Last updated: 2026-03-19
Version: 1.1
Applies to: All employees, contractors, and service providers of Research Signals Ltd.
At Signals, we provide a secure Software as a Service (SaaS) platform that publishers, researchers, and research organizations can rely on to assess the value and potential integrity risks of scholarly publications and manuscripts. Our commitment is to adhere rigorously to security best practices, ensuring the robustness of our platform so our users can concentrate on advancing global research.
Corporate Security Governance
Ownership and Scope
- Accountability: Overall responsibility for the security of Signals’ information systems rests with the Signals founding team.
- Review Cycle: This Security Policy is formally reviewed and ratified annually, or immediately following any significant changes to our platform infrastructure or shifts in the threat landscape.
Infrastructure and Resilience
Cloud Hosting Environment
Signals’ operational cloud infrastructure is hosted within Amazon Web Services (AWS) secure data centres, specifically located in Ireland and Germany. AWS maintains ongoing risk management and undergoes continuous, recurring assessments to uphold stringent industry compliance standards, including:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402
- PCI DSS Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Further details on AWS security measures are available here: https://aws.amazon.com/security/
Data Backups and Disaster Recovery
We maintain a robust strategy for data integrity and recovery:
- Automated Backups: Snapshots of the Signals AWS RDS database are taken automatically several times daily and stored in secure, access-controlled, and redundant storage.
- Recovery Point Objective (RPO): Our daily database snapshots ensure a maximum data loss threshold of 24 hours.
- Recovery Time Objective (RTO): We aim to bring Signals back online within 4 hours in the event of a major outage.
- Validation: Restoration tests from backups are performed routinely on an ad-hoc basis. Formal disaster recovery exercises are conducted periodically to validate restoration procedures and confirm recovery timelines.
Risk Management Framework
Continuous Risk Assessment
Signals operates a defined process for the ongoing identification, assessment, and prioritization of security and operational risks.
- Evaluation: Identified risks are analysed based on their calculated likelihood and potential impact.
- Mitigation and Acceptance: Each risk is assigned an owner responsible for developing a mitigation plan or formally documenting and justifying acceptance of the risk.
- Review Frequency: Comprehensive risk assessments are performed at least once per year and following any critical changes to infrastructure, architecture, or business operations.
- Documentation: All risk treatment decisions, including acceptance of risks, are formally documented and require approval from senior management.
Data Privacy and Handling
Privacy Policy Details
Signals maintains a comprehensive, publicly available privacy policy detailing precisely what personal data is collected and how it is used: https://research-signals.com/privacy-policy/.
- Data Minimization: We adhere to the principle of collecting and processing only the minimum personal information necessary for service delivery.
- Access Restriction: Access to all personal data is strictly controlled based on the individual’s role and defined business need.
Core Security Controls
Data Protection and Encryption
- Data in Transit: Signals enforces HTTPS encryption for all data transmitted to and from the application, securing communications.
- Data at Rest: All production data stored within our infrastructure is encrypted using AWS-managed encryption services.
Application Security and Development Lifecycle
Signals employs secure software development methodologies:
- Practices: This includes mandatory peer code reviews, automated testing, and static code analysis.
- Mitigation: We implement internal controls to mitigate all items on the OWASP Top 10 Web Application Security Risks list.
Vulnerability Management and Patching
- Process: Signals follows a formal process for managing vulnerabilities.
- Automation: Automated dependency scanning, static code analysis, and security testing tools are integrated directly into our Continuous Integration/Continuous Deployment (CI/CD) pipeline.
- Remediation: Identified vulnerabilities are triaged based on severity and must be remediated within predefined timeframes.
- Systems Updates: Infrastructure and system components are regularly patched in alignment with vendor security updates.
Access Control Protocol
Our access controls are based on foundational security principles:
- Least Privilege: Access to production systems is strictly limited according to the principle of least privilege.
- Multi-Factor Authentication (MFA): MFA is mandatory for all administrative and cloud infrastructure accounts.
- Lifecycle Management: Access rights are reviewed periodically and immediately revoked upon an employee’s role change or termination.
Monitoring and Alerting
We maintain extensive monitoring and logging capabilities to aid in troubleshooting and proactive issue investigation. The Signals engineering team receives automated alerts immediately upon detection of any anomalous activity.
Incident Response
Signals maintains a defined Incident Response Plan (IRP) designed to manage and mitigate the impact of any security incidents swiftly and effectively. This plan is available here: https://research-signals.com/incident-response-plan/
Employee Security Awareness
All Signals staff must complete security awareness training that meets the recommendations set out by Cyber Essentials. This training is refreshed periodically to ensure staff remain aware of evolving security threats and best practices.
Contact Information
For inquiries regarding this policy or to report a security concern:
📧 Email: security@research-signals.com
📍 Address: 167-169 Great Portland Street, 5th Floor, London, United Kingdom, W1W 5PF