Security

Confidentiality and security are crucial in chemistry, and we take protecting our users' data seriously.

This page describes our current security practices. It is informational only and does not form part of any contract unless explicitly incorporated into a signed agreement.

Account Security & Access

We protect user accounts using modern authentication safeguards:

• Secure OAuth2-based authentication with automatic session refresh
• Support for Google sign-in for eligible accounts
• Email verification required for password resets (users are also notified via email upon password reset)
• Coming soon: email notifications when an account email address is changed
• Optional multi-factor authentication (MFA) via authenticator apps
• Email notifications when 2FA is enabled/disabled
• Ability to log out of all active sessions

Organization Security Controls

Rowan provides organization-level controls to help teams manage access to sensitive data and projects:

• Role-based access controls for administrators and members
• Fine-grained control over who can view or modify each project
• Centralized user management and access revocation

Organization accounts also support IP-based access restrictions, allowing administrators to restrict access to approved IP addresses or ranges.

Security Certifications

Rowan is not currently certified under formal security frameworks such as SOC 2. We are actively building our internal controls and processes to align with industry best practices and intend to pursue SOC 2 certification as our organization and systems mature.

Formal penetration testing is not yet part of our security program; we plan to incorporate it alongside our SOC 2 efforts.

Until then, we continue to invest in security, monitoring, and access controls, and we welcome customer feedback.

Cyber Insurance Coverage

Rowan maintains dedicated cyber liability insurance to support incident response and risk management.

Our current coverage includes:

• Up to $1M in cyber liability coverage
• Coverage for data breaches and security incidents
• Incident response and forensic investigation costs
• Legal and regulatory response expenses
• Business interruption resulting from security failures
• Cyber extortion and fraud protection
• Public relations and reputational response costs

This coverage is designed to support rapid recovery and customer protection in the event of a confirmed security incident.

Encryption & Data Protection

Customer data is protected using industry-standard encryption technologies:

• Encryption in transit using TLS/SSL
• Encryption at rest using LUKS AES-XTS-plain64
• Passwords salted and hashed
• API keys hashed before storage
• Database backups are encrypted

We perform daily encrypted backups of our production database and retain seven days of rolling backups. Backups are stored securely and are accessible only to authorized personnel for operational recovery purposes.

Credit card information never touches Rowan systems; instead, we use Stripe as our payments processor.

Internal Access

Monitoring

Rowan monitors job metadata, both through automated dashboards and manually, to help us detect failures and improve our platform. Specifically, we monitor:

• When workflows were submitted, when they started running, and when they completed (or failed).
• What types of workflows are submitted.
• Which users submit workflows.

We do not monitor data that might compromise customer IP. Specifically:

• We do not monitor any input structures, sequences, or settings.
• We do not monitor job names, as these sometimes contain identifiable information.

Personnel Access

Access to production systems is limited to Rowan staff. At present, a small number of employees have database-level access required to operate and maintain the platform.

In the event of a confirmed breach, affected customers will be notified in accordance with applicable law and contractual obligations.

Infrastructure & Hosting

Rowan uses third-party cloud infrastructure providers for hosting and compute, including:

• Amazon Web Services
• DigitalOcean
• Modal
• Azure

Customer data is typically stored in a DigitalOcean-hosted database in the United States.

Enterprise deployments with alternative hosting or database arrangements are available.

Data & Privacy

Data Processing & Legal Protections

Organization customers may execute a Data Processing Addendum (DPA), which governs:

• Sub-processor obligations
• Breach notifications
• Cross-border data transfers
• Data return and deletion procedures

Data Retention & Deletion

By default, data is retained unless a customer requests deletion. Operational backups are retained separately for disaster recovery.

We offer configurable data auto-deletion policies for organization customers who prefer time-limited retention.

Data Export & Control

Customers maintain full control of their intellectual property. Uploading a structure to Rowan doesn't give us any claim to your IP, just like making a presentation in PowerPoint doesn't give Microsoft any claim to your IP. We do not use customer data to train machine learning models without explicit permission.

We support export of computational data in formats including XYZ, SDF, CSV, JSON, and PDB.

Questions & Security Requests

Security is an ongoing commitment. If you have specific requirements or ideas for improvement, please reach out at contact@rowansci.com.