Security & privacy
We know you've entrusted us with valuable data, and we take its security very seriously. Below, we've provided a deep dive into our security practices, protocols and tooling 🔒
The following list was last updated August 9, 2021.
We have completed both SOC 2 Type 1 and SOC 2 Type 2 reports, certifying that our security policies and controls continuously meet the highest industry standards. You can read more about this here →
We use TLS everywhere, within the data center and out.
Your data is encrypted at rest and in transit.
We run 100% on the cloud using AWS (US-West) within a virtual private network that cannot be accessed via the public internet, except via our public-facing proxy servers.
We have Amazon CloudTrail turned on at all times.
We perform quarterly independent security audits using established security firms.
We'll notify you within 72 hours of learning about a data breach.
All employees receive regular security training.
We work with certain companies and tool systems to provide our services to you. They've been carefully vetted for best-in-class security practices. For more information, see our List of Subprocessors.
Amazon VPC (Virtual Private Cloud) allows Notion to implement granular network control and security measures.
Amazon CloudTrail helps Notion with the governance, compliance, operational auditing, and risk auditing of our AWS account.
The folks we work with at Latacora are the global experts in cyber security and risk mitigation. They help us with services such as penetration testing, overall software security, security training, and vulnerability protection.
SOC 2 is a security report based on AICPA's Trust Services Criteria.
This page is for informational purposes only. Notion may update or change this page at any time.
FAQs
Will other people be able to see my pages?
Your data is safe in Notion! If someone tries to navigate to your workspace without having access, they’ll see a page that lets them know that they do not have the correct permission state to access that content.
If you enable Share to web in the Share menu at the top right of a page, it will publish that page to the web so that anyone with the link can access it. This is always turned off by default.
If you’re sharing a workspace with others, some pages will be visible to everyone in the workspace, or specific groups of people — this is based on the permissions you see in the Share menu at the top right of the page.
Please note, if you are using an account in an enterprise workspace, your content may be accessed by the workspace’s workspace owner. Learn more in Our Terms of Service
To learn more about sharing & permissions, read this article from our Help Center.
Can I opt out of Notion's tracking/analytics?
Yes you can! This will also disable Intercom, who powers our in-app support chat, but you can still reach out to us for help at team@makenotion.com.
Just send a message to our support team at that address and we'll opt you out.
Why can I still access my uploaded files via the AWS URL without being logged in?
Your files are secure! You're looking at a signed URL that will expire after 24 hours.
Any files uploaded to Notion will remain secure private files. You'll notice they point to a URL that has secure.notion-static.com inside it.
For workspace exports, the link we email you will expire after 7 days.
My browser alerted me that Notion is using trackers. What do these trackers do?
We use tracking code in order to effectively run ads (for example, tracking a visit to our marketing site). We isolate this to a sandboxed iframe on a subdomain (aif.notion.so) — it's never activated on user pages.
No user content is exposed to any third-party service.
