// Trust & Security Report

    Dynalist Inc. logo

    Dynalist Inc.

    Obsidian is a local-first knowledge management and note-taking application with optional paid services: Sync (multi-device synchronization with E2E encryption), Publish (static website publishing), and Canvas (visual workspace). Core application is free for personal use.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    Third-Party Security Audits
    HELD

    Cure53 conducted penetration testing and source code review in October 2024; Trail of Bits conducted Sync security assessment in December 2025. Both audits covered API, server, and cryptography. All identified issues have been remediated.

    Verify on obsidian.md
    > Show 6 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    no public evidence

    source: obsidian.md
    SOC 2 Type 2
    NOT CONFIRMED

    no public evidence

    source: obsidian.md
    ISO 27001
    NOT CONFIRMED

    Obsidian lacks ISO 27001, NIST, or comparable certifications but offers third-party security audits

    source: obsidian.md
    GDPR
    NOT CONFIRMED

    Privacy policy references Canadian Personal Information Protection and Electronic Documents Act but does not explicitly address GDPR compliance

    source: obsidian.md
    HIPAA
    NOT CONFIRMED

    no public evidence

    source: obsidian.md
    PCI DSS
    NOT CONFIRMED

    no public evidence

    source: obsidian.md

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Mixed: local (on user device) for core app; Sync/Publish services may be processed and stored outside Canada

    No evidence of AI training on customer data. Obsidian's design philosophy is local-first; user data is stored on user devices and not sent to Obsidian servers unless user opts into Sync or Publish services.

    // Security controls

    Local Data Storage

    Core application stores all data locally on user device by default. No account required, no telemetry collected.

    obsidian.md

    Encryption in Transit

    HTTPS/TLS for all connections (Sync, Publish, account management)

    obsidian.md

    Encryption at Rest

    Sync service uses AES-256 end-to-end encryption. Publish data is encrypted.

    obsidian.md

    Sync Infrastructure

    All data including file names is end-to-end encrypted in Sync service. If subscription expires, data retained for 1 month; upon cancellation, deleted immediately.

    obsidian.md

    Plugin/Theme Security

    Community plugins and themes in official directory undergo automated scanning for vulnerabilities, code quality, and malware. Popular and flagged items receive manual review.

    obsidian.md

    Account Protection

    2FA available for Obsidian accounts. No SSO support. Users of Sync/Publish must confirm 2FA on first login if enabled.

    obsidian.md

    Third-Party Processors

    Payment processors: Stripe, WeChat Pay, Alipay, PayPal. Service providers may be located outside Canada.

    obsidian.md

    // Products & data scope

    Obsidian (Desktop & Mobile)Note-taking / Knowledge Management

    data: Local-first; user controls all data on device

    Free for personal use. Commercial use requires per-user license ($50/year). No sign-up required; no telemetry.

    Obsidian SyncCloud Synchronization

    data: Encrypted multi-device sync; E2E encrypted on servers

    Optional paid service ($4-$8/month). Data encrypted end-to-end. Audited by Cure53 (Oct 2024) and Trail of Bits (Dec 2025).

    Obsidian PublishStatic Web Publishing

    data: Hosted on Obsidian servers; content published as static site

    Optional paid service ($8-$16/month). Allows users to publish notes as web-accessible digital gardens.

    Obsidian CanvasVisual Workspace

    data: Stored locally; optionally synced via Sync service

    Infinite visual space for brainstorming and diagramming within local notes.

    // What to watch

    • No formal certifications (SOC 2, ISO 27001, HIPAA, PCI DSS) - vendor relies on third-party audits instead
    • Privacy policy does not explicitly address GDPR compliance; vendor is Canadian but handles international data
    • Data residency for Sync/Publish not specified; only note that service providers may be outside Canada
    • No Data Processing Agreement (DPA) mentioned; may be issue for GDPR-regulated organizations
    • No SSO support for base application; requires email-based account management for Sync/Publish

    // At a glance

    Pricing model

    Freemium: free personal use; optional paid services for Sync ($4-$8/mo), Publish ($8-$16/mo), and commercial use licenses ($50/year)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Dynalist Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    obsidian.md

    > Browse all vendor trust reports