// Trust & Security Report

    Notion Labs, Inc. logo

    Notion Labs, Inc.

    Notion AI — AI-powered workspace features including Notion Agent, Custom Agents, AI Meeting Notes, Enterprise Search, and core AI capabilities for document generation, summarization, and task automation.

    Certifications held

    10

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    The SOC 2 Type 2 is an audit report performed by an independent third-party certified by the American Institute of Certified Public Accountants (AICPA)

    Verify on notion.com
    ISO 27001
    HELD

    ISO 27001 – Information Security Management System standard

    Verify on notion.com
    ISO 27017
    HELD

    ISO 27017 – Cloud-specific information security controls

    Verify on notion.com
    ISO 27018
    HELD

    ISO 27018 – Privacy controls for cloud services

    Verify on notion.com
    ISO 27701
    HELD

    ISO 27701 – Privacy Information Management System standard

    Verify on notion.com
    BSI C5
    HELD

    BSI C5 – German Federal Office for Information Security cloud computing compliance controls

    Verify on notion.com
    HIPAA
    HELD

    To be eligible to sign Notion's BAA, you must subscribe to our Enterprise Plan. Notion AI enables HIPAA compliance by utilizing LLM provider's zero-retention APIs.

    Verify on notion.com
    PCI DSS
    HELD

    PCI DSS – Payment Card Industry compliance (Merchant Level 2)

    Verify on notion.com
    K-FSI
    HELD

    K-FSI – Korean Financial Security Institute Cloud Service Provider evaluation

    Verify on notion.com
    GDPR
    HELD

    Notion provides a Data Processing Addendum (DPA) that applies when the company processes personal data subject to GDPR on behalf of customers. Uses standard contractual clauses (SCCs) for transfers.

    Verify on notion.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region; uses AWS infrastructure with SCCs for international transfers. Enterprise plans support zero-retention with LLM providers.

    By default, Notion and its AI Subprocessors do not use Customer Data to train any models. Contractual agreements with AI subprocessors prohibit use of customer data for model training.

    // Security controls

    Encryption in Transit

    TLS 1.2 or greater

    notion.com

    Encryption at Rest

    AES-256

    notion.com

    Data Retention (Enterprise)

    Zero retention for LLM providers; no data stored with AI subprocessors

    notion.com

    Data Retention (Non-Enterprise)

    30 days or fewer retention with LLM providers before deletion

    notion.com

    Embeddings Retention

    Deleted within 60 days of page or workspace deletion

    notion.com

    Authentication

    SAML SSO available for Enterprise; supports standard multi-factor authentication

    notion.com

    Audit Logging

    Comprehensive audit logging capabilities for Enterprise

    notion.com

    Permissions & Access Control

    Notion AI respects existing workspace permissions; granular database permissions available

    notion.com

    Data Loss Prevention

    DLP alerts available for Enterprise plans for sensitive content detection

    notion.com

    Account Segregation

    Individual customer accounts kept separate in production environment

    notion.com

    Subprocessor Vetting

    Third parties undergo security evaluations, attestation reviews, and annual monitoring

    notion.com

    // Products & data scope

    Notion AIAI Writing & Automation

    data: Processes documents, pages, and workspace content

    Included in Plus, Business, and Enterprise plans. No training on customer data.

    Notion AgentAutonomous Agents

    data: Performs automation across Notion databases and connected apps

    Available on Business and Enterprise plans. Can build, edit, and take action within Notion.

    Custom AgentsAutonomous Agents

    data: Custom-configured automation workflows

    Enterprise feature. Can integrate with Slack, Google Drive, GitHub, and other apps.

    AI Meeting NotesMeeting Intelligence

    data: Processes meeting audio and transcripts

    Business and Enterprise plan feature. Generates summaries and actionable items.

    Enterprise SearchSearch & Discovery

    data: Indexes and searches across Slack, Google Drive, GitHub, and other connected apps

    Business and Enterprise feature (in beta). Cross-app unified search.

    // What to watch

    • HIPAA compliance requires Enterprise plan subscription and execution of Business Associate Agreement (BAA) – not available on lower tiers.
    • Beta features (Enterprise Search) are explicitly excluded from BAA coverage and should not be used for PHI processing.
    • SOC 2 Type 2 and ISO certifications are verified via Trust Center downloads (https://trustcenter.notion.com/) – full audit reports not directly accessible via web.
    • Data retention for non-Enterprise plans is 30 days with LLM providers; Enterprise achieves zero-retention by using zero-retention APIs of LLM subprocessors.
    • Model-agnostic architecture allows switching between providers without losing context, but this capability may vary between plan tiers.

    // At a glance

    Pricing model

    Per-member/month subscription (Free, Plus, Business, Enterprise); Notion AI available as trial in Free plan, included in Plus and above. Pay-as-you-go Notion Credits for AI usage.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Notion Labs, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trustcenter.notion.com

    > Browse all vendor trust reports