Note: Notion is aware of the Log4Shell vulnerability (CVE-2021-44228, also known as the log4j vulnerability) and has proactively put a mitigation in place as soon as we learned of it.
While we're continuing to investigate, we wanted to let our customers know that at this time we have no evidence of any successful malicious activity to Notion or our sub-processors. We will continue to provide updates if anything changes or as more information is made available.
The following list was last updated August 9, 2021.
We have completed both SOC 2 Type 1 and SOC 2 Type 2 reports, certifying that our security policies and controls continuously meet the highest industry standards. You can read more about this here →
We use TLS everywhere, within the data center and out.
Your data is encrypted at rest and in transit.
We run 100% on the cloud using AWS (US-West) within a virtual private network that cannot be accessed via the public internet, except via our public-facing proxy servers.
We have Amazon CloudTrail turned on at all times.
We perform quarterly independent security audits using established security firms.
We'll notify you within 72 hours of learning about a data breach.
All employees receive regular security training.
We work with the following companies and tool systems to store, analyze, and transmit data for our users. They've been carefully vetted for best-in-class security practices.
Amazon VPC (Virtual Private Cloud) allows Notion to implement granular network control and security measures.
Amazon CloudTrail helps Notion with the governance, compliance, operational auditing, and risk auditing of our AWS account.
The folks we work with at Latacora are the global experts in cyber security and risk mitigation. They help us with services such as penetration testing, overall software security, security training, and vulnerability protection.
SOC 2 is a security report based on AICPA's Trust Services Criteria.
- Will other people be able to see my private notes and data?
Your data is safe in Notion! Only you will have access to your private notes.
If someone tries to navigate to your workspace without having access, they'll see a page that lets them know that they do not have the correct permission state to access that content.
If you enable
Share to the webin the
Sharemenu at the top right of a page, it will publish that page to the web so that anyone with the link can access it. This is always turned off by default.
If you're sharing a workspace with others, any notes in the
Workspacesection of your sidebar will be visible to everyone in the workspace. You can store your private notes in the
Privatesection of the sidebar for shared workspaces — no one else will be able to access these pages, even admins. If your sidebar doesn't have those sections, you're the only person in your workspace, and all your notes are private!
- Can I opt out of Notion's tracking/analytics?
Yes you can! This will also disable Intercom, who powers our in-app support chat, but you can still reach out to us for help at email@example.com.
Just send a message to our support team at that address and we'll opt you out.
- Why can I still access my uploaded files via the AWS URL without being logged in?
Your files are secure! You're looking at a signed URL that will expire after 24 hours.
Any files uploaded to Notion will remain secure private files. You'll notice they point to a URL that has
For workspace exports, the link we email you will expire after 7 days.
- My browser alerted me that Notion is using trackers. What do these trackers do?
We use tracking code in order to effectively run ads (for example, tracking a visit to our marketing site). We isolate this to a sandboxed iframe on a subdomain (aif.notion.so) — it's never activated on user pages.
No user content is exposed to any third-party service.