Q37
Do you have a current SOC 2 Type II report?
SOC 2 Type II: claimed_with_trust_page
Notion Vendor Risk Assessment — Full Report
Before you share customer data with Notion, your compliance team needs documented proof they can be trusted. ThirdProof investigated Notion across 27 intelligence sources — here's what we found.
⚠ FedRAMP Status: Not found in the FedRAMP Marketplace. Vendors handling government data or CUI must be FedRAMP authorized.
Risk Tier
Tier 4 — Low RiskSOC 2
⚠ Vendor AttestedFedRAMP
— Not AuthorizedLast Assessed
Apr 17, 2026🟡IP Reputation: Abuse score: 24%, 10 reports🟡SSL/TLS: TLSv1.3🟢Infrastructure: 13 open ports, 0 CVEs🟢Sanctions: Clear — No matches found
- FedRAMP Status
- Notion is not listed on the FedRAMP Marketplace as of March 2026.
- SOC 2 Status
- Notion has a SOC 2 claim detected on their trust page. Claim is vendor-attested — no public registry exists for independent verification.
- Sanctions Screening
- Notion returned no matches in OFAC SDN, EU Consolidated, and UN sanctions screening.
- Risk Tier
- ThirdProof assigned Notion a Low Risk tier with 100% confidence across 27 intelligence sources.
27 sources queried. 100% confidence. Every Notion investigation produces both a risk report and an auto-filled security questionnaire — no vendor follow-up required.
Get Notion's Full Report Free →5 free investigations|Risk report + auto-filled questionnaire|Avg. 7 minutes
Certification & Compliance Status
Security Questionnaire — Auto-Filled
52 of 133 questions answered for Notion
Auto-filled from public evidence • 39% complete
Q38
Do you have ISO 27001 certification?
ISO 27001 claim found on trust page (Vendor attested)
Q41
Are you FedRAMP authorized? At what level?
Not found in FedRAMP marketplace
Q40
Are you HIPAA compliant? Do you sign BAAs?
Notion help page confirms Business Associate Agreement (BAA) governs protection of Personal Health Information (PHI) for HIPAA compliance on Enterprise plans.
Q42
Are you GDPR compliant? Do you have a DPA available?
Notion help page on GDPR confirms comprehensive data protection law compliance and security page references Data Processing Addendum for GDPR compliance.
+ 6 more compliance questions answered in the full report
Every investigation produces a full PDF report plus the complete 133-question questionnaire, mapped to SOC 2, HIPAA, PCI DSS, SIG, and more.
Get Notion's Full Report Free →✗Not Listed on FedRAMP Marketplace
Verified against FedRAMP Marketplace API as of March 2026
Organizations with federal compliance requirements should verify this directly at marketplace.fedramp.gov.
Notion is not listed on the FedRAMP Marketplace.
◇27 data sources queried per assessment
◷Reports generated in an average of 7 minutes
◈SHA-256 verified for audit integrity
✓Deterministic risk scoring — no AI guesswork
4Tier
Low Risk
Notion
Vendor Risk Assessment
Confidence Score100%
Based on data availability and source coverage
27
Sources Queried
27
Sources With Data
April 17, 2026
Last Assessed
Executive Summary
AI-generated analysis for Notion
Notion (notion.so) is a SaaS productivity and AI workspace platform assessed at Risk Tier 4 (Low Risk) with 100% confidence, reflecting a strong overall security posture supported by broad independent evidence coverage. The assessment identified several meaningful positive signals across security, privacy, and compliance domains:
Key Findings
- Notion's published AI security practices include a contractual commitment prohibiting AI subprocessors from training on customer data, with zero data retention for Enterprise plan workspaces and a 30-day-or-fewer cap for non-Enterprise plans.
- The vendor publishes a trust and security page documenting AES-256 encryption at rest, TLSv1.3 in transit, MFA enforcement for all employees, least-privilege access controls, annual penetration testing, and a public bug bounty program.
