Page last updated on February 26, 2026
Certara, Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2026-02-26 06:55:04 EST.
Filings
10-K filed on 2026-02-26
Certara, Inc. filed a 10-K at 2026-02-26 06:55:04 EST
Accession Number: 0001827090-26-000011
Item 1C. Cybersecurity.
We are committed to safeguarding our customers' information that is shared with us in the application of the software and services we contractually provide to them. Our information systems, including our cybersecurity program, risk management systems, processes and governance, reflect our dedication to meeting industry cybersecurity standards.
Risk Management and Strategy
We have implemented a comprehensive cybersecurity and data privacy program as part of our risk management processes to assess, identify and manage risks posed to our business by cybersecurity threats. We embed cybersecurity considerations into every material aspect of our operations, and our focus encompasses a proactive approach that involves continuous monitoring to swiftly detect and respond to cybersecurity threats. Our cybersecurity risk management processes are grounded in industry best practices, including NIST 800-53, ISO 27001:2022, CIS Top 18, OWASP Top 10, and Security by Design and are intended to prevent adverse effects on the confidentiality, integrity and availability of our information systems and information residing therein.
Our cybersecurity processes have been integrated into our risk and change management processes in order for us to assess, identify, and manage risks related to cybersecurity threats and ensure compliance with our legal and contractual obligations, which require us to safeguard the confidential and sensitive information provided to us by our customers. For example, we use various methods and tools to identify and assess cybersecurity threats across all assets in our technical landscape, such as vulnerability scanning, penetration testing, threat intelligence, risk assessments, and audits from customers. We regularly engage third-party assessors, service providers, consultants, and auditors to support and review our risk management processes and to provide independent validation and verification of our security posture.
We have established processes to oversee and identify risks from cybersecurity threats associated with our use of third-party assessors and service providers, such as due diligence, contractual language, monitoring and periodic vendor evaluation and qualification. We maintain robust cybersecurity threat procedures, which include escalating threats to the appropriate level of risk management, mitigation, remediation and the assessment of materiality of cybersecurity threats, or a series of related incidents, that may materially affect or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. We disclose information regarding our cybersecurity and privacy program and practices on our website and in our public-facing notices.
Furthermore, we conduct annual cybersecurity awareness training for our employees in order to provide them with the knowledge necessary to navigate the digital landscape securely. We understand that cybersecurity is not a static concept but a dynamic discipline, and our security and privacy program reflects this by incorporating internal and third-party audits, penetration testing, active vulnerability scanning, simulated phishing programs and a continuous improvement mindset.
As of December 31, 2025, we were not aware of any cybersecurity threats that have materially affected, or are reasonably likely to affect, the Company, including its business strategy, results of operations or financial condition. As discussed more fully under Part 1, Item 1A. Risk Factors, the sophistication of cyber threats continues to increase, and the preventative actions the Company takes to reduce the risk of cyber incidents and protect its systems and information may be insufficient.
No matter how well designed or implemented the Company's cybersecurity controls are, it will not be able to anticipate all security breaches, and it may not be able to implement effective preventive measures against cybersecurity breaches in a timely manner. See Part 1, Item 1A. Risk Factors entitled "Risks Related to Intellectual Property, Information Technology and Data Privacy" included elsewhere in this Annual Report on Form 10-K.
Governance
We have established a corporate governance framework that provides oversight and strategic guidance for our cybersecurity and data privacy program. Our Board of Directors (the "Board") oversees our cybersecurity and data privacy program, including risks associated with cybersecurity threats. Our Board's Audit Committee supports the Board in this oversight role and is specifically focused on monitoring cybersecurity and data privacy risks, including incident response readiness, timely identification and assessment of cybersecurity threats, cybersecurity incident recovery processes, and business continuity considerations.
We have established defined roles and responsibilities for assessing and managing risks associated with cybersecurity threats, including designated executive-level and management-level positions or committees. Oversight of our cybersecurity and privacy program is carried out by our Security and Privacy Program Office ("SPPO"), which comprises leaders from our legal and information technology ("IT") functions. The SPPO reports to our Head of Information Technology, who serves as the accountable executive for our cybersecurity program. Executive leadership, across our functional and business units, working in coordination with the SPPO, is responsible for ensuring organizational compliance with data protection regulations and the implementation of related risk-mitigation controls.
Our Head of Information Technology and our Director, Compliance Standards & Data Privacy ("DCSDP") oversee the development, implementation, and monitoring of the cybersecurity and data privacy policies, standards, procedures, and controls that govern our information systems and data-processing activities. Our Head of Information Technology brings more than 30 years of experience in IT infrastructure, cybersecurity operations, and site reliability engineering within software and services organizations, including 16 years of experience supporting SaaS environments that handle sensitive customer data. The DCSDP also has over 30 years of experience in IT with the last 13 years focused on compliance and data privacy matters at Certara. Our DCSDP reports directly to our SVP of Information Technology. Our SVP, Information Technology, in turn, reports to the Audit Committee.
The IT Security team and DCSDP jointly coordinate the response to and remediation of cybersecurity incidents and data breaches. They also provide updates on the status and effectiveness of our security and privacy program to the SPPO, the Board and the Audit Committee on a quarterly basis, or more frequently when circumstances require. We have established processes to ensure that management is informed about and actively monitors cybersecurity threat prevention, detection, mitigation, and, when necessary, incident remediation. These processes include established reporting, escalation, and communication protocols, as well as periodic reviews and audits of our cybersecurity and data privacy program.
Company Information
| Name | Certara, Inc. |
| CIK | 0001827090 |
| SIC Description | Services-Prepackaged Software |
| Ticker | CERT - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 31 |