service provider, or modify use of the service provider.
  • Disclose the security incident to users.
  • If applicable, we escalate to clients by following the chain on communication described in our service license agreement.

Third party processors are similarly monitored for policy changes, specifically with regard to changes impacting regulatory requirements.

Summary of Sub-processors

Subprocessors handle user data processing tasks on behalf of the software application.

Name (Manufacturer)
Data Processing Agreement
Critical to application?PurposeData Processed
Airplane.devSigned, available upon request

https://airplane.dev

No
Internal customer support applicationsUser emails and billing data
Auth0Auth0 DPAYesAuthentication of user accountsUser emails & credentials
HubSpothttps://legal.hubspot.com/dpaNoSend release and marketing emails to usersUser emails
Metabasehttps://www.metabase.com/license/hostingNoUser analyticsUser accounts & activity
OpenAISigned, available upon requestNoScreening model featuresRecord abstracts
Scitehttps://scite.ai/policyNoScreening model features, record display badgeRecord DOIs
Stripehttps://stripe.com/legal/dpaNoPayment servicesUser email, location, subscription, and payment details

List of Infrastructure Providers

Infrastructure Providers house the physical hardware used to run the application. These providers do not process user data, although they contain it.

Name (Manufacturer)Data Processing AgreementPurpose
AWS (Amazon)https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.htmlProduction Infrastructure (servers, services, databases)
GCP (Alphabet)https://cloud.google.com/terms/data-processing-addendumStorage of production database backups

List of third-party providers

Third-party provider offers services that are integrated into the application in an opt-in manner or without processing user data, and are not necessary for core functionality.

Name (Manufacturer)Data Processing AgreementCritical to application?PurposeData Processed
EuropePMC NoRun searches against EuropePMCLiterature Searches
DOAJ NoRun searches against DOAJLiterature Searches
Plausible NoWeb and Mobile analyticsPage visit URL
Pubmed Entrez API NoRun searches against PubMedLiterature Searches
Unpaywall NoFull text retrievalRecord DOI
ClinicalTrials.gov NoRun searches against ClinicalTrials.govLiterature Searches

IV. Third-Party Services and Data Protection

The Policy Privacy describes the data Nested Knowledge shares with third party service providers.

Contracts with Third Parties

Contracts with third party service providers must incorporate information security requirements, including data protection and notices of security incidents.

We will document roles. responsibilities, and controls between Nested Knowledge and third parties, where applicable. Documentation and risk assessment should be stored in our filesystem drive in the respective directory for the third party provider.

Compliance and Updates

At least annually, we will review third parties vendors to assess compliance with contracts and security standards, and we update the privacy policy accordingly.

Communicating Updates

When new third party vendors are to be added, data supplied to vendors is to change, or the vendor's processing agreement are to change, all users will be notified via email with at least 7 days notice.

Revision History

AuthorDate of Revision/ReviewComments/Description
K. Kallmes1/26/2023Reviewed
K. Cowie1/26/2023Drafted
K. Holub9/28/2023Monitoring updates

Return to Policies

wiki/policies/third_party.txt · Last modified: 2023/09/29 02:22 by kholub