// Trust & Security Report
Logseq Inc.
Privacy-first, open-source knowledge base for note-taking and personal knowledge management. Core product includes Logseq (desktop/mobile), Logseq Sync (encrypted cloud sync, BETA), and Whiteboards (BETA). AGPL-3.0 open source.
Certifications held
0
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 10 unconfirmed / not-held certifications
source: risclens.comRiscLens analysis (March 2026): 'SOC 2 status is not explicitly confirmed. Check their trust center or request compliance documentation.' No confirmed SOC 2 report found in public sources.
source: logseq.comNo public evidence of ISO 27001 certification found across vendor domain or public compliance registers.
source: blog.logseq.comNo public evidence found. Not mentioned in privacy policy, terms of service, or security documentation.
source: blog.logseq.comPrivacy policy states privacy-first design, but no formal DPA, no data residency statement, and no explicit GDPR compliance statement found. Company does not publish data processing agreements.
source: logseq.comNo public evidence of HIPAA certification or compliance framework. Product is consumer/knowledge-base focused, not healthcare-oriented.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Unknown - not specified in privacy policy or terms
No evidence found that Logseq trains models on customer data. Privacy policy makes no mention of AI training. Third-party AI plugins (OpenAI, Ollama) available but optional and user-controlled.
// Security controls
Encryption in Transit
End-to-end encryption for Logseq Sync using age algorithm. Data encrypted on device before transmission to servers.
discuss.logseq.comEncryption at Rest
Local storage encrypted on device. On-disk encryption available but deprecated.
discuss.logseq.comData Decryption
Only user's devices can decrypt synced data using password. Company and Logseq servers cannot access unencrypted content.
privacydefend.comThird-Party Services
Sentry for error logging, Google Play Services for mobile. Users should review those vendors' privacy policies.
blog.logseq.comResponsible Disclosure
Vulnerability disclosure discussion exists on GitHub. However, no formal SECURITY.md policy established.
github.comCode Audit & Open Source
AGPL-3.0 licensed, fully open-source, allowing community code review. Community has audited and found issues.
github.comRecent Security Vulnerabilities
CVE-2024-4367 (pdfjs-dist XSS), CVE-2024-32472 (excalidraw). Data leakage: encrypted folder contents readable in plain text at ~/.logseq/graphs. Disclosed 18/08/2025, patches not available in release 0.13.
gubello.me// Products & data scope
data: Local-first by default. Optional cloud sync via Logseq Sync (BETA). Data stored as Markdown files locally.
Free open-source application. Available for macOS (Intel/Apple Silicon), Linux, Windows. Whiteboards and Live Queries in BETA. 150+ plugins available.
data: iOS & Android apps with optional sync via Logseq Sync. Markdown-based data.
Supports encrypted syncing to other devices. Platform-specific implementations.
data: E2E encrypted sync service for multi-device synchronization. Optional service; local-only use does not require it.
BETA service. Uses age encryption. Password-based E2EE means only user's devices can decrypt.
data: Canvas feature for visual thinking connected to knowledge base. Part of core product.
BETA feature. Allows infinite canvas and visual connections between thoughts.
// What to watch
- OUTDATED LEGAL DOCS: Privacy policy and terms of service both effective July 23, 2020 — 6 years old at time of assessment (2026). No update evidence found despite Logseq Sync launch and product evolution.
- NO TRUST CENTER: Logseq does not publish a dedicated trust center, compliance portal, or security documentation page. Vendor-domain trust info is minimal.
- NO FORMAL DPA: No Data Processing Agreement published or mentioned. Required for enterprise/GDPR-regulated customers but absent.
- RECENT SECURITY VULNERABILITIES: CVE-2024-4367 and CVE-2024-32472 disclosed in 2024-2025. Data leakage vulnerability (graph contents readable in plain text) disclosed 18/08/2025. Latest release (0.13) was unpatched at disclosure time.
- NO SECURITY.MD: No formal vulnerability disclosure policy. GitHub discussion exists but no official SECURITY.md file.
- NO COMPLIANCE CERTIFICATIONS: Zero SOC 2, ISO 27001, GDPR, HIPAA, or other formal certifications. RiscLens compliance score 50/100.
- DATA RESIDENCY UNKNOWN: Privacy policy makes no statement about where data is hosted or stored. Critical for GDPR/regulated use.
- IDENTITY CONFLICT RISK: LOW — Logseq Inc verified across multiple sources (GitHub, LinkedIn, funding announcements, Wikipedia). No conflation risk with other vendors.
// At a glance
Pricing model
Free open-source application with optional paid Logseq Sync service (BETA). No licensing tiers.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Logseq Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
blog.logseq.com