// Trust & Security Report

    Notion Labs, Inc. logo

    Notion Labs, Inc.

    Notion connected workspace (Docs, Wiki, Projects, Notion AI, Custom Agents, Calendar, Mail, API/Connections)

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    The SOC 2 Type 2 is an audit report performed by an independent third-party certified by the American Institute of Certified Public Accountants (AICPA) to evaluate a service organization's controls related to the Trust Services Criteria (TSC).

    Verify on notion.com
    ISO 27001
    HELD

    ISO is an international standard development organization, and Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.

    Verify on notion.com
    ISO 27701
    HELD

    Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.

    Verify on notion.com
    ISO 27017
    HELD

    Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.

    Verify on notion.com
    ISO 27018
    HELD

    Notion has achieved certifications for four ISO standards: ISO 27001, ISO 27701, ISO 27017, and ISO 27018.

    Verify on notion.com
    HIPAA (BAA available)
    HELD

    Provided businesses subject to HIPAA leverage the Notion Enterprise-grade security features described in our Help Center article here and sign Notion's Business Associate Agreement they may process PHI within their Notion workspace.

    Verify on notion.com
    BSI C5
    HELD

    BSI C5 is a security standard developed by the German Federal Office for Information Security. It outlines baseline security controls for cloud service providers.

    Verify on notion.com
    GDPR
    HELD

    As the GDPR is widely considered to be the most stringent global privacy standard, we have mapped our privacy program to the GDPR and other global privacy regulations.

    Verify on notion.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Default US (AWS). Enterprise customers can choose data residency in the EU, Japan, or Korea via the Organization Console.

    Notion states use of Notion AI does not grant Notion any right or license to Customer Data to train ML models, and its AI Subprocessors are contractually prohibited from training on Customer Data: 'Our AI Subprocessors are prohibited from using Customer Data to train models.' LLM providers use zero data retention for Enterprise-plan workspaces; for non-Enterprise plans, providers retain Customer Data 30 days or fewer before deletion. Notion Mail's use of Google Workspace API data is not used to develop, improve, or train generalized AI/ML models.

    // Security controls

    Encryption

    Encryption in transit, at rest, and during processing; least privilege access; secure software development

    notion.com

    Bug bounty

    Public bug bounty program hosted on HackerOne (hackerone.com/notion); paid rewards confirmed (e.g. $2,000 payouts)

    hackerone.com

    Enterprise admin controls

    SSO via SAML 2.0, SCIM user provisioning, audit log, granular permission controls and guest management

    notion.com

    Uptime / resilience

    99.9% guaranteed uptime, multi-zone redundancy, backup program, tested DR/BC; built on AWS and Cloudflare

    notion.com

    Penetration testing / operational security

    Continuous security monitoring; third-party attestations (compliance reports available via Trust Center); independent audits underpin SOC 2 / ISO certifications

    notion.com

    // Products & data scope

    Notion (Docs, Wiki, Projects, Knowledge Base)Connected workspace / productivity

    data: User-submitted Workspace content (Customer Data). Plan-tiered: Free/Personal, Plus, Business, Enterprise.

    Core SaaS workspace. Enterprise plan unlocks advanced security controls (SSO, SCIM, audit log, data residency, BAA).

    Notion AI / Notion Agent / Custom AgentsAI assistant / agentic automation

    data: Operates over workspace Customer Data; routed to AI Subprocessors (LLM providers) under zero-data-retention (Enterprise) or 30-day-max retention (non-Enterprise).

    Subprocessors contractually prohibited from training on Customer Data. Custom Agents can search/act across connected tools (Slack, CrowdStrike, Wiz, etc.).

    Notion CalendarCalendar

    data: Stores user ID and OAuth token for third-party calendar provider; accesses calendar/event and conferencing data on user authorization.

    Integrates with external (Non-Notion) calendar and conferencing services.

    Notion MailEmail client

    data: Receives/sends Gmail message content and processes Google Directory/Workspace/Calendar API data to provide Mail functionality.

    Adheres to Google API Services User Data Policy Limited Use; Workspace API data not used to train generalized AI/ML models.

    Notion API / Connections / IntegrationsDeveloper platform

    data: Programmatic access to Workspace content via OAuth-scoped integrations.

    Third-party integrations governed by their own privacy practices; subprocessors listed on Notion Subprocessor page.

    // What to watch

    • Compliance/security features (SSO, SCIM, audit log, BAA/HIPAA, data residency, zero data retention for AI) are gated to the Enterprise plan; Free/Plus/Business tiers do not get full enterprise data protections.
    • Non-Enterprise plans allow LLM providers up to 30-day retention of Customer Data, vs zero retention on Enterprise.
    • Public marketing site (consumer privacy policy) describes advertising/cross-device tracking and third-party ad technologies for website visitors; distinct from in-product Customer Data handling.
    • Trust Center compliance reports (SOC 2, ISO, C5) require a request/NDA to obtain; certifications asserted on public security page but report copies are gated.

    // At a glance

    Pricing model

    Freemium SaaS subscription: Free/Personal, Plus, Business, Enterprise tiers; Notion AI add-on/included credits; per-seat billing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Notion Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    notion.com

    > Browse all vendor trust reports