Security, Stability, and ISO27001 Certification
This page is applicable to academic institutions, government agencies, funders, and publishers. If you are a figshare.com user, see the other section on this page.
Figshare is a fully maintained and developed Software as a Service (SaaS) platform running on Amazon Web Services (AWS) with a record of 99.9% uptime, reported transparently through the Figshare Status page. Figshare (founded in 2010 and incorporated in 2012) is held by Digital Science & Research Solutions Limited (founded 2010) and works with Digital Science and its other portfolio companies to provide a secure and stable research services environment. Figshare aims to be as transparent as possible around security measures and personal data protections. This page outlines Figshare’s security measures and data storage options to help you understand how we protect information. Figshare can provide an example of the standard SLA and other security documentation upon request (info@figshare.com).
Figshare Security Information
We have a dedicated team with robust security measures in place (dictated by one of the highest standards in the industry, ISO27001). Real-time and historical status for the platform is at status.figshare.com and email updates are available from that page.
Figshare is ISO27001 certified
Being a trusted digital repository is a vital component in ensuring funder and government compliance when providing these services to institutions. As such, Figshare is delighted to have been awarded ISO27001 certification, after more than a year of structured improvements to our system and our workflows.
ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.
ISO27001 is part of the ISO/IEC 27000 family of standards that helps organizations keep information assets secure. Using this family of standards helps your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties.
For more information on our ISO27001 certification, please visit this page.
Given growing concerns around the sustainability of digital repositories and what is considered trustworthy, we feel that all repository systems should be aiming for ISO27001 compliance going forward.
Platform security overview
- Digital Science and Figshare are both ISO27001 certified. If you require more details, please contact us at info@figshare.com.
- Figshare is a multi-tenant platform. Access to data is controlled through access control lists and query filters.
- The system is monitored 24/7 with OS-level monitoring, real-time analysis, and an antivirus solution.
- The system also undergoes regular vulnerability scanning and third-party penetration testing.
- Figshare has completed a HECVAT Lite audit and we can share the results with those evaluating the platform for enterprise use.
Figshare scalability and availability
Figshare serves individuals and institutions across the globe. To meet IT business continuity requirements, the Figshare platform is deployed across multiple AWS Availability Zones and Regions. All Figshare public services are deployed in a highly available, fault-tolerant design following AWS cloud best practices.
Platform updates and functionality
- The Figshare platform is updated about eight to 12 times a year with no planned downtime during updates
- Figshare’s public pages are optimized for mobile devices through a mobile responsive website
- Figshare functions on these minimum browser versions
Data location, transfer, backup, and preservation
Storage can be provided via the closest AWS node, via another cloud storage provider, or locally at the institution.
If using Figshare Amazon S3 storage:
- Resilience against the unavailability of a data center is provided by AWS S3's standard multiple backups. Both Figshare and AWS are ISO 27001 certified.
- Data in transit and at rest is encrypted.
Figshare integrates with preservation systems to enable institutions to use their preferred preservation service or system. Figshare provides preservation for researcher accounts on figshare.com. For organizations that license Figshare, we enable integrations with various preservation systems; Figshare itself does not provide preservation services for those clients.
User authentication and user roles
- Institutional portals can integrate with SAML2 single sign-on systems.
- Permissions for the Figshare API are managed through account tokens. A token carries the permissions of the user account it belongs to, so that account's permissions determine what can be done through the API. The Figshare REST API supports the OAuth2 authorization standard and API Personal Access Tokens.
- Authenticated users can be assigned roles by group, and these are managed internally. A user account can have multiple roles. Users without administrator privileges are only able to access their own private records. Administrators can assign roles with elevated permissions to users as needed. Available user roles are detailed on our support site.
Support
Support is detailed in the standard Figshare SLA. In addition to 24/7 monitoring of the Figshare platform, support agents are available to respond to general technical and configuration issues between 8am and 4pm UTC, Monday to Friday, excluding public holidays. Email support requests may be submitted at any time. For customers based in regions with working hours outside the Main Support Desk Hours, regional account managers monitor support tickets, so requests and emergencies can be responded to and escalated in a timely manner.
Data Protection Compliance
Figshare complies with GDPR and, by extension, most other data protection requirements around the world. As part of a licensing agreement, we provide a Data Processing Addendum to clients that details compliance with data processing under data protection laws. Digital Science complies with GDPR and is ISO 27701 certified.
Figshare collects IP address and user agent information (as advertised by our cookie banner) for visitors to the public portal. We collect this in our capacity as the platform provider and in accordance with our privacy policy. Figshare (or one of our third-party sub-processors) is the processor, and the user or institution is the controller of their data. We only record non-sensitive information provided by the user, such as name, email, title, research categories and city/location. Please see our privacy policy for the security measures taken.
We keep personal data for as long as it is necessary for the purposes for which it was collected, after which it is destroyed, erased, or anonymised. For figshare.com users that have made content public, we retain a record of the association with that content.
If you need more information, please contact us at info@figshare.com.