Security Brief

SYNTHIA® is a cloud-based retrosynthesis software solution developed and commercialized by Merck KGaA, Darmstadt, Germany, and its affiliates. The platform is designed to enable chemists to efficiently plan synthetic routes for both novel and published molecules. Security and data protection are foundational to SYNTHIA®, as evidenced by its ISO 27001:2022 certification and top-tier cybersecurity ratings. This document provides a factual overview of the security measures, certifications, and practices in place for SYNTHIA®, referencing only the attached and officially published sources.
Security Framework Overview
An outline of core security domains and practices across governance, infrastructure, compliance, and risk management.
Information Security Governance
ISO 27001 Certification
SYNTHIA® is certified to the ISO/IEC 27001:2022 standard for Information Security Management Systems (ISMS). This certification covers the development and commercialization of SYNTHIA® and other digital solutions, ensuring a systematic approach to managing sensitive information and mitigating risks. The certification is attached.
CyberVadis Platinum Rating
In 2025, Merck received a Platinum medal from CyberVadis for outstanding cybersecurity performance, reflecting mature and comprehensive security controls across data privacy, data protection, business continuity, and third-party management.
Data Privacy and Compliance
A formal data protection policy is in place, and the Data Protection Function is responsible for the protection of personal data (PII). Retention periods for personal data are identified, and procedures for deletion, modification, and portability are formalized. All processing of personal data is lawful, and necessary data privacy clauses are included in contracts. The organization complies with GDPR and other applicable data privacy regulations and has processes for notifying individuals and regulators in the event of a data breach.
Application and Infrastructure Security
Secure Development Lifecycle
SYNTHIA® follows a secure software development lifecycle (SSDLC), including static and dynamic application security testing (SAST/DAST), vulnerability management, and code reviews. Penetration testing and vulnerability analysis are conducted at least annually, with continuous integration of security testing in the development pipeline. Threat modeling and architecture reviews are performed regularly.
Encryption
Data is encrypted in transit using HTTPS (TLS) and at rest using cloud-managed encryption. Encryption keys are managed via a key management system (KMS). All passwords are stored in salted and hashed form.
Access Control
Role-based access control (RBAC) is enforced, with multi-factor authentication (MFA) for user login. Access rights are periodically reviewed, and the principle of least privilege is implemented for all users. Segregation of duties and separate accounts for administrative tasks are in place.
Logging, Monitoring, and Incident Response
Security events and incidents are managed according to a formalized process, with logs protected from tampering and unauthorized access.
Network and Endpoint Security
SYNTHIA® is protected by Web Application Firewalls (WAF), intrusion detection/prevention systems (IDS/ IPS), and data loss prevention (DLP) mechanisms.
Distributed Denial of Service (DDoS) protection is implemented at the infrastructure level.
Workstations and corporate storage media are encrypted, patched regularly, and protected against unauthorized access and malware.
Cloud Infrastructure
SYNTHIA® is hosted on Amazon Web Services (AWS), which is regularly audited for ISO 9001, ISO/IEC 27001, ISO/IEC 27018, and SOC 2 compliance. The platform follows AWS Well-Architected Framework best practices, including private subnetting, key management, and continuous monitoring. Secure configuration, firewall, and malware protection are implemented at both the application and infrastructure levels.
Business Continuity and Disaster Recovery
Business continuity management and disaster recovery plans are formalized and periodically tested. Data backups are encrypted and performed daily.
Third-Party and Supply Chain Security
Third-party access is restricted to specific systems and is governed by contracts that include security requirements, NDAs, and audit rights. Third-party risk assessments are conducted, and cloud providers must provide evidence of business continuity and incident response plans, as well as official security certifications.
Compliance and Regulatory Alignment
SYNTHIA® is compliant with ISO 27001:2022 and GDPR. Local compliance requirements are tracked and adopted as needed. The platform does not process payment data and is not subject to PCI DSS requirements.
Security Awareness and Training
Information security and data privacy awareness programs are in place for all staff, including social engineering training and a clear desk policy. New hires, contractors, and temporary workers are required to sign a code of ethics or NDA, and background checks are conducted.
Key Security Features
Comprehensive data privacy, protection, and compliance controls
Secure development lifecycle, regular penetration testing, and continuous vulnerability management
Encryption of data at rest and in transit, robust access control, and multi-factor authentication (MFA)
Business continuity, disaster recovery, and daily encrypted backups
Secure AWS cloud infrastructure with regular audits and best-practice architecture
Strong third-party and supply chain security management
