// Trust & Security Report

    Capacities Labs GmbH logo

    Capacities Labs GmbH

    Capacities - knowledge management platform with object-based note-taking, AI assistant features, and integrations (web, desktop, mobile)

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR
    HELD

    Capacities is GDPR compliant. The General Data Protection Regulations are among the highest data protection laws in the world. At Capacities, we give these rights not only to them but to all of our users globally.

    Verify on docs.capacities.io
    > Show 10 unconfirmed / not-held certifications
    SOC 2 (Type 1 or 2)
    NOT CONFIRMED

    No public evidence of SOC 2 certification found in vendor documentation, trust center, or public disclosures.

    source: capacities.io
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found in vendor documentation, trust center, or public disclosures.

    source: capacities.io
    HIPAA
    NOT CONFIRMED

    No public evidence or mention of HIPAA compliance. Not marketed as healthcare-compliant product.

    source: capacities.io
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification. Not a payment processing platform.

    source: capacities.io
    ISO 27017 (Cloud security)
    NOT CONFIRMED

    No public evidence of ISO 27017 certification found in vendor documentation.

    source: capacities.io
    ISO 27018 (Personal data in cloud)
    NOT CONFIRMED

    No public evidence of ISO 27018 certification found in vendor documentation.

    source: capacities.io
    ISO 27701 (Privacy management)
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found in vendor documentation.

    source: capacities.io
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification. Company has published clear AI training policy (no training on customer data) but not pursued formal AI governance certification.

    source: capacities.io
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification found in vendor documentation.

    source: capacities.io
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP certification. Not marketed for US government use.

    source: capacities.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    European Union (stored on encrypted disks in EU; backups on multiple encrypted long-term storage disks in different locations in Europe)

    Explicitly stated: 'Your content is not used to train models.' AI features are opt-in. Third-party AI providers are contractually prohibited from using customer data for model training, fine-tuning, or product improvement analytics. Data is not retained after processing.

    // Security controls

    Encryption in transit

    TLS 1.2 or higher; all data transfers employ secure connections

    docs.capacities.io

    Encryption at rest

    Industry-standard encrypted disk storage; all data stored on encrypted disks; only Capacities can decrypt

    docs.capacities.io

    Media file security

    Signed URLs with access tokens that expire after 12 hours

    docs.capacities.io

    Infrastructure isolation

    Production servers physically separated from development environment; access restricted to single password-protected computer with secret key; services operate in containers with restricted inter-communication

    docs.capacities.io

    Data backup strategy

    Daily backups to multiple encrypted long-term storage disks in different EU locations; backup and restore mechanisms regularly tested

    docs.capacities.io

    Multi-factor authentication

    Two-factor authentication (2FA) available for account protection

    docs.capacities.io

    Third-party access

    Strictly protects data against third-party access; even cloud provider cannot access user data; data not sold or used for advertising

    docs.capacities.io

    Compliance auditing

    Regular audits and monitoring of third-party service providers' compliance standards; however, no public third-party security audit or penetration test results available

    capacities.io

    End-to-end encryption

    NOT implemented by design. Company explicitly chose not to implement E2EE to maintain API compatibility, AI features, and third-party integrations (WhatsApp, email, calendar, Readwise). Data encrypted in transit and at rest on company servers instead.

    docs.capacities.io

    // Products & data scope

    Capacities Web & DesktopKnowledge management / Note-taking

    data: All user notes, documents, objects, connections, custom properties, media files, AI conversation history

    Free tier and paid Pro/Believer tiers; all tiers receive same privacy protections globally

    Capacities MobileKnowledge management / Note-taking

    data: Access to user knowledge base on mobile devices with same encryption and security

    Mobile apps available on iOS and Android

    Capacities APIDeveloper integration

    data: Programmatic access to user data through REST API

    Same security and encryption standards apply; documentation at docs.capacities.io/developer/api

    // What to watch

    • No formal security certifications (SOC 2, ISO 27001) publicly available—typical for growth-stage vendor but notable for buyers seeking formal compliance attestation
    • No dedicated trust center or security page—compliance information scattered across privacy policy and documentation
    • No public third-party security audit or penetration test results published
    • Deliberately not end-to-end encrypted (architectural choice for API/integration support); transparent about trade-offs but not suitable for max-security use cases
    • Company size and maturity: ~50,000 users, user-funded (not VC), young company—represents growth rather than enterprise maturity
    • AI training policy is explicitly customer-friendly (no training on customer data) but not formally certified via ISO 42001 or similar

    // At a glance

    Pricing model

    Freemium (free forever plan) + paid subscriptions (Pro, Believer annual plans); user-funded, not VC-backed

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Capacities Labs GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    capacities.io

    > Browse all vendor trust reports