- A Data Processing Agreement (DPA) is publicly available, and Notion explicitly identifies itself as a data processor under GDPR — a meaningful signal of privacy program maturity.
- The domain carries a clean threat reputation with no blacklist entries, no Malware detection service flags, and no adverse media in the past 12 months.
- Automated questionnaire coverage reached 61% (81 of 133 questions) from external signals alone, with 28 high-confidence answers — indicating strong external visibility for a SaaS vendor. Three areas warrant follow-up attention before this vendor is considered fully cleared for enterprise use. First, three security-relevant Hacker News discussions surfaced during the assessment period: a July 2025 report alleging Notion Desktop was monitoring audio and network traffic (430 points), a January 2026 report of an unpatched AI data exfiltration vulnerability (206 points), and a September 2025 analysis of AI agent web search tool abuse enabling data exfiltration (183 points). These are community-sourced signals and their current resolution status is not confirmed in the evidence — procurement teams should request vendor clarification. Second, SOC 2 Type II and ISO 27001/27017/27018 certifications are claimed on Notion's security page but could not be independently verified through public registries — the ISO 27001 claim specifically produced a registry non-match (contra-finding). Third, the TLS certificate for notion.so expires in approximately 32 days, warranting confirmation of automated renewal. Overall, Notion presents a credible, well-documented security posture appropriate for a medium data-access SaaS deployment. The certification discrepancy and AI-related vulnerability reports are the primary items requiring active follow-up before or shortly after onboarding.
Independence Statement
All evidence in this assessment was independently sourced from external data providers, public registries, threat intelligence feeds, and open-source signals without vendor participation or notification.
Investigation Findings
5 findings identified for Notion
1 high3 medium1 low
high
Tech Community Discussion: security
3 Hacker News stories about "Notion" related to security. Top story: "Tell HN: Notion Desktop is monitoring your audio and network" (430 points).
medium
Missing Security Headers
notion.so is missing 2 recommended security headers: Content-Security-Policy, X-Frame-Options.
Source:Domain Analysisdns.google →
medium
Domain Not Found in RDAP
The domain "notion.so" was not found in any RDAP registry. This may indicate a very new, non-standard, or unregistered domain.
medium
Multiple Certificate Issuers (36)
notion.so has certificates from 36 different Certificate Authorities. This may indicate inconsistent certificate management practices.
low
No Email Infrastructure
notion.so has no MX records, meaning it cannot receive email directly.
Source:Domain Analysisdns.google →
✓
Security Strengths
28 positive signals verified
✓
Legal Entity Actively Registered
Business Registration →✓
No Sanctions Matches Found
Sanctions & Watchlist Screening →✓
No Adverse Media Found
Adverse Media Scan →✓
No Adverse Media Signals
Adverse Media Scan (Fallback) →✓
Firmographic Data Available
Company Intelligence →✓
Valid SSL Certificate
Domain Analysis →✓
13 Open Ports Detected
Infrastructure Exposure →✓
Clean domain reputation
Threat Intelligence →✓
Vendor Commits to Not Training on Customer Data
AI Data Usage Policy →✓
AI Data Retention Policy Not Specified
AI Data Usage Policy →✓
Deep Document Crawler Results
Deep Document Analysis →✓
HTTP Security Grade: B
HTTP Security Scan →✓
Large Certificate Footprint (72 subdomains)
Certificate Transparency →✓
Established Web Presence (10+ years)
Web Archive History →✓
Domain in 25 Threat Intelligence Pulses
Threat Intelligence (OTX) →✓
Low Abuse Score: 24% (10 reports)
IP Reputation →✓
Clean Safe Browsing Status
Malware & Phishing Check →✓
Clean Website Security Scan
Website Security Scan →✓
Certification Claimed: SOC 2
Trust & Compliance Page Scan →✓
Certification Claimed: ISO 27001
Trust & Compliance Page Scan →✓
Certification Claimed: ISO 27017
Trust & Compliance Page Scan →✓
Certification Claimed: ISO 27018
Trust & Compliance Page Scan →✓
3 Subprocessors Identified
Supply Chain & Subprocessor Discovery →✓
Not Found as FDIC-Insured Institution
FDIC Institution Check →✓
No SEC Enforcement Filings Found
SEC Filing Search →✓
No Historical Adverse Media Found
Historical Media Search →✓
HITRUST Directory Match — Manual Verification Required
Certification Registry Verification →✓
SOC 2 Compliance Claimed on Trust Page
Certification Registry Verification →Recommended Actions
Steps to address findings for Notion
- 1
Request Notion's current SOC 2 Type II report and bridge letter — contact Notion's security team directly or check their trust portal at https://www.notion.com/security. Many enterprise vendors make SOC 2 reports available under NDA within 1–3 business days. Retain the report as evidence for your own SOC 2 audit under CC9.2.
