Data Security and Privacy Policy

1. Overview

This Data Security and Privacy Policy describes Chemetrian's comprehensive approach to protecting customer data, intellectual property, and sensitive information. This policy supplements and consolidates the data protection provisions set forth in the Chemetrian Software Subscription Agreement.

2. Strictly Necessary Data Retention

2.1 Data Processing Architecture

Chemetrian operates on a strict data retention model for customer content. Your molecular structures and experimental data never leave your control:

• All processing occurs in isolated sessions
• Data is retained only for the duration of your subscription
• Data can be purged on request

3. Machine Learning and AI Protection

3.1 Prohibition on AI Training

Provider will not use customer data to train or improve machine learning models outside of customer's knowledge. This prohibition is absolute and applies to all forms of artificial intelligence development.

3.2 Anonymized ML Architecture

Our AI models work on numerical relationships and patterns, not specific molecules. Masked or tokenized inputs provide identical predictive performance. The algorithms learn statistical patterns (e.g., "variable X correlates with outcome Y"), not your proprietary structures. Even if molecular identifiers are masked, our predictions remain equally accurate.

3.3 Third-Party LLM Isolation

Literature search agents and natural language processing features use only public domain information. No proprietary molecular data, experimental results, or customer content is transmitted to external AI services (including but not limited to OpenAI, Anthropic, or similar providers). Users maintain complete control over what information, if any, is submitted to literature search tools.

4. Data Encryption and Transmission Security

4.1 Encryption at Rest

All customer content stored during active sessions is encrypted using AES-256 encryption. Encryption keys are managed through industry-standard key management systems and are rotated regularly in accordance with security best practices.

4.2 Encryption in Transit

All data transmitted between customer systems and Chemetrian services is encrypted using TLS 1.2 or higher. We enforce secure HTTPS connections for all web-based interfaces and API communications.

5. Access Controls and Authentication

5.1 User Authentication

Customer is responsible for protecting the confidentiality of user passwords and login credentials.

5.2 Role-Based Access Control

Access to customer content is restricted to authorized users within customer's organization. Chemetrian personnel do not access customer content except as strictly necessary to provide Technical Support or maintain the cloud service, and only with customer's explicit authorization.

6. Security Infrastructure

6.1 Security Policy

Provider uses commercially reasonable efforts to secure the Cloud Service from unauthorized access, alteration, or use and other unlawful tampering. Our security measures include:

• Network Security: Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) monitor and protect against unauthorized access attempts.
• Vulnerability Management: Regular security assessments, penetration testing, and vulnerability scanning to identify and remediate potential security weaknesses.
• Security Monitoring: 24/7 monitoring of security events and automated alerting for suspicious activities or potential security incidents.

6.2 Backup and Disaster Recovery

Chemetrian maintains redundant infrastructure and disaster recovery capabilities to ensure service availability and business continuity. System configurations and service infrastructure are backed up regularly.

7. Data Retention and Deletion

7.1 Customer Content Deletion

Upon customer's request following termination or expiration, provider will delete customer content within 30 days or sooner upon request.

7.2 Backup Retention

Chemetrian may retain customer content in accordance with standard backup or record retention policies maintained in the ordinary course of business or as required by applicable laws.

8. Confidentiality Obligations

8.1 Non-Use and Non-Disclosure

Chemetrian will not use or disclose customer's confidential information except as authorized in the Agreement or as needed to provide the cloud service. Customer content is classified as confidential information and receives comprehensive protection under our confidentiality framework.

8.2 Prohibition on Commercial Use

Chemetrian shall not sell, license, disclose, transfer, or otherwise make available customer confidential information to any third party for Chemetrian's own benefit or commercial purposes. This prohibition specifically applies to customer content, experimental data, and intellectual property.

8.3 Permitted Disclosures

Chemetrian may disclose customer confidential information only to employees, advisors, contractors, and representatives who have a legitimate need to know and are bound by confidentiality obligations at least as protective as those in the Agreement.

9. Personal Data and GDPR Compliance

9.1 Data Processing Agreement

Before submitting personal data governed by GDPR, customer must enter into a data processing agreement (DPA) with Chemetrian. The DPA establishes the parties' respective obligations as data controller and data processor under GDPR.

9.2 Prohibited Data

Unless specifically authorized in the Order Form or Key Terms, customer will not submit prohibited data to the cloud service, including:

• Patient, medical, or protected health information regulated by HIPAA
• Credit, debit, or bank account numbers
• Social security numbers or government ID numbers
• Special categories of data as defined in GDPR

10. Security Incident Response

10.1 Incident Detection and Response

Chemetrian maintains security incident response procedures to detect, investigate, and respond to potential security incidents. Upon detecting a security incident that affects customer content or personal data, Chemetrian will:

• Promptly investigate the incident to determine its nature and scope
• Take reasonable measures to contain and remediate the incident
• Notify affected customers in accordance with applicable laws and contractual obligations

10.2 Breach Notification

In the event of a confirmed data breach affecting customer data, Chemetrian will notify customer within 72 hours of confirming the breach, or such shorter timeframe as required by applicable data protection laws. Notification will include available information about the nature of the breach, affected data, and remediation measures taken or planned.

11. Regulatory Compliance

11.1 Applicable Laws

Chemetrian complies with all applicable laws in performing its obligations under the Agreement. This includes compliance with data protection laws, export control regulations, and industry-specific requirements applicable to pharmaceutical and chemical research.

11.2 Export Controls

Customer acknowledges export control obligations and represents that it is not located in an embargoed country and is not designated on any prohibited or sanctioned parties lists. Chemetrian reserves the right to terminate access if necessary to comply with export controls and sanctions laws.

12. Policy Updates and Modifications

12.1 Material Changes

Chemetrian may update this Data Security and Privacy Policy from time to time to reflect changes in security practices, legal requirements, or service offerings. Material changes that reduce customer's privacy or security protections will be communicated to customer with at least 30 days' advance notice.

13. Contact Information

For questions regarding this Data Security and Privacy Policy or Chemetrian's data protection practices, please contact:

Chemetrian, LLC
Email: info@chemetrian.com
Phone: 1-630-303-6534
Support Hours: 9:00 AM – 5:00 PM Central Time (excluding Federal Holidays)