// Trust & Security Report
Notion Labs, Inc.
Notion connected workspace (Docs, Wiki, Projects, Notion AI, Custom Agents, Calendar, Mail, API/Connections)
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on notion.com“The SOC 2 Type 2 is an audit report performed by an independent third-party certified by the American Institute of Certified Public Accountants (AICPA) to evaluate a service organization's controls related to the Trust Services Criteria (TSC).”
Verify on notion.com“ISO is an international standard development organization, and Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.”
Verify on notion.com“Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.”
Verify on notion.com“Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.”
Verify on notion.com“Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.”
Verify on notion.com“Provided businesses subject to HIPAA leverage the Notion Enterprise-grade security features described in our Help Center article here and sign Notion's Business Associate Agreement they may process PHI within their Notion workspace.”
Verify on notion.com“BSI C5 is a security standard developed by the German Federal Office for Information Security. It outlines baseline security controls for cloud service providers.”
Verify on notion.com“As the GDPR is widely considered to be the most stringent global privacy standard, we have mapped our privacy program to the GDPR and other global privacy regulations.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Default US (AWS). Enterprise customers can choose data residency in the EU, Japan, or Korea via the Organization Console.
Notion states use of Notion AI does not grant Notion any right or license to Customer Data to train ML models, and its AI Subprocessors are contractually prohibited from training on Customer Data: 'Our AI Subprocessors are prohibited from using Customer Data to train models.' LLM providers use zero data retention for Enterprise-plan workspaces; for non-Enterprise plans, providers retain Customer Data 30 days or fewer before deletion. Notion Mail's use of Google Workspace API data is not used to develop, improve, or train generalized AI/ML models.
// Security controls
Encryption
Encryption in transit, at rest, and during processing; least privilege access; secure software development
notion.comBug bounty
Public bug bounty program hosted on HackerOne (hackerone.com/notion); paid rewards confirmed (e.g. $2,000 payouts)
hackerone.comEnterprise admin controls
SSO via SAML 2.0, SCIM user provisioning, audit log, granular permission controls and guest management
notion.comUptime / resilience
99.9% guaranteed uptime, multi-zone redundancy, backup program, tested DR/BC; built on AWS and Cloudflare
notion.comPenetration testing / operational security
Continuous security monitoring; third-party attestations (compliance reports available via Trust Center); independent audits underpin SOC 2 / ISO certifications
notion.com// Products & data scope
data: User-submitted Workspace content (Customer Data). Plan-tiered: Free/Personal, Plus, Business, Enterprise.
Core SaaS workspace. Enterprise plan unlocks advanced security controls (SSO, SCIM, audit log, data residency, BAA).
data: Operates over workspace Customer Data; routed to AI Subprocessors (LLM providers) under zero-data-retention (Enterprise) or 30-day-max retention (non-Enterprise).
Subprocessors contractually prohibited from training on Customer Data. Custom Agents can search/act across connected tools (Slack, CrowdStrike, Wiz, etc.).
data: Stores user ID and OAuth token for third-party calendar provider; accesses calendar/event and conferencing data on user authorization.
Integrates with external (Non-Notion) calendar and conferencing services.
data: Receives/sends Gmail message content and processes Google Directory/Workspace/Calendar API data to provide Mail functionality.
Adheres to Google API Services User Data Policy Limited Use; Workspace API data not used to train generalized AI/ML models.
data: Programmatic access to Workspace content via OAuth-scoped integrations.
Third-party integrations governed by their own privacy practices; subprocessors listed on Notion Subprocessor page.
// What to watch
- Compliance/security features (SSO, SCIM, audit log, BAA/HIPAA, data residency, zero data retention for AI) are gated to the Enterprise plan; Free/Plus/Business tiers do not get full enterprise data protections.
- Non-Enterprise plans allow LLM providers up to 30-day retention of Customer Data, vs zero retention on Enterprise.
- Public marketing site (consumer privacy policy) describes advertising/cross-device tracking and third-party ad technologies for website visitors; distinct from in-product Customer Data handling.
- Trust Center compliance reports (SOC 2, ISO, C5) require a request/NDA to obtain; certifications asserted on public security page but report copies are gated.
// At a glance
Pricing model
Freemium SaaS subscription: Free/Personal, Plus, Business, Enterprise tiers; Notion AI add-on/included credits; per-seat billing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Notion Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
notion.com