- 2
Resolve the ISO 27001 discrepancy within 30 days: ask Notion's security team for the ISO 27001 certificate number, issuing certification body, and validity dates. Verify directly with the issuing body's public certificate lookup tool (e.g., BSI's certificate directory or Bureau Veritas's public registry) rather than relying on the vendor's own page.
- 3
Follow up on the three Hacker News security reports: (1) Desktop audio/network monitoring (July 2025), (2) Unpatched AI data exfiltration (January 2026), and (3) AI agent web search abuse (September 2025). Ask Notion's security team for their official response, patch status, and any relevant security advisories. Reference the specific HN threads at https://news.ycombinator.com/item?id=44594790, https://news.ycombinator.com/item?id=46531565, and https://news.ycombinator.com/item?id=45307095.
- 4
Confirm TLS certificate renewal is automated: contact Notion's infrastructure team or check via https://www.SSL/TLS analysis service.com/ssltest/analyze.html?d=notion.so within the next 10 business days given the 32-day expiry window. If using Cloudflare-managed certificates, renewal is typically automatic, but written confirmation is advisable for audit documentation.
- 5
If your organization is on a Notion Business or lower plan (not Enterprise), review the AI data retention policy at https://www.notion.com/help/notion-ai-security-practices — Enterprise plans have zero LLM retention, while non-Enterprise plans allow up to 30 days of LLM provider retention. Upgrade to Enterprise if zero-retention is a compliance requirement.
- 6
Request a complete subprocessor list covering all data-processing third parties, not just AI connectors. The page at https://www.notion.com/help/notion-ai-connectors covers AI-specific subprocessors only. Ask Notion's privacy or legal team for the full Article 28 subprocessor register, and confirm which subprocessors may have access to your organization's workspace data.
- 7
Document complementary user entity controls (CUECs) if Notion is in scope for your SOC 2 boundary. Key CUECs to document include: user access provisioning/deprovisioning, workspace permission configuration, SSO enforcement for enterprise users, and DLP integration (available on Enterprise plan). Retain this document alongside the Notion SOC 2 report for your auditor.
Intelligence Sources Queried
27 sources in this assessment
27of 27 sources returned data
IP Reputation
AI Data Usage Policy
Threat Intelligence (OTX)
Adverse Media Scan
Certification Registry Verification
Certificate Transparency
Deep Document Analysis
Domain Analysis
FDIC Institution Check
Business Registration
Historical Media Search
Tech Community Sentiment
Company Intelligence
Adverse Media Scan (Fallback)
HTTP Security Scan
Sanctions & Watchlist Screening
AI Research Agent
Malware & Phishing Check
SEC Filing Search
Infrastructure Exposure
SSL/TLS Analysis
Supply Chain & Subprocessor Discovery
Trust & Compliance Page Scan
Website Security Scan
Threat Intelligence
Web Archive History
Domain Registration
Data Coverage Notes
Some data sources may have had limited availability during this assessment. This does not reflect negatively on the vendor.
- WHOIS/RDAP registration data for the .so (Somalia) top-level domain was not available — the RDAP lookup returned a