// Trust & Security Report

    Notion Labs, Inc. (acquired Cron in June 2022; product rebranded as Notion Calendar in January 2024) logo

    Notion Labs, Inc. (acquired Cron in June 2022; product rebranded as Notion Calendar in January 2024)

    Notion Calendar (formerly Cron Calendar) - a calendar application integrated with Notion's workspace, featuring OAuth-based sync with Google Calendar and iCloud, AI-powered scheduling, and Notion workspace integration.

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type 2 report assesses the effectiveness of these controls over a period of time.

    Verify on notion.com
    ISO 27001
    HELD

    Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.

    Verify on notion.com
    ISO 27701
    HELD

    Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.

    Verify on notion.com
    ISO 27017
    HELD

    Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.

    Verify on notion.com
    ISO 27018
    HELD

    Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.

    Verify on notion.com
    GDPR
    HELD

    In light of the recent Schrems II ruling, we rely on standard contractual clauses (SCCs) to ensure appropriate safeguards for personal data transfers from the EU to countries outside of the EU.

    Verify on notion.com
    BSI C5
    HELD

    BSI C5 is a security standard developed by the German Federal Office for Information Security.

    Verify on notion.com
    > Show 3 unconfirmed / not-held certifications
    HIPAA (with caveats)
    NOT CONFIRMED

    For Notion Mail and Notion Calendar, enable HIPAA compliance with Google Workspace.

    source: notion.com
    PCI DSS Merchant Level 2
    NOT CONFIRMED

    No public evidence: PCI DSS is not listed among the certifications on Notion's security page or trust center.

    source: notion.com
    K-FSI
    NOT CONFIRMED

    No public evidence: K-FSI (Korea Financial Security Institute) is not mentioned on Notion's security page or trust center.

    source: notion.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (AWS)

    By default, Notion does not use customer data to train models. Contractual agreements with AI subprocessors prohibit model training on customer data. An opt-in 'AI LEAP Program' allows customers to choose to share data to improve Notion AI, but this is not default behavior. Enterprise plans use zero data retention with LLM providers; non-Enterprise plans use 30-day or fewer retention.

    // Security controls

    Encryption in transit

    TLS 1.2 or greater

    notion.com

    Encryption at rest

    AES-256

    notion.com

    Authentication

    OAuth with Google Calendar and iCloud; Notion Calendar never stores or sees passwords. For Notion account users, sessions are tied to Notion login and can be revoked from Notion settings.

    notion.com

    Data scope access

    Accesses minimum necessary data scopes via Google and iCloud APIs; avoids restricted data categories.

    notion.com

    Infrastructure

    Amazon Web Services (AWS) with instances in the United States; shared with Notion's infrastructure.

    notion.com

    Bug bounty program

    Follows Notion's Responsible Disclosure Policy

    notion.com

    // Products & data scope

    Notion CalendarCalendar / Scheduling

    data: Calendar events, meeting information, task data; integrates with Google Calendar and iCloud; integrates with Notion workspace for notes, databases, and tasks.

    Formerly known as Cron Calendar until January 2024. Now fully integrated into Notion platform. Requires OAuth authorization to calendar services; Notion never stores calendar provider passwords. Available as part of Notion workspace; no separate subscription required. Notion's own BAA does not independently cover Notion Calendar; Notion's HIPAA page directs customers to enable HIPAA compliance via Google Workspace for Notion Mail and Notion Calendar.

    // What to watch

    • VENDOR IDENTITY: Cron Calendar no longer exists as an independent product. It was acquired by Notion in June 2022 and rebranded as Notion Calendar in January 2024. The assessment is for the current Notion Calendar product, which inherits Notion's security posture.
    • HIPAA: Notion's HIPAA help page does not extend Notion's own Business Associate Agreement to Notion Calendar; instead it instructs customers to 'enable HIPAA compliance with Google Workspace' for Notion Mail and Notion Calendar. Notion Calendar is therefore not independently BAA-covered by Notion, and any PHI handling depends on the underlying Google Workspace configuration. (The prior draft's proof quote naming Notion Calendar in the BAA-exclusion sentence was fabricated; the literal page only excludes Beta Services.)
    • HISTORICAL CRON: The pre-acquisition Cron Calendar (2021-2022) was a startup product with no publicly disclosed security certifications or formal compliance framework. No evidence of SOC 2, ISO, or HIPAA compliance prior to Notion acquisition.
    • PRODUCT INTEGRATION: Notion Calendar is now fully integrated into Notion's platform rather than a standalone service. Security and compliance posture is entirely dependent on Notion, not independent.
    • TRUST CENTER VERIFICATION: Notion's trust center was verified in June 2026, confirming current compliance status.

    // At a glance

    Pricing model

    Included in Notion subscription (free, Plus, Business, Enterprise tiers)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Notion Labs, Inc. (acquired Cron in June 2022; product rebranded as Notion Calendar in January 2024)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trustcenter.notion.com

    > Browse all vendor trust reports