Pure

Service scope

Software add-on or extension: No
Cloud deployment model: Private cloud
Service constraints: Pure has multiple configuration options, some of which can be set up during implementation and onboarding. System administrators can edit and configure options throughout the service period. Instructions for doing so will be covered during training, and ongoing support is available throughout the service period.

Maintenance is managed as much as possible in low usage times, such as night time.
System requirements: Internet connectivity

Up to date browser

User support

Email or online ticketing support: Email or online ticketing
Support response times: Category A (critical defect with no workaround), response within 4 hours (during help desk hours only);
Category B (critical defect with workaround), response within 2 working days;
Category C (non-critical defect with no workaround), response within 4 working days;
Category D (non-critical defect with workaround), response within 8 working days.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: Onsite support
Support levels: Access to the Pure help desk is included as part of a customer’s Pure licence.

The Pure help desk provides ongoing technical support to customers. Their primary aim is to make sure customers use Pure efficiently and have the best possible experience with it.

Our help desk is based in the USA, Denmark and Singapore, allowing us to provide the best possible service and response times. Customers can raise a support request using our online ticketing system, email or telephone.

In addition, we provide customers with a Customer Consultant for additional technical support. The Customer Consultant ensures customers use Pure optimally and assists them with any concerns they have that are not issues for the support desk.
Support available to third parties: No

Onboarding and offboarding

Getting started: To help users get started with using Pure, we make the following available to them from day one:
• a dedicated Pure server;
• documentation allowing you to easily explore Pure configurations;
• access to our global Pure Academy training program.

During implementation, the Pure Implementation Manager holds an (optional) on-site workshop. This workshop is tailored to your needs and provides in-depth training about the implementation and configuration of Pure.
Once implementation is nearing the launch phase, your dedicated Pure Customer Consultant will deliver additional training (a combination of onsite and online). Your Customer Consultant has an in-depth knowledge of Pure and best-practices for rolling it out. They will provide continuous training to help you explore the additional functionality in Pure, and will remain as your go-to person for training-related enquiries after launch.
Service documentation: Yes
Documentation formats: HTML

PDF
End-of-contract data extraction: Once their contract ends, users can extract data from Pure using the Pure Web Service API. This allows them to extract their data in XML and JSON format.
End-of-contract process: The costs of the basic end-of-contract process are included in a customer's Pure licence fee.

Elsevier provides guidance to customers about the tasks they need to complete as part of their migration strategy and the expected timeline they must complete these tasks in. This is a once-off meeting. Effort for consultancy, project work, configurations, or any other form of customised work is excluded from the basic process. The actual extraction and transformation of data is the customer's responsibility. Customers are notified well in advance of their contract end date, so they have sufficient time to extract and transfer data.

Once their contract with Elsevier comes to an end, all data and backups are deleted. AWS uses the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process for their storage hardware.

Using the service

Web browser interface: Yes
Supported browsers: Microsoft Edge

Firefox

Chrome

Safari
Application to install: No
Designed for use on mobile devices: No
Service interface: Yes
User support accessibility: WCAG 2.1 AA or EN 301 549
Description of service interface: Customers access Pure in a web-browser. They require credentials from their institution to log in.

The Pure Portal is also accessed in a web-browser. Institutions can control what content is displayed internally and externally on their Pure Portal.
Accessibility standards: WCAG 2.1 AA or EN 301 549
Accessibility testing: We carry out an annual Voluntary Product Accessibility Template (VPAT) assessment, which is conducted by the Elsevier Accessibility team. During this VPAT assessment, we test the Pure interface to ensure it is screen reader friendly and compatible with screen readers such as JAWS, NVDA and Apple's VoiceOver. Pages employ Accessibility for Rich Internet Applications (ARIA) to enhance navigation, orientation and labelling for users of screen readers and other assistive technology.
API: Yes
What users can and can't do using the API: Web services are used to extract data from Pure. Pure contains three open interfaces: SOAP, REST and OAI. Both XML and JSON are supported as output formats.

With each new (major) version, a corresponding new version of the Pure Web Service is also released which includes support for all new additions to the data model introduced in that particular major version of Pure.

The API has endpoints available for most content types in Pure. The access is controlled using API keys; the endpoints available are tied to your API key, which is managed in the Administrator tab of Pure.

NOTE: Not all endpoints will be available — the number of endpoints available depends on your API key and how Pure is configured.

