// Trust & Security Report

    Logseq Inc. logo

    Logseq Inc.

    Privacy-first, open-source knowledge base for note-taking and personal knowledge management. Core product includes Logseq (desktop/mobile), Logseq Sync (encrypted cloud sync, BETA), and Whiteboards (BETA). AGPL-3.0 open source.

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 10 unconfirmed / not-held certifications
    SOC 2 (Type I or II)
    NOT CONFIRMED

    RiscLens analysis (March 2026): 'SOC 2 status is not explicitly confirmed. Check their trust center or request compliance documentation.' No confirmed SOC 2 report found in public sources.

    source: risclens.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found across vendor domain or public compliance registers.

    source: logseq.com
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence found. Not mentioned in privacy policy, terms of service, or security documentation.

    source: blog.logseq.com
    ISO 27018 (Personal Data in Cloud)
    NOT CONFIRMED

    No public evidence found.

    source: blog.logseq.com
    ISO 27701 (Privacy Management)
    NOT CONFIRMED

    No public evidence found.

    source: blog.logseq.com
    GDPR Compliance (regulatory posture)
    NOT CONFIRMED

    Privacy policy states privacy-first design, but no formal DPA, no data residency statement, and no explicit GDPR compliance statement found. Company does not publish data processing agreements.

    source: blog.logseq.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification or compliance framework. Product is consumer/knowledge-base focused, not healthcare-oriented.

    source: logseq.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. Not applicable to knowledge base product.

    source: logseq.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found.

    source: logseq.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found.

    source: logseq.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Unknown - not specified in privacy policy or terms

    No evidence found that Logseq trains models on customer data. Privacy policy makes no mention of AI training. Third-party AI plugins (OpenAI, Ollama) available but optional and user-controlled.

    // Security controls

    Encryption in Transit

    End-to-end encryption for Logseq Sync using age algorithm. Data encrypted on device before transmission to servers.

    discuss.logseq.com

    Encryption at Rest

    Local storage encrypted on device. On-disk encryption available but deprecated.

    discuss.logseq.com

    Data Decryption

    Only user's devices can decrypt synced data using password. Company and Logseq servers cannot access unencrypted content.

    privacydefend.com

    Third-Party Services

    Sentry for error logging, Google Play Services for mobile. Users should review those vendors' privacy policies.

    blog.logseq.com

    Responsible Disclosure

    Vulnerability disclosure discussion exists on GitHub. However, no formal SECURITY.md policy established.

    github.com

    Code Audit & Open Source

    AGPL-3.0 licensed, fully open-source, allowing community code review. Community has audited and found issues.

    github.com

    Recent Security Vulnerabilities

    CVE-2024-4367 (pdfjs-dist XSS), CVE-2024-32472 (excalidraw). Data leakage: encrypted folder contents readable in plain text at ~/.logseq/graphs. Disclosed 18/08/2025, patches not available in release 0.13.

    gubello.me

    // Products & data scope

    Logseq (Desktop/Web)Knowledge Base & Note-Taking

    data: Local-first by default. Optional cloud sync via Logseq Sync (BETA). Data stored as Markdown files locally.

    Free open-source application. Available for macOS (Intel/Apple Silicon), Linux, Windows. Whiteboards and Live Queries in BETA. 150+ plugins available.

    Logseq MobileMobile App

    data: iOS & Android apps with optional sync via Logseq Sync. Markdown-based data.

    Supports encrypted syncing to other devices. Platform-specific implementations.

    Logseq SyncCloud Synchronization Service

    data: E2E encrypted sync service for multi-device synchronization. Optional service; local-only use does not require it.

    BETA service. Uses age encryption. Password-based E2EE means only user's devices can decrypt.

    Logseq WhiteboardsCollaborative Canvas

    data: Canvas feature for visual thinking connected to knowledge base. Part of core product.

    BETA feature. Allows infinite canvas and visual connections between thoughts.

    // What to watch

    • OUTDATED LEGAL DOCS: Privacy policy and terms of service both effective July 23, 2020 — 6 years old at time of assessment (2026). No update evidence found despite Logseq Sync launch and product evolution.
    • NO TRUST CENTER: Logseq does not publish a dedicated trust center, compliance portal, or security documentation page. Vendor-domain trust info is minimal.
    • NO FORMAL DPA: No Data Processing Agreement published or mentioned. Required for enterprise/GDPR-regulated customers but absent.
    • RECENT SECURITY VULNERABILITIES: CVE-2024-4367 and CVE-2024-32472 disclosed in 2024-2025. Data leakage vulnerability (graph contents readable in plain text) disclosed 18/08/2025. Latest release (0.13) was unpatched at disclosure time.
    • NO SECURITY.MD: No formal vulnerability disclosure policy. GitHub discussion exists but no official SECURITY.md file.
    • NO COMPLIANCE CERTIFICATIONS: Zero SOC 2, ISO 27001, GDPR, HIPAA, or other formal certifications. RiscLens compliance score 50/100.
    • DATA RESIDENCY UNKNOWN: Privacy policy makes no statement about where data is hosted or stored. Critical for GDPR/regulated use.
    • IDENTITY CONFLICT RISK: LOW — Logseq Inc verified across multiple sources (GitHub, LinkedIn, funding announcements, Wikipedia). No conflation risk with other vendors.

    // At a glance

    Pricing model

    Free open-source application with optional paid Logseq Sync service (BETA). No licensing tiers.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Logseq Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    blog.logseq.com

    > Browse all vendor trust reports