// Trust & Security Report

    Ginger Labs, Inc. logo

    Ginger Labs, Inc.

    Notability - a digital note-taking app with AI-powered features (summaries, quizzes, flashcards, transcription). Editions: consumer (iOS/Web), Business (MDM-enabled for enterprises/education).

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Notability has achieved SOC 2 Type II compliance, verified by Johanson Group LLP. The certification confirms alignment with AICPA Trust Services Criteria across Security, Availability, and Confidentiality.

    Verify on prnewswire.com
    > Show 4 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence or mention of ISO 27001 certification on vendor domain.

    source: notability.com
    GDPR
    NOT CONFIRMED

    Vendor complies with GDPR requirements and has Data Privacy Framework certifications (EU-U.S., UK-U.S., Swiss-U.S.), but is not GDPR-certified. Privacy policy states: 'Residents of the European Union, United Kingdom, Lichtenstein, Norway or Iceland may have additional rights under GDPR with respect to their Personal Data.'

    source: notability.com
    HIPAA
    NOT CONFIRMED

    Explicitly not HIPAA-compliant. Terms of Use prohibit submission of 'protected health information or personal health data (e.g. medical records or an individual's health care claim information)'. Product explicitly states: 'Prohibited Data' includes health data, and violation is grounds for account termination.

    source: notability.com
    PCI DSS
    NOT CONFIRMED

    No public evidence or mention of PCI DSS certification. Payment processing delegated to Apple iTunes Services and Stripe (third-party processors).

    source: notability.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States

    Notability explicitly states input content and transcripts are NOT used for AI model training by Ginger Labs. Privacy policy: 'we do not use nor share the Input Content with any third parties for any other purposes (such as for training AI/ML models), except for sharing to or from AI Providers for their performance of services to us or where as required to fulfill our legal obligations.' Audio transcriptions are deleted after processing. Optional features (transcription, study materials generation) are entirely opt-in.

    // Security controls

    Data Storage Location

    U.S.-based servers. Synced data replicated on servers maintained in the United States. Users can choose to store locally on device or in iCloud.

    notability.com

    Synced Data Access

    Ginger Labs personnel cannot access synced data without explicit user permission or legal requirement. Privacy policy: 'No one at Ginger Labs can view Synced Data unless you expressly give permission or it's necessary to comply with obligations'.

    notability.com

    Audio Transcription Security

    Optional feature. Audio recordings temporarily processed and stored for transcription only, then deleted. Privacy policy: 'we follow industry practice to delete the audio recordings once the transcription process is complete.'

    notability.com

    Encryption in Transit

    Privacy policy states 'no data transmission method is completely secure' and references 'appropriate physical, technical, organizational and administrative security measures' but specific encryption methods (e.g. TLS/SSL version, cipher suites) not disclosed.

    notability.com

    Authentication & Account Security

    Users responsible for protecting account credentials. Password-protected accounts. Registration-based account creation for Notability Accounts.

    notability.com

    MDM Controls

    Notability for Business supports Apple MDM, allowing administrators to restrict cloud backup to corporate domains, disable AirDrop, email sharing, and link sharing.

    blog.notability.com

    // Products & data scope

    Notability (Consumer)Digital Note-Taking

    data: User notes, handwriting, audio recordings (optional), synced to optional iCloud storage.

    Stores notes with optional encryption via device/iCloud. AI features (transcription, study materials) optional. Prohibits health data, financial account numbers, government IDs, COPPA-regulated children's data.

    Notability for BusinessEnterprise Productivity / Education

    data: Notes, recordings, generated study materials. MDM-managed deployment on organizational devices.

    Supports MDM enrollment. Administrators can enforce data residency (local or corporate cloud). Restricts account creation for users under 16 in MDM mode. COPPA-compliant. Enterprise SOC 2 Type II certified.

    Notability LearnAI-Powered Study Materials

    data: Note content (text, handwriting, audio transcripts, PDFs) uploaded for AI processing to generate summaries and quizzes.

    Optional feature. Input content processed via third-party AI Providers. Input deleted after processing. Generated content stored for user reference. Not used for AI training by Ginger Labs without explicit consent.

    // What to watch

    • No ISO 27001 certification despite SOC 2 Type II maturity - may indicate certification is planned but not yet pursued.
    • Data stored on U.S. servers creates data residency concerns for EU/UK users under GDPR; vendor mentions Data Privacy Frameworks but does not claim GDPR certification.
    • Trust Center (trust.notability.com) exists but full SOC 2 Type II report requires NDA access - limited public transparency on audit details.
    • Third-party AI Providers involved in Notability Learn feature - specific vendors and their data handling practices not disclosed publicly.
    • Support article on Note Security (security details) blocked by 403 Forbidden - some security documentation not publicly accessible.
    • Product explicitly prohibits health data uploads, limiting use in healthcare/HIPAA contexts despite strong privacy controls.

    // At a glance

    Pricing model

    Freemium (consumer), subscription (Notability+), volume licensing (business). Per-seat licensing available for enterprises.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Ginger Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.notability.com

    > Browse all vendor trust reports