Security

Protecting customer data and IP is crucial to what we're building. Computational chemistry workflows handle structures, targets, and assay data that represent years of research and business-critical IP for our customers. We take no ownership over that work, and we treat protecting it as a core product responsibility.

This page describes our current security practices honestly. We welcome direct conversations with security and procurement teams at security@rowansci.com. If you're comparing deployment models, see our deployment options page.

This page is informational only and does not form part of any contract unless explicitly incorporated into a signed agreement.

Account security & access

User accounts are protected using modern authentication safeguards:

Secure OAuth2-based authentication with automatic session refresh, including single sign-on (SSO)
Email verification required for password resets, with email notification upon reset
Email notifications when an account email address is changed or when two-factor authentication (2FA) is enabled or disabled
Two-factor authentication (2FA) via authenticator apps
Ability to log out of all active sessions

Organization security controls

Rowan provides organization administrators with fine-grained access controls:

Role-based access controls for administrators and members
Per-project visibility and edit permissions
Centralized user management and instant access revocation
IP allowlisting: administrators may restrict platform access to approved IP ranges

Additionally, Rowan can configure additional security features for organizations:

Mandatory 2FA and SSO enforcement: require all organization members to authenticate via 2FA or a configured SSO provider
Disable public sharing: prevent any organization member from sharing results or projects externally
Disable external data integrations: block access to external databases (e.g., RCSB PDB, PubChem) to prevent inadvertent data egress or IP disclosure

These controls are designed to satisfy the requirements of IT and security teams at pharmaceutical and materials-science organizations.

Data ownership & model training

Customers retain full ownership of all input data, structures, sequences, and computational results. Rowan does not acquire any license or intellectual property rights through your use of the platform. We do not use customer data to train machine learning models without explicit written permission.

Security certifications & program

Rowan is not currently SOC 2 certified. We are building the internal controls and documentation to support certification, and we are prepared to prioritize undergoing a formal audit when required by a customer. Contact security@rowansci.com to discuss your requirements.

Secure development practice

Security is integrated into our development process. We follow secure coding practices including input validation and SQL injection prevention and conduct informal threat modeling for features that touch customer data.

Cyber insurance

Rowan maintains dedicated cyber liability insurance, including:

Up to $1M in cyber liability coverage
Data breach and security incident coverage
Incident response, forensic investigation, and legal/regulatory response costs
Business interruption coverage
Cyber extortion and fraud protection

Encryption & data protection

Customer data is protected using industry-standard encryption:

Encryption in transit via TLS/SSL
Encryption at rest via LUKS AES-XTS-plain64
Passwords salted and hashed; API keys hashed before storage
Database backups encrypted

We perform daily encrypted backups of our production database and retain seven days of rolling backups. Backups are accessible only to authorized personnel for operational recovery.

Credit card information never touches Rowan systems; all payment processing is handled by Stripe.

Internal access controls

What we monitor

Rowan monitors job metadata to detect failures and improve the platform:

Workflow submission, start, and completion times
Workflow types submitted
Which users submitted workflows

We deliberately do not monitor data that could compromise customer IP:

We do not monitor input structures, sequences, or parameters
We do not monitor job names, which may contain identifiable information

Personnel access

Access to production systems is restricted to Rowan engineering staff. At present, a small number of employees have database-level access required to operate and maintain the platform.

Infrastructure & hosting

Rowan uses established cloud infrastructure providers for hosting and compute:

Amazon Web Services — compute and storage
DigitalOcean — primary database hosting (United States)
Modal — on-demand compute for simulation workloads
Microsoft Azure — supplementary compute

Customer data is stored in a DigitalOcean-managed database located in the United States. Enterprise deployments with alternative hosting, data residency, or VPC arrangements are available. Read more about deployment options.

Sub-processors

The following third-party sub-processors may handle customer data:

Sub-processor	Purpose
DigitalOcean	Primary database hosting
Amazon Web Services	Compute and storage
Modal	On-demand compute
Microsoft Azure	Supplementary compute
Stripe	Payment processing

Organization customers may request a Data Processing Addendum (DPA) governing sub-processor obligations, breach notifications, cross-border data transfers, and data return and deletion procedures.

Data retention & export

Data is retained until a customer requests deletion. Organization customers may request automatic data-deletion policies for time-limited retention. We support data export in XYZ, SDF, CSV, JSON, and PDB formats.

Vulnerability disclosure

If you discover a security vulnerability in Rowan's platform, please report it to security@rowansci.com. We will acknowledge receipt within 48 hours and work to remediate confirmed vulnerabilities promptly. We ask that you give us reasonable time to investigate before public disclosure.

We do not offer bug bounties.

Questions & security reviews

We recognize that security reviews are a normal part of enterprise procurement, and we want to make that process as smooth as possible. We are happy to:

Complete security questionnaires
Provide documentation on specific controls
Schedule a call with your IT, legal, or compliance team
Execute a DPA

Reach us at security@rowansci.com.