Security Measures and Commitments for Notion Services
Notion's Security Exhibit outlines comprehensive security measures including encryption, access controls, certifications, incident response, and compliance with standards like SOC 2 Type II and ISO 27001. It details how Notion protects customer data through technical, organizational, and physical safeguards, with strong emphasis on confidentiality, integrity, and availability. The document is designed for enterprise customers, particularly under data processing agreements, and demonstrates mature security practices with minimal risks.
Relies on third-party subprocessors like AWS and Google Cloud, which may introduce supply chain risks.
Some logs retained for compliance without fixed deletion timelines.
Annual audits covering security, availability, processing integrity, confidentiality, and privacy.
TLS 1.3 in transit and AES-256 at rest for all customer data.
Mandatory MFA for admins, role-based access, and just-in-time privileges.
Notion collects the following categories of personal data. High Risk categories are those used for advertising profiling or that involve sensitive personal information.
Pages, databases, and files uploaded by users.
IP addresses, device info, and interaction logs for security and analytics.
Your data serves the following purposes. Mandatory purposes cannot be disabled without canceling the service. Opt-out available purposes allow some user control.
Data used solely to provide Notion services, with no use for training AI models.
Aggregated anonymized data for service improvement and security monitoring.
Notion shares data with the following categories of third parties.
Cloud hosts (AWS, Google Cloud) and analytics (Amplitude) under strict DPAs.
No sharing with advertisers; limited to essential subprocessors.
The following rights may be available to you depending on your region. EU/EEA users have the broadest protections under GDPR. Non-EU users have more limited guarantees.
Full data export via the API; account deletion removes user content within 30 days.
Supports DSARs with response within 30 days per GDPR/CCPA.
Data is retained for different periods depending on category, and security disclosures vary in depth. The policy highlights the following retention and transparency points.
Retention Periods
Customer data deleted within 30 days of account termination.
Retained for 7 years to meet legal requirements.
Indefinite retention after anonymization.
Security & Transparency
Encryption in transit (TLS 1.3) and at rest (AES-256).
Notification within 48 hours of confirmed breach affecting customer data.
SOC 2 Type II, ISO 27001, annual penetration testing.
Source Text
Details personnel screening, encryption, firewalls, and IDS/IPS.
Interpretation
Strong baseline security controls aligned with NIST.
Source Text
Defined process with root cause analysis and customer notification.
Interpretation
Proactive and transparent incident handling.
Source Text
Approved list with change notifications.
Interpretation
Transparency but dependency on vendors.
SOC 2 Type II, ISO 27001, and regular third-party audits.