// Trust & Security Report
Dynalist Inc.
Obsidian is a local-first knowledge management and note-taking application with optional paid services: Sync (multi-device synchronization with E2E encryption), Publish (static website publishing), and Canvas (visual workspace). Core application is free for personal use.
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on obsidian.md“Cure53 conducted penetration testing and source code review in October 2024; Trail of Bits conducted Sync security assessment in December 2025. Both audits covered API, server, and cryptography. All identified issues have been remediated.”
> Show 6 unconfirmed / not-held certifications
source: obsidian.mdObsidian lacks ISO 27001, NIST, or comparable certifications but offers third-party security audits
source: obsidian.mdPrivacy policy references Canadian Personal Information Protection and Electronic Documents Act but does not explicitly address GDPR compliance
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Mixed: local (on user device) for core app; Sync/Publish services may be processed and stored outside Canada
No evidence of AI training on customer data. Obsidian's design philosophy is local-first; user data is stored on user devices and not sent to Obsidian servers unless user opts into Sync or Publish services.
// Security controls
Local Data Storage
Core application stores all data locally on user device by default. No account required, no telemetry collected.
obsidian.mdEncryption at Rest
Sync service uses AES-256 end-to-end encryption. Publish data is encrypted.
obsidian.mdSync Infrastructure
All data including file names is end-to-end encrypted in Sync service. If subscription expires, data retained for 1 month; upon cancellation, deleted immediately.
obsidian.mdPlugin/Theme Security
Community plugins and themes in official directory undergo automated scanning for vulnerabilities, code quality, and malware. Popular and flagged items receive manual review.
obsidian.mdAccount Protection
2FA available for Obsidian accounts. No SSO support. Users of Sync/Publish must confirm 2FA on first login if enabled.
obsidian.mdThird-Party Processors
Payment processors: Stripe, WeChat Pay, Alipay, PayPal. Service providers may be located outside Canada.
obsidian.md// Products & data scope
data: Local-first; user controls all data on device
Free for personal use. Commercial use requires per-user license ($50/year). No sign-up required; no telemetry.
data: Encrypted multi-device sync; E2E encrypted on servers
Optional paid service ($4-$8/month). Data encrypted end-to-end. Audited by Cure53 (Oct 2024) and Trail of Bits (Dec 2025).
data: Hosted on Obsidian servers; content published as static site
Optional paid service ($8-$16/month). Allows users to publish notes as web-accessible digital gardens.
data: Stored locally; optionally synced via Sync service
Infinite visual space for brainstorming and diagramming within local notes.
// What to watch
- No formal certifications (SOC 2, ISO 27001, HIPAA, PCI DSS) - vendor relies on third-party audits instead
- Privacy policy does not explicitly address GDPR compliance; vendor is Canadian but handles international data
- Data residency for Sync/Publish not specified; only note that service providers may be outside Canada
- No Data Processing Agreement (DPA) mentioned; may be issue for GDPR-regulated organizations
- No SSO support for base application; requires email-based account management for Sync/Publish
// At a glance
Pricing model
Freemium: free personal use; optional paid services for Sync ($4-$8/mo), Publish ($8-$16/mo), and commercial use licenses ($50/year)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Dynalist Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
obsidian.md