Notion AI
Enterprise-Ready
The vendor is rated Enterprise-Ready with a score of 79 out of 100. Strongest verified evidence includes confirmed SOC 2 and ISO certifications (ISO 27001, ISO 27017, ISO 27018, ISO 27701) available via the vendor's trust portal. However, the vendor's governance readiness was recently downgraded from Enterprise-Ready to Conditional due to a new, unpatched CVE (CVE-2024-23743), indicating a drop in overall governance posture. The buyer should request the remediation timeline for CVE-2024-23743 and a Data Processing Agreement during procurement.
Readiness Breakdown deterministic · evidence-only
- Independent Certification SOC 2 / ISO certifications confirmed via the vendor's trust portal (ISO 27001, ISO 27017, ISO 27018, ISO 27701). Audit report available under NDA — standard enterprise practice.
- Vendor-Stated Compliance Vendor states (cited, not independently audited): BAA Available (HIPAA), GDPR, HIPAA, ISO 27001, SOC 2.
- Customer-Data Training Enterprise terms: does NOT train on customer data (consumer/free tiers may differ — see breakdown).
- Data Processing Agreement No public DPA located — request one during procurement.
- Breach History No known breaches in Have I Been Pwned.
- Vulnerability Exposure 1 known CVE(s); none currently in CISA KEV.
- Email Spoofing Protection (DMARC) DMARC enforced — domain spoofing mitigated.
- Vulnerability Disclosure Policy Publishes a security.txt disclosure policy (RFC 9116).
- Web TLS Certificate Valid TLS certificate in place.
- Legal Transparency 5 legal/policy documents publicly tracked.
Ask This in Your Security Review 1 open items
- Data Processing AgreementRequest the Data Processing Agreement (DPA) and current sub-processor list.
Compliance Posture vendor-stated · cited
| Framework | Status | Source |
|---|---|---|
| BAA Available (HIPAA) | Stated by vendor | https://www.notion.com/help/enterprise-search-security-and-privacy-practices |
| GDPR | Stated by vendor | https://www.notion.com/help/privacy |
| ISO 27001 | Stated by vendor | https://www.notion.so/security |
| SOC 2 | Stated by vendor | https://www.notion.so/security |
| HIPAA | Not publicly verified | — |
Data & Contract Facts deterministic · cited
| Attribute | Value | Source |
|---|---|---|
| IP / Content Ownership key clause |
True
“Data governance: Your data is yours.”vendor's exact wording |
https://www.notion.com/security |
| Sub-processors (published list) | View document → | https://www.notion.so/notion/Notion-s-List-of-Subprocessors-268fa5bcfa0f46b6bc29436b21676734 |
| Trains on Customer Data key clause |
Free / Pro:
does not train
By default Notion and its AI subprocessors (OpenAI, Anthropic) do not use your data to train models. Non-Enterprise: LLM providers retain data ≤30 days. Only the opt-in AI LEAP Program shares data for training.
cited →
Enterprise:
does not train
Enterprise: zero data retention with LLM providers; contractual prohibition on training by Notion and its subprocessors.
cited →
|
see per-tier citations |
Security Posture authoritative · cited
Security & Compliance Timeline authoritative · dated
- 2024-01-28 CVE CVE-2024-23743 disclosed (LOW · no fix listed)
Certifications Available Under NDA / Trust Center attested · report gated
| Certification | Status | Trust Center |
|---|---|---|
| ISO 27001 | Available via Trust Center | https://notion.com/security |
| ISO 27017 | Available via Trust Center | https://notion.com/security |
| ISO 27018 | Available via Trust Center | https://notion.com/security |
| ISO 27701 | Available via Trust Center | https://notion.com/security |
Common compliance questions
Tracked Legal & Policy Documents
| Document | URL |
|---|---|
| Pricing | https://www.notion.com/pricing |
| Security | https://www.notion.com/security |
| Soc Report | https://www.notion.com/security |
| Trust | https://www.notion.so/security |
| Vuln Mgmt | https://notion.com/security.txt |
How to Obtain Non-Public Documents
These documents were not found at a public URL — which is normal. Many are provided on request, only on enterprise plans, or via the vendor's trust portal. Here is where each lives and what to do to get it.
| Document | Availability | How to obtain |
|---|---|---|
| Data Processing Addendum (DPA) | On request / trust portal | No public DPA link was found. Most vendors provide a DPA on request or let you accept one through their trust/legal portal. Start at the trust center, or email the vendor's privacy team (commonly privacy@<vendor-domain>). Trust center → |
| Sub-processor List | Trust portal / on request | A public sub-processor list was not found. Many vendors publish it behind a trust-portal login or send it on request. Request access through the trust center or from the vendor's privacy/security team. Trust center → |
| Business Associate Agreement (BAA) | On request (HIPAA only) | A BAA is required only when processing PHI under HIPAA and is almost never published publicly. Request one from the vendor's compliance/legal team during enterprise onboarding — it is typically signed under NDA. Trust center → |
| Master Services Agreement (MSA) | Negotiated per contract | The MSA governs enterprise contracts and is negotiated per deal, so there is usually no public link. Self-serve plans are covered by the public Terms of Service instead; for an MSA, ask the vendor's sales team during procurement. Trust center → |
| Service Level Agreement (SLA) | Enterprise tier | A formal uptime/support SLA is generally offered only on enterprise/paid plans and attached to the order form. Ask sales for the SLA exhibit or check the enterprise pricing page; the trust center often summarises uptime commitments. Trust center → |
Continuous Monitoring change-tracking active
6 legal & policy documents under change-monitoring since 2026-06-06. 2 tracked changes detected since baseline.
| Detected | Change | Detail |
|---|---|---|
| 2026-06-08 | Governance Readiness Change |
Governance readiness downgraded: Enterprise-Ready → Conditional. Driven by: 1 new CVE: CVE-2024-23743.
What this means: This vendor's overall governance posture dropped a tier, driven by 1 change this period (see the summary below) — re-check whether it still meets your bar before renewal or expansion.
|
| 2026-06-08 | CVE / Security Incident |
1 new CVE: CVE-2024-23743.
What this means: A newly disclosed vulnerability affects this vendor — ask for the remediation timeline and confirm your exposure.
|
Search the Legal Documents verbatim · cited
Search Notion AI's captured Terms, DPA, Privacy Policy and sub-processor list. Results are the exact clauses from the source documents, each with a link to where it lives. No summary, no interpretation — just the wording on the record. If nothing matches, we say so rather than guess.
Every result is a verbatim clause pulled straight from the linked source document — nothing is paraphrased or generated.
Monitor Notion AI — get alerted when this changes
This brief is a point-in-time snapshot. Vendors quietly revise their DPA, sub-processors, certifications and security posture — and disclose new CVEs. Get a priority email the moment Notion AI changes something that affects your risk. Built for procurement & security teams.