Security practices

Access monitoring: Notion has enabled logging on all critical systems. Logs include failed/successful logs, application access, administrator changes, and system changes. Logs are ingested by our observability and security incident event management (SIEM) solution for log ingestion and automated logging/alerting capabilities.

Backups enabled: Notion is hosted by AWS and stores customer data using a combination of databases. By default, AWS provides durable infrastructure to store important data and is designed for durability of 99.9% of objects. Automated backups of all customer and system data is enabled, and data is backed up daily at minimum. The backups are encrypted in the same way as live production data, and are monitored and alerted.

Data erasure: Notion customers are Controllers of their data. Each customer is responsible for the information they create, use, store, process and destroy. Notion customers have the ability to request data deletion or self-serve their own deletion, when data is not subject to regulatory or legal retention periodicity requirements. Please refer to our Privacy Policy and Data Processing Addendum for more information.

Encryption at rest: Customer data is encrypted at rest using AES-256. Customer data is encrypted when on Notion’s internal networks, at rest in Cloud storage, database tables, and backups.

Encryption in transit: Data sent in-transit is encrypted using TLS 1.2 or greater.

Physical security: Notion leverages Amazon Web Services (AWS) to host our application, and defers all data center physical security controls to them. Please refer to AWS’s physical security controls here.

Responsible disclosure: Notion maintains a bug bounty program. Please refer to our Responsible Disclosure Policy.

Code analysis: Notion security and development teams conduct threat modeling and secure design reviews for new releases and updates. After code completion for significant feature launches, we perform code audits, code reviews, and conduct security scans for our codebase.

Software Development Lifecycle (SDLC): Notion uses a defined SDLC to ensure that code is written securely. During the design phase, security threat modeling and secure design reviews are performed for new releases and updates. After code completion for significant feature launches, we perform code audits, work with vendor companies or drive an internal penetration test, and conduct security scans for our codebase. After launch, we host bug bounties and have a vulnerability management program to address severe security issues.

Credential management: Notion uses a third party Key Management Services (KMS) that automatically manages key generation, access control, secure storage, backup, and rotation of keys. Cryptographic keys are assigned to specific roles based on least privilege access and keys are automatically rotated yearly. Usage of keys is monitored and logged.

Vulnerability & patch management: Notion performs vulnerability scanning and package monitoring on all infrastructure related hosts, and the company product continuously. Externally and internally-facing services are patched on a regular schedule. Any issues that are discovered are triaged and resolved according to the severity within Notion’s environment.

Web Application Firewall (WAF): All public endpoints leverage a managed Web Application Firewall to deter attempts to exploit common vulnerabilities.

Data Access Level: Internal (i.e. Notion employees will only ever access your data for the purposes of troubleshooting problems or recovering content on your behalf. )

Third Party Dependence: Yes - please refer to our list of subprocessors here.

Hosting: Notion is hosted on one Amazon Web Services (AWS), one of the major cloud service providers.

Recovery Time Objective: Estimated at 2 hours

Recovery Point Objective: Estimated at 24 hours

Employee training: Security training is required during the employee onboarding process, and annually thereafter. Employees also must read and acknowledge Notion’s Code of Conduct and the Security policy.

HR security: Notion performs background checks on employees when they are hired in accordance with local laws and regulations.

Incident response: Notion has an incident management plan which contains steps for preparation, identification, containment, investigation, eradication, recovery, and follow-up/postmortem that is reviewed and tested annually at least.

Internal assessments: Internal security audits are performed at least annually at Notion.

Internal SSO: Multi-factor authentication (MFA) is required for all Notion employees to log into Notion’s identity provider.

Data access: Notion internally leverages the principle of Least Privilege for access. Access is granted based on job function, business requirements, and a need to know basis. Access reviews are conducted on a set frequency to ensure continued access to critical systems are still required.

Logging: Notion leverages a SIEM solution for log ingestion and automated logging/alerting capabilities. Logs are ingested from critical systems and alerting rules are utilized to ensure security event alerts are generated where/when necessary.

Password Security: Notion requires MFA to be enabled for any and all systems that provide the option for MFA). When such delegation is not possible, Notion maintains a stringent internal password management policy including complexity, and length.

Anti-DDoS: Notion leverages third party applications for DDoS protection.

Data Center: Notion is hosted on AWS, who handles physical security to data centers. Please refer to AWS’s security documentation here.

Infrastructure Security: Notion’s infrastructure is hosted in a fully redundant, secured environment. Notion’s customer data is hosted by AWS. AWS maintains a list of reports, certifications, and third party assessments to ensure best security practices. For more information on AWS compliance, please see here.
AWS infrastructure is housed in an Amazon controlled data centers throughout the world, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access. More information on AWS data centers and their security controls can be found here.

Separate Production Environment: Customer data is never stored in non-production environments. Customer accounts are logically separated in our production environment. We have separate development, testing and production environments.

Disk Encryption: Employee laptops have disk encryption enabled for protection

Endpoint Detection & Response: All endpoints have detection software installed. Additionally, Notion has implemented multiple security controls to ensure the security of customer data and solutions. These controls ensure we have ongoing visibility of what our end point is doing, that we can detect and react quickly to any tampering or threats as well as, logging and enforcement controls.

Mobile Device Management: Employee devices and their software configuration are managed remotely by members of the IT and security team via MDM software.

Threat Detection: Notion utilizes a third party endpoint protection software for dedicated threat detection. The endpoint software detects intrusions, malware, and malicious activities on endpoints and assists in rapid response to eliminate and mitigate the threats.

Firewall: Notion office networks are configured with a network firewall. WAN-accessible network services are not to be hosted within the office environment.

IDS/IPS: Notion utilizes a mix of both network and host-based IDS/IPS type systems part of a broader defense-in-depth approach to securing the organization. This includes monitoring for suspicious activity through a combination of signature-based and anomaly-based detections.

Security Information and Event Management (SIEM): Notion utilizes a SIEM solution for incident and event management. Event notifications are communicated to our security staff in real-time.

Wireless Security: Notion offices use strong encryption for office wireless networks. Notion does not maintain any wireless networks with impacts on customer data or production systems.

Domain Management: Domain refers to the email address domain associated with a Notion account. Domain verification allows workspace owners to claim ownership over a domain, which will unlock domain management settings.

SAML Single Sign-On (SSO): Notion provides Single Sign-On (SSO) functionality for Business and Enterprise customers to access the app through a single authentication source.

SCIM Provisioning and Revoking: Notion workspace with the System for Cross-domain Identity Management (SCIM) API standard.

Audit Log: Notion gives Workspace owners access to detailed information about security and safety-related activity. This can include identifying potential security issues, investigating suspicious behavior, and troubleshooting access.

2FA (MFA): Notion provides 2-step verification to add an extra layer of protection to your Notion account. This feature is available to all plan types and can be set up easily in your account settings.

Manage Permissions: Notion allows owners to control their permission levels to ensure that users are viewing and interacting with your content exactly the way you want them to.

Manage Team Spaces: Workspace owners can get an overview of all teamspaces in the workspace, modify their settings, and access additional management tools.