// Trust & Security Report
Ginger Labs, Inc.
Notability - a digital note-taking app with AI-powered features (summaries, quizzes, flashcards, transcription). Editions: consumer (iOS/Web), Business (MDM-enabled for enterprises/education).
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on prnewswire.com“Notability has achieved SOC 2 Type II compliance, verified by Johanson Group LLP. The certification confirms alignment with AICPA Trust Services Criteria across Security, Availability, and Confidentiality.”
> Show 4 unconfirmed / not-held certifications
source: notability.comNo public evidence or mention of ISO 27001 certification on vendor domain.
source: notability.comVendor complies with GDPR requirements and has Data Privacy Framework certifications (EU-U.S., UK-U.S., Swiss-U.S.), but is not GDPR-certified. Privacy policy states: 'Residents of the European Union, United Kingdom, Lichtenstein, Norway or Iceland may have additional rights under GDPR with respect to their Personal Data.'
source: notability.comExplicitly not HIPAA-compliant. Terms of Use prohibit submission of 'protected health information or personal health data (e.g. medical records or an individual's health care claim information)'. Product explicitly states: 'Prohibited Data' includes health data, and violation is grounds for account termination.
source: notability.comNo public evidence or mention of PCI DSS certification. Payment processing delegated to Apple iTunes Services and Stripe (third-party processors).
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States
Notability explicitly states input content and transcripts are NOT used for AI model training by Ginger Labs. Privacy policy: 'we do not use nor share the Input Content with any third parties for any other purposes (such as for training AI/ML models), except for sharing to or from AI Providers for their performance of services to us or where as required to fulfill our legal obligations.' Audio transcriptions are deleted after processing. Optional features (transcription, study materials generation) are entirely opt-in.
// Security controls
Data Storage Location
U.S.-based servers. Synced data replicated on servers maintained in the United States. Users can choose to store locally on device or in iCloud.
notability.comSynced Data Access
Ginger Labs personnel cannot access synced data without explicit user permission or legal requirement. Privacy policy: 'No one at Ginger Labs can view Synced Data unless you expressly give permission or it's necessary to comply with obligations'.
notability.comAudio Transcription Security
Optional feature. Audio recordings temporarily processed and stored for transcription only, then deleted. Privacy policy: 'we follow industry practice to delete the audio recordings once the transcription process is complete.'
notability.comEncryption in Transit
Privacy policy states 'no data transmission method is completely secure' and references 'appropriate physical, technical, organizational and administrative security measures' but specific encryption methods (e.g. TLS/SSL version, cipher suites) not disclosed.
notability.comAuthentication & Account Security
Users responsible for protecting account credentials. Password-protected accounts. Registration-based account creation for Notability Accounts.
notability.comMDM Controls
Notability for Business supports Apple MDM, allowing administrators to restrict cloud backup to corporate domains, disable AirDrop, email sharing, and link sharing.
blog.notability.com// Products & data scope
data: User notes, handwriting, audio recordings (optional), synced to optional iCloud storage.
Stores notes with optional encryption via device/iCloud. AI features (transcription, study materials) optional. Prohibits health data, financial account numbers, government IDs, COPPA-regulated children's data.
data: Notes, recordings, generated study materials. MDM-managed deployment on organizational devices.
Supports MDM enrollment. Administrators can enforce data residency (local or corporate cloud). Restricts account creation for users under 16 in MDM mode. COPPA-compliant. Enterprise SOC 2 Type II certified.
data: Note content (text, handwriting, audio transcripts, PDFs) uploaded for AI processing to generate summaries and quizzes.
Optional feature. Input content processed via third-party AI Providers. Input deleted after processing. Generated content stored for user reference. Not used for AI training by Ginger Labs without explicit consent.
// What to watch
- No ISO 27001 certification despite SOC 2 Type II maturity - may indicate certification is planned but not yet pursued.
- Data stored on U.S. servers creates data residency concerns for EU/UK users under GDPR; vendor mentions Data Privacy Frameworks but does not claim GDPR certification.
- Trust Center (trust.notability.com) exists but full SOC 2 Type II report requires NDA access - limited public transparency on audit details.
- Third-party AI Providers involved in Notability Learn feature - specific vendors and their data handling practices not disclosed publicly.
- Support article on Note Security (security details) blocked by 403 Forbidden - some security documentation not publicly accessible.
- Product explicitly prohibits health data uploads, limiting use in healthcare/HIPAA contexts despite strong privacy controls.
// At a glance
Pricing model
Freemium (consumer), subscription (Notability+), volume licensing (business). Per-seat licensing available for enterprises.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Ginger Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.notability.com