We are currently developing the Pure Write API for populating Pure with content from external sources. This is an evolution of the existing REST web services, to support a backward-compatible read and write REST JSON endpoint for using and managing research information data in Pure. The API currently covers the most commonly used content types: Organisations, Persons, Users, Applications, Awards and Project. We estimate that all content will be accessible via the API by the end of 2023.
API documentation: Yes
API documentation formats: Open API (also known as Swagger)

HTML
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Pure offers functionality through optional modules, which allows only relevant client features to be available. Within the Core module and the optional modules the following is relevant:

• Data can be synchronised into Pure from other institutional systems, where the mapping of data is determined by the client. This is set up during implementation and is subsequently managed by clients. Training will be provided by Elsevier.

• Multiple workflows are present that are highly configurable to ensure relevance to client processes.

• Classifications present can be edited, and new classifications can be added and added to various content templates.

• Pure can reflect institutional name, field naming preferences, system messages, and editable support text. The Pure Portal is templated in terms of functionality, but branding can match the client (logo, colour, text, and messaging).

Scaling

Independence of resources: Pure customers using our standard hosting infrastructure have their own database instance with unique credentials. Our standard hosting offers customers reliable, scalable, and inexpensive cloud computing services via Amazon Web Services.

Analytics

Service usage metrics: Yes
Metrics types: The system captures data around each institution’s usage of Pure. This information includes which features, types of content and maintenance jobs are used in Pure and at which volume. These metrics help to measure the health of an institution’s Pure instance, diagnose and solve problems, as well as prioritise our development work.
Institutions can also capture metrics about the visitors to their Pure Portal using Google Analytics. They set this up from Pure by entering their Google Analytics tracking code.
Reporting types: Real-time dashboards

Reports on request

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Other security clearance
Government security clearance: None

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: European Economic Area (EEA)

Other locations
User control over data storage and processing locations: Yes
Datacentre security standards: Managed by a third party
Penetration testing frequency: At least once a year
Penetration testing approach: Another external penetration testing organisation
Protecting data at rest: Physical access control, complying with another standard

Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Explicit overwriting of storage before reallocation
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Users can export their data in JSON and XML formats using the Pure Web Service API.

It is also possible for users to create lists of data and export them in various formats such as BibTeX, Reference Manager (RIS), HTML and Excel, depending on the type of data.

Pure can also be harvested via OAI-PMH using a variety of metadata formats.

In addition, users can produce reports and export them to PDF, Word, Excel and HTML formats.
Data export formats: Other
Other data export formats: JSON

XML

XLS

HTML

PDF

Word

BibTex

Reference Manager (RIS)

OpenAire
Data import formats: Other
Other data import formats: XML

Reference Manager (RIS)

BibTex

XLS

OpenAire

Data-in-transit protection

Data protection between buyer and supplier networks: TLS (version 1.2 or above)

IPsec or TLS VPN gateway
Data protection within supplier network: TLS (version 1.2 or above)

IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: Our service level agreement (SLA) guarantees a 99.5% system uptime. If availability drops below 99.5%, customers are entitled to receive a service credit. Availability warranties and service credit calculations are outlined in our SLA.
Approach to resilience: Elsevier implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data;
• Ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Outage reporting: Email alerts

Identity and authentication

User authentication needed: Yes
User authentication: Identity federation with existing provider (for example Google Apps)

Username or password

Other
Other user authentication: In addition to supporting federated identity solutions, including SAML2, WAYF, Shibboleth, ADFS and CAS, Pure also supports Active Directory authentication using the LDAP protocol.
Access restrictions in management interfaces and support channels: Pure does not have a management interface. Only authorised Elsevier employees can access the server infrastructure. All access control is reviewed regularly, and system access is audited.

No employee has permanent access to application level data; temporary access is allocated on an individual’s “need to know,” as determined by job functions and requirements. Authorised Elsevier employees access customer environments via two-factor authentication. We maintain a full audit trail of Elsevier staff logins to customer environments and review this log regularly.
Access restriction testing frequency: At least every 6 months
Management access authentication: Public key authentication (including by TLS client certificate)

Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: User-defined
Access to supplier activity audit information: No audit information available
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: SGS United Kingdom Ltd
ISO/IEC 27001 accreditation date: 29/7/2021
What the ISO/IEC 27001 doesn’t cover: We hold 27001:2013 Certification. The Information Security Management System (ISMS) provides the management of information security arrangements and activities that support the delivery of information services for Institutional Products and Clinical Solutions globally.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Cyber essentials: No
Cyber essentials plus: No
Other security certifications: Yes
Any other security certifications: EU-U.S. Privacy Shield

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Elsevier has implemented policies, standards, and guidelines aligned with ISO 27002 domains that govern data access, protection, transport, restriction, retention, deletion, and classification. Policies, standards, and guidelines are reviewed and updated regularly.

We maintain a dedicated Information Security and Data Protection organisation, headed by our Chief Security Information Officer, who is responsible for these policies, standards and guidelines and ensuring all employees adhere to them.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Our change management process follows best industry practices.
Vulnerability management type: Supplier-defined controls
Vulnerability management approach: Services, processes, and technology are implemented to execute internal and external vulnerability scans to identify new application and system vulnerabilities. Identified risks are assessed for their potential impact along with determining appropriate response and remediation actions. We use a combination of network security testing, application security testing, application code review, and penetration testing to assess our information security program, and enhance it appropriately.
Protective monitoring type: Supplier-defined controls
Protective monitoring approach: Elsevier’s Information Security and Data Protection (ISDP) team continuously monitor and respond 24/7 to security events. The ISDP team will assess any identified risks for their potential impact and determine the appropriate response and remediation actions.

To ensure monitoring is as thorough as possible, Elsevier uses a combination of automated and manual solutions to inspect applications and identify any vulnerabilities that require remediation.
Incident management type: Supplier-defined controls
Incident management approach: Elsevier manages incidents using a well-established Security Incident Response process. This process covers all security incidents, including hacker, denial of service, lost asset and virus/worm incidents.

When an incident occurs, it is promptly handled by our dedicated Information Security & Data Protection team. They will restore service as soon as possible, determine the cause of the incident, and take appropriate steps to prevent future incidents.

Elsevier’s incident response and notification policy sets out how users are notified in the event of information being compromised. We conduct security incident disclosures in compliance with all appropriate regulatory policies and applicable statutory guidelines.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Fighting climate change: Fighting climate change

Implementation of Pure, as an AWS-hosted product, can influence environmental protection and improvement. We use Amazon Web Services (AWS) for web hosting. For details on their commitment to sustainability in the cloud, see https://sustainability.aboutamazon.com/environment/the-cloud?energyType=true. With different initiatives – such as renewable energy projects, energy efficiency in scale, and water stewardship – AWS enables effective stewardship of the environment in a variety of ways. Using an AWS-hosted, cloud-based product can be an energy-efficient and more environmentally friendly choice than a standard self-hosted product. We also are mindful of emissions during implementation from travel. When possible, we connect remotely rather than traveling to your location for meetings and training during implementation. In our own operations (including business travel), our emissions were net zero in 2021 through a combination of reduced emissions and the purchase of renewable energy and renewable energy certificates, with the balance offset through Verified Carbon Standard (VCS) credits in a REDD+ carbon sequestration project. Our parent company, RELX, supports global efforts to mitigate climate change through the rapid reduction of greenhouse gas emissions, aiming to achieve net zero emissions by 2040. Also see https://sdgresources.relx.com.
Covid-19 recovery: Covid-19 recovery

Pure supports COVID-19 recovery in a variety of ways.
1) To support people and community recovery, institutions can showcase COVID-19 research and information to promote the disbursement of sound, scientific knowledge within the institution and wider community.
2) To support health and reduced demand on public services:
-As a cloud product, employees using Pure can work from any location, supporting new ways of working.
-With ease of reporting and built-in workflows, employees’ tasks are easier and less time consuming. Reducing routine and mundane tasks contributes to better mental health, and frees up time for other work.
3) To support workplace conditions:
-As an online product, Pure enables working from non-office locations for effective social distancing; remote and flexible working; and flexible commute times.

Pricing

Price: £20,000 to £250,000 an instance a year
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: Functionality and configuration can be tested in a sandbox environment with test data for a limited time period, to be agreed with the client.

Features

Benefits

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Pricing

Service documents

Cookies on Digital Marketplace

Pure

Features

Benefits

Pricing

Service documents

Framework

Service ID

Contact

Service scope

User support

Onboarding and offboarding

Using the service

Scaling

Analytics

Resellers

Staff security

Asset protection

Data importing and exporting

Data-in-transit protection

Availability and resilience

Identity and authentication

Audit information for users

Standards and certifications

Security governance

Operational security

Secure development

Public sector networks

Social Value

Pricing

Service documents