// Trust & Security Report

    Deepnote, Inc. logo

    Deepnote, Inc.

    Collaborative Data Notebook / AI-powered Analytics Platform

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    SOC 2 Type I listed as compliant on Deepnote Trust Center alongside SOC 2 Type II, GDPR, CCPA, HIPAA

    Verify on security.deepnote.com
    SOC 2 Type II
    HELD

    SOC 2 Type II listed as a resource on Trust Center; security docs state 'SOC 2 Type II certified (third-party validated)' and the trust center lists the report as a downloadable resource

    Verify on security.deepnote.com
    HIPAA
    HELD

    HIPAA listed as compliant on Trust Center; pricing page states HIPAA compliance is available on Enterprise plan only, and Terms of Service require a signed BAA before submitting PHI

    Verify on security.deepnote.com
    GDPR
    HELD

    GDPR listed as compliant on Trust Center; DPA is publicly available at deepnote.com/data-processing-addendum with EU Standard Contractual Clauses for international transfers

    Verify on security.deepnote.com
    CCPA
    HELD

    CCPA listed as compliant on Trust Center; DPA also covers CPRA and VCDPA

    Verify on security.deepnote.com
    > Show 1 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Not mentioned anywhere on Deepnote's Trust Center, security docs, or pricing pages

    source: security.deepnote.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (AWS primary); flexible deployment including single-tenancy and region-specific options available on Enterprise plan on request

    Deepnote explicitly states: 'No, Deepnote does not use customer data to train, fine-tune, or otherwise improve any AI or ML models.' AI features send data to LLM sub-processors (OpenAI, Anthropic) under enterprise agreements that prohibit training. Anthropic has a zero-retention agreement; OpenAI may retain context data up to 30 days for safety monitoring before automatic deletion. Admins can disable Deepnote AI entirely via Settings & Members to prevent any data transmission to LLM providers.

    // Security controls

    Encryption at rest

    AES-256

    deepnote.com

    Encryption in transit

    TLS 1.2 or higher

    deepnote.com

    Infrastructure

    AWS (primary compute and storage), Google Cloud Platform (secondary/supporting)

    security.deepnote.com

    Penetration testing

    Regular third-party penetration testing performed; listed under Product Security controls on Trust Center

    security.deepnote.com

    Bug bounty

    Private bug bounty program maintained; no public HackerOne or Bugcrowd listing found

    deepnote.com

    SSO / SAML / OIDC

    Supported via SAML or OIDC connections; directory sync available on Enterprise plan

    deepnote.com

    RBAC

    Three-layer access model: user roles, data access, and project access; workspace admin controls

    deepnote.com

    Audit logs

    Enterprise plan only

    deepnote.com

    Data deletion on offboarding

    Customer data deleted upon leaving; stated in Trust Center controls and DPA

    security.deepnote.com

    Cybersecurity insurance

    Maintained; listed under Internal Security Procedures controls on Trust Center

    security.deepnote.com

    DPA / SCCs

    DPA publicly available; EU SCCs and UK Addendum included for international transfers

    deepnote.com

    Bring Your Own LLM

    Supported on Enterprise plan; allows organizations to connect their own LLM instead of shared OpenAI/Anthropic endpoints

    deepnote.com

    Single-tenancy / Private cloud

    Available on Enterprise plan; private VPC and dedicated deployments offered

    deepnote.com

    SSH tunnels

    Enterprise plan only

    deepnote.com

    // Products & data scope

    Free PlanCollaborative data notebook

    data: User notebooks, code, and data uploads stored on Deepnote's shared multi-tenant AWS infrastructure. AI features limited to 10 code completions and 5 AI calls per month; data processed by OpenAI/Anthropic but not used for model training. No compliance certifications (HIPAA, SOC 2 audit reports) included at this tier.

    Up to 3 editors, 5 projects, 7-day revision history. Not appropriate for regulated or sensitive data.

    Team PlanCollaborative data notebook for data teams

    data: Same multi-tenant AWS infrastructure as Free. Enhanced AI access. Access controls and RBAC included. No HIPAA compliance or SSO at this tier.

    $39 per editor per month (billed yearly). Includes access controls, shared datasets, premium warehouse integrations (Snowflake, BigQuery, Redshift, Databricks). SOC 2 applies at the platform level but HIPAA BAA is not available.

    Enterprise PlanSecure, enterprise-grade collaborative data platform

    data: Single-tenant or private cloud deployment available. HIPAA compliance with BAA. SOC 2 Type II certified. Full SSO and directory sync. Audit logs. Bring Your Own LLM to keep AI processing in-house. Custom data residency on request.

    Custom pricing. Targeted at banks, healthcare, and Fortune 500 customers. Includes dedicated success manager, custom machines, private Docker images, SSH tunnels, and volume discounts.

    // What to watch

    • HIPAA compliance is Enterprise-tier only and requires a signed Business Associate Agreement (BAA) before submitting PHI; the Terms of Service explicitly prohibit submitting PHI without a BAA
    • AI features route notebook content (code, variable metadata, schema) through OpenAI and Anthropic APIs; zero-retention applies to Anthropic but OpenAI retains context for up to 30 days for safety monitoring
    • Bug bounty program is private; no public HackerOne or Bugcrowd listing was found as of assessment date
    • ISO 27001 certification not held or claimed; SOC 2 Type II is the primary third-party audit
    • Data residency outside the US requires Enterprise plan and a sales conversation; the default multi-tenant deployment is US-based

    // At a glance

    Pricing model

    Freemium with paid Team ($39/editor/month billed annually) and Enterprise (custom) tiers

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Deepnote, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.deepnote.com

    > Browse all vendor trust reports