// Trust & Security Report
Notion Labs, Inc. (acquired Cron in June 2022; product rebranded as Notion Calendar in January 2024)
Notion Calendar (formerly Cron Calendar) - a calendar application integrated with Notion's workspace, featuring OAuth-based sync with Google Calendar and iCloud, AI-powered scheduling, and Notion workspace integration.
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on notion.com“SOC 2 Type 2 report assesses the effectiveness of these controls over a period of time.”
Verify on notion.com“Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.”
Verify on notion.com“Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.”
Verify on notion.com“Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.”
Verify on notion.com“Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.”
Verify on notion.com“In light of the recent Schrems II ruling, we rely on standard contractual clauses (SCCs) to ensure appropriate safeguards for personal data transfers from the EU to countries outside of the EU.”
Verify on notion.com“BSI C5 is a security standard developed by the German Federal Office for Information Security.”
> Show 3 unconfirmed / not-held certifications
source: notion.comFor Notion Mail and Notion Calendar, enable HIPAA compliance with Google Workspace.
source: notion.comNo public evidence: PCI DSS is not listed among the certifications on Notion's security page or trust center.
source: notion.comNo public evidence: K-FSI (Korea Financial Security Institute) is not mentioned on Notion's security page or trust center.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (AWS)
By default, Notion does not use customer data to train models. Contractual agreements with AI subprocessors prohibit model training on customer data. An opt-in 'AI LEAP Program' allows customers to choose to share data to improve Notion AI, but this is not default behavior. Enterprise plans use zero data retention with LLM providers; non-Enterprise plans use 30-day or fewer retention.
// Security controls
Authentication
OAuth with Google Calendar and iCloud; Notion Calendar never stores or sees passwords. For Notion account users, sessions are tied to Notion login and can be revoked from Notion settings.
notion.comData scope access
Accesses minimum necessary data scopes via Google and iCloud APIs; avoids restricted data categories.
notion.comInfrastructure
Amazon Web Services (AWS) with instances in the United States; shared with Notion's infrastructure.
notion.com// Products & data scope
data: Calendar events, meeting information, task data; integrates with Google Calendar and iCloud; integrates with Notion workspace for notes, databases, and tasks.
Formerly known as Cron Calendar until January 2024. Now fully integrated into Notion platform. Requires OAuth authorization to calendar services; Notion never stores calendar provider passwords. Available as part of Notion workspace; no separate subscription required. Notion's own BAA does not independently cover Notion Calendar; Notion's HIPAA page directs customers to enable HIPAA compliance via Google Workspace for Notion Mail and Notion Calendar.
// What to watch
- VENDOR IDENTITY: Cron Calendar no longer exists as an independent product. It was acquired by Notion in June 2022 and rebranded as Notion Calendar in January 2024. The assessment is for the current Notion Calendar product, which inherits Notion's security posture.
- HIPAA: Notion's HIPAA help page does not extend Notion's own Business Associate Agreement to Notion Calendar; instead it instructs customers to 'enable HIPAA compliance with Google Workspace' for Notion Mail and Notion Calendar. Notion Calendar is therefore not independently BAA-covered by Notion, and any PHI handling depends on the underlying Google Workspace configuration. (The prior draft's proof quote naming Notion Calendar in the BAA-exclusion sentence was fabricated; the literal page only excludes Beta Services.)
- HISTORICAL CRON: The pre-acquisition Cron Calendar (2021-2022) was a startup product with no publicly disclosed security certifications or formal compliance framework. No evidence of SOC 2, ISO, or HIPAA compliance prior to Notion acquisition.
- PRODUCT INTEGRATION: Notion Calendar is now fully integrated into Notion's platform rather than a standalone service. Security and compliance posture is entirely dependent on Notion, not independent.
- TRUST CENTER VERIFICATION: Notion's trust center was verified in June 2026, confirming current compliance status.
// At a glance
Pricing model
Included in Notion subscription (free, Plus, Business, Enterprise tiers)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Notion Labs, Inc. (acquired Cron in June 2022; product rebranded as Notion Calendar in January 2024)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trustcenter.notion.com