Nested Knowledge delivers a web-based software application and customer support services, including email notices of new releases. This policy ensures that third party services used by Nested Knowledge undergo appropriate risk and data protection assessment.
Third-Party Service Policy #
A list of sub-processors and third-party service providers is maintained below. The list is updated at least annually. Subprocessors handle user data processing tasks on behalf of the software application and on behalf of the company support staff.
List of Sub-processors #
| Name (Manufacturer) | Data Processing Agreement | Critical to application? | Purpose | Data Processed | Country |
|---|---|---|---|---|---|
| Abstra | Signed, available upon request https://www.abstra.io/ | No | Internal customer support applications. | User emails and billing data | Brazil |
| Auth0 | Auth0 DPA | Yes | authentication of users accounts for the NK application. | User email and password or social login account identifiers and Login history | United States |
| HubSpot | https://legal.hubspot.com/dpa | No | Send release and marketing emails to users | Full name and email addresses of users. Users can have their personal or organizational data deleted at any time. All user data is deleted from HubSpot if an account is deleted. | MA, United States |
| Metabase | https://www.metabase.com/license/hosting | No | User analytics | User accounts & activity | United States |
| OpenAI | Signed, available upon request | No | Screening model features | Record abstracts | United States |
| Scite | https://scite.ai/policy | No | Screening model features, record display badge | Record DOIs | United States |
| Stripe | https://stripe.com/legal/dpa | No | Payment services | User email, location, subscription, and payment details | United States |
List of Infrastructure Providers #
Infrastructure Providers house the physical hardware used to run the application. These providers do not process user data, although they contain it.
| Name (Manufacturer) | Data Processing Agreement | Purpose | Data Processed |
|---|---|---|---|
| AWS (Amazon) | https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html | Production Infrastructure (servers, services, databases) | All user accounts and data generated on the NK application are stored in databases in AWS, behind a firewall (VPC). This data, including personal information, is not shared with AWS in a structured or meaningful way, instead only being processed by NK application code within the VPC. |
| GCP (Alphabet) | https://cloud.google.com/terms/data-processing-addendum | Storage of production database backups |
List of third-party providers #
Third-party providers offer services that are integrated into the application in an opt-in manner or without processing user data, and they are not necessary for core functionality.
| Name (Manufacturer) | Data Processing Agreement | Critical to application? | Purpose | Data Processed |
|---|---|---|---|---|
| EuropePMC | No | Run searches against EuropePMC | Literature Searches | |
| DOAJ | No | Run searches against DOAJ | Literature Searches | |
| Pubmed Entrez API | No | Run searches against PubMed | Literature Searches | |
| Unpaywall | No | Full text retrieval | Record DOI | |
| ClinicalTrials.gov | No | Run searches against ClinicalTrials.gov | Literature Searches |
Monitoring for Vulnerabilities #
Developers monitory third party providers for breaches and vulnerabilities, and notify the Technical Lead by email or slack when a breach is detected.
If a security breach is detected, we:
- Evaluate the severity of the incident and determine the urgency of response and resource deployment.
- Identify the classes of data affected by the breach.
- Remove the service provider, or modify use of the service provider.
- Disclose the security incident to users.
- If applicable, we escalate to clients by following the chain on communication described in our service license agreement.
Third party processors are similarly monitored for policy changes, specifically with regard to changes impacting GDPR regulatory requirements.
Third-Party Services and Data Protection #
The Privacy Policy describes the data Nested Knowledge shares with third party service providers.
Contracts with Third Parties #
Contracts with third party service providers must incorporate information security requirements, including data protection and notices of security incidents. We will document roles, responsibilities, and controls between Nested Knowledge and third parties, where applicable. Documentation and risk assessment should be stored in our filesystem drive in the respective directory for the third party provider.
Upon client request, disclosure of all contracts with third party service providers where such third party service providers are involved in the client’s deliverables shall be made.
Compliance and Updates #
At least annually, Nested Knowledge will review third parties vendors to assess compliance with contracts and security standards, and we will update the relevant policies accordingly.
Communicating Updates #
When new third party sub-processors are to be added, data supplied to vendors is to change, or the vendor’s processing agreement are to change, all affected users will be notified via email with at least 7 days notice.
Termination of Services #
When Nested Knowledge terminates a contract with a sub-processor, within 60 days we will request deletion of all personal data. Nested Knowledge will review the data deletion/backup retention policies of our sub-processor and inquire about practices if it is not sufficently documented.
Third-Party Provider Data Breaches #
| Timestamp | Event | Description | Reporting | Status |
|---|---|---|---|---|
07-13-2023 – 07-28-2023 | Detection of vulnerabilities | Vulnerabilities with the H2 database. | Metabase Post-Mortem | No impact on Nested Knowledge data as Nested Knowledge is a Metabase’s Cloud customer. |
03-20-2023 1:00AM PT – 03-20-2023 10:00 AM PT | Leakage of other users’ personal data | Other active users name, email address, credit card number, and credit card expiration date were visible to active Open AI users managing their subscriptions. | Open AI Statement | No impact on Nested Knowledge data. |
| 03-18-2023 | Compromised employee account | Affected 30 accounts in the Cryptocurrency industry. | Hubspot statement | No impact on Nested Knowledge data. |
Revision History #
| Author | Date of Revision/Review | Comments/Description |
|---|---|---|
| K. Kallmes | 1/26/2023 | Reviewed |
| K. Cowie | 1/26/2023 | Drafted |
| K. Holub | 6/24/2024 | Updating subprocessors (remove Airplane.dev) |
| K. Cowie | 10/29/2024 | Reviewed and Updated. Removed Plausible. |
