// Trust & Security Report
Capacities Labs GmbH
Capacities - knowledge management platform with object-based note-taking, AI assistant features, and integrations (web, desktop, mobile)
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on docs.capacities.io“Capacities is GDPR compliant. The General Data Protection Regulations are among the highest data protection laws in the world. At Capacities, we give these rights not only to them but to all of our users globally.”
> Show 10 unconfirmed / not-held certifications
source: capacities.ioNo public evidence of SOC 2 certification found in vendor documentation, trust center, or public disclosures.
source: capacities.ioNo public evidence of ISO 27001 certification found in vendor documentation, trust center, or public disclosures.
source: capacities.ioNo public evidence or mention of HIPAA compliance. Not marketed as healthcare-compliant product.
source: capacities.ioNo public evidence of PCI DSS certification. Not a payment processing platform.
source: capacities.ioNo public evidence of ISO 27017 certification found in vendor documentation.
source: capacities.ioNo public evidence of ISO 27018 certification found in vendor documentation.
source: capacities.ioNo public evidence of ISO 27701 certification found in vendor documentation.
source: capacities.ioNo public evidence of ISO/IEC 42001 certification. Company has published clear AI training policy (no training on customer data) but not pursued formal AI governance certification.
source: capacities.ioNo public evidence of CSA STAR certification found in vendor documentation.
source: capacities.ioNo public evidence of FedRAMP certification. Not marketed for US government use.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
European Union (stored on encrypted disks in EU; backups on multiple encrypted long-term storage disks in different locations in Europe)
Explicitly stated: 'Your content is not used to train models.' AI features are opt-in. Third-party AI providers are contractually prohibited from using customer data for model training, fine-tuning, or product improvement analytics. Data is not retained after processing.
// Security controls
Encryption in transit
TLS 1.2 or higher; all data transfers employ secure connections
docs.capacities.ioEncryption at rest
Industry-standard encrypted disk storage; all data stored on encrypted disks; only Capacities can decrypt
docs.capacities.ioInfrastructure isolation
Production servers physically separated from development environment; access restricted to single password-protected computer with secret key; services operate in containers with restricted inter-communication
docs.capacities.ioData backup strategy
Daily backups to multiple encrypted long-term storage disks in different EU locations; backup and restore mechanisms regularly tested
docs.capacities.ioMulti-factor authentication
Two-factor authentication (2FA) available for account protection
docs.capacities.ioThird-party access
Strictly protects data against third-party access; even cloud provider cannot access user data; data not sold or used for advertising
docs.capacities.ioCompliance auditing
Regular audits and monitoring of third-party service providers' compliance standards; however, no public third-party security audit or penetration test results available
capacities.ioEnd-to-end encryption
NOT implemented by design. Company explicitly chose not to implement E2EE to maintain API compatibility, AI features, and third-party integrations (WhatsApp, email, calendar, Readwise). Data encrypted in transit and at rest on company servers instead.
docs.capacities.io// Products & data scope
data: All user notes, documents, objects, connections, custom properties, media files, AI conversation history
Free tier and paid Pro/Believer tiers; all tiers receive same privacy protections globally
data: Access to user knowledge base on mobile devices with same encryption and security
Mobile apps available on iOS and Android
data: Programmatic access to user data through REST API
Same security and encryption standards apply; documentation at docs.capacities.io/developer/api
// What to watch
- No formal security certifications (SOC 2, ISO 27001) publicly available—typical for growth-stage vendor but notable for buyers seeking formal compliance attestation
- No dedicated trust center or security page—compliance information scattered across privacy policy and documentation
- No public third-party security audit or penetration test results published
- Deliberately not end-to-end encrypted (architectural choice for API/integration support); transparent about trade-offs but not suitable for max-security use cases
- Company size and maturity: ~50,000 users, user-funded (not VC), young company—represents growth rather than enterprise maturity
- AI training policy is explicitly customer-friendly (no training on customer data) but not formally certified via ISO 42001 or similar
// At a glance
Pricing model
Freemium (free forever plan) + paid subscriptions (Pro, Believer annual plans); user-funded, not VC-backed
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Capacities Labs GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
capacities.io