// Trust & Security Report
Deepnote, Inc.
Collaborative Data Notebook / AI-powered Analytics Platform
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on security.deepnote.com“SOC 2 Type I listed as compliant on Deepnote Trust Center alongside SOC 2 Type II, GDPR, CCPA, HIPAA”
Verify on security.deepnote.com“SOC 2 Type II listed as a resource on Trust Center; security docs state 'SOC 2 Type II certified (third-party validated)' and the trust center lists the report as a downloadable resource”
Verify on security.deepnote.com“HIPAA listed as compliant on Trust Center; pricing page states HIPAA compliance is available on Enterprise plan only, and Terms of Service require a signed BAA before submitting PHI”
Verify on security.deepnote.com“GDPR listed as compliant on Trust Center; DPA is publicly available at deepnote.com/data-processing-addendum with EU Standard Contractual Clauses for international transfers”
Verify on security.deepnote.com“CCPA listed as compliant on Trust Center; DPA also covers CPRA and VCDPA”
> Show 1 unconfirmed / not-held certifications
source: security.deepnote.comNot mentioned anywhere on Deepnote's Trust Center, security docs, or pricing pages
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (AWS primary); flexible deployment including single-tenancy and region-specific options available on Enterprise plan on request
Deepnote explicitly states: 'No, Deepnote does not use customer data to train, fine-tune, or otherwise improve any AI or ML models.' AI features send data to LLM sub-processors (OpenAI, Anthropic) under enterprise agreements that prohibit training. Anthropic has a zero-retention agreement; OpenAI may retain context data up to 30 days for safety monitoring before automatic deletion. Admins can disable Deepnote AI entirely via Settings & Members to prevent any data transmission to LLM providers.
// Security controls
Infrastructure
AWS (primary compute and storage), Google Cloud Platform (secondary/supporting)
security.deepnote.comPenetration testing
Regular third-party penetration testing performed; listed under Product Security controls on Trust Center
security.deepnote.comBug bounty
Private bug bounty program maintained; no public HackerOne or Bugcrowd listing found
deepnote.comSSO / SAML / OIDC
Supported via SAML or OIDC connections; directory sync available on Enterprise plan
deepnote.comRBAC
Three-layer access model: user roles, data access, and project access; workspace admin controls
deepnote.comData deletion on offboarding
Customer data deleted upon leaving; stated in Trust Center controls and DPA
security.deepnote.comCybersecurity insurance
Maintained; listed under Internal Security Procedures controls on Trust Center
security.deepnote.comDPA / SCCs
DPA publicly available; EU SCCs and UK Addendum included for international transfers
deepnote.comBring Your Own LLM
Supported on Enterprise plan; allows organizations to connect their own LLM instead of shared OpenAI/Anthropic endpoints
deepnote.comSingle-tenancy / Private cloud
Available on Enterprise plan; private VPC and dedicated deployments offered
deepnote.com// Products & data scope
data: User notebooks, code, and data uploads stored on Deepnote's shared multi-tenant AWS infrastructure. AI features limited to 10 code completions and 5 AI calls per month; data processed by OpenAI/Anthropic but not used for model training. No compliance certifications (HIPAA, SOC 2 audit reports) included at this tier.
Up to 3 editors, 5 projects, 7-day revision history. Not appropriate for regulated or sensitive data.
data: Same multi-tenant AWS infrastructure as Free. Enhanced AI access. Access controls and RBAC included. No HIPAA compliance or SSO at this tier.
$39 per editor per month (billed yearly). Includes access controls, shared datasets, premium warehouse integrations (Snowflake, BigQuery, Redshift, Databricks). SOC 2 applies at the platform level but HIPAA BAA is not available.
data: Single-tenant or private cloud deployment available. HIPAA compliance with BAA. SOC 2 Type II certified. Full SSO and directory sync. Audit logs. Bring Your Own LLM to keep AI processing in-house. Custom data residency on request.
Custom pricing. Targeted at banks, healthcare, and Fortune 500 customers. Includes dedicated success manager, custom machines, private Docker images, SSH tunnels, and volume discounts.
// What to watch
- HIPAA compliance is Enterprise-tier only and requires a signed Business Associate Agreement (BAA) before submitting PHI; the Terms of Service explicitly prohibit submitting PHI without a BAA
- AI features route notebook content (code, variable metadata, schema) through OpenAI and Anthropic APIs; zero-retention applies to Anthropic but OpenAI retains context for up to 30 days for safety monitoring
- Bug bounty program is private; no public HackerOne or Bugcrowd listing was found as of assessment date
- ISO 27001 certification not held or claimed; SOC 2 Type II is the primary third-party audit
- Data residency outside the US requires Enterprise plan and a sales conversation; the default multi-tenant deployment is US-based
// At a glance
Pricing model
Freemium with paid Team ($39/editor/month billed annually) and Enterprise (custom) tiers
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Deepnote, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.deepnote.com