Security

Confidentiality and security is crucial in chemistry, and we take protecting our users' data very seriously. Here's what we do to protect the confidentiality of your data:

• All data is encrypted in transit using TLS/SSL and at rest using LUKS AES-XTS-plain64. Database backups are also encrypted.
• Passwords are additionally encrypted via salting and hashing, ensuring that nobody (even us) can figure out your password. Similarly, API keys are hashed before storage.
• Credit card information never even touches our servers; instead, we use Stripe as our payments processor. Stripe also processes payments for companies you may have heard of—like Slack, OpenAI, Shopify, Google, and Amazon—so they're pretty trustworthy.
• Email verification is required to reset passwords, and users are notified upon any password change.
• Calculations that are deleted are actually deleted—the data is gone for good. (We keep a record that a calculation was run, in case we want to reconcile any usage information, but all actual information is destroyed.)
• Internal users don't have any special access to our website. So if you send us a calculation that didn't work, please make sure it's shared first or we won't be able to see it!
• And, of course, users maintain full control of all intellectual property. Uploading a structure to Rowan doesn't give us any claim to your IP, just like making a presentation in PowerPoint doesn't give Microsoft any claim to your IP. (Our terms and conditions state this clearly.)

Nevertheless, there's a limit to how secure a web application can be. Our software has to be able to read your data in order to load web pages, so your data has to reside in our database. This is no different than how any other website works (email, banking, etc), but we recognize that some data is so confidential that you might not want us to store it at all, and we have a few special features for such cases.

First, our Python API allows you to automatically delete all records of your calculation from our database once it's finished. This makes running calculations through the API stateless. We'll store the calculation information while it's running, but once the result is returned no copy of the data will exist on our servers. This is very simple in practice—just set delete_when_finished=True in the client when running in blocking mode.

import rowan
rowan.api_key = "rowan-sk123456"

client = rowan.Client(blocking=True, delete_when_finished=True)

print(client.compute("pka", input_smiles="c1ccccc1O"))

For cases where even stricter security is necessary, we've also listed our software as an Amazon Machine Image (AMI) on AWS Marketplace. Purchasing the Rowan AMI allows you to launch EC2 instances in your own AWS account that come pre-loaded with all of Rowan's scientific capabilities. You can deploy the AMI inside your own virtual private cloud and run our algorithms on confidential data—if even the CIA runs on AWS, you can be confident that your data is safe there. Our scientific code is pretty user-friendly, but it's not as easy to use as our website, so we'll offer phone/email support and white-glove onboarding for AMI customers.

We care about doing a good job here and are always open to being corrected. If you have an idea for how we could improve our security, let us know at contact@rowansci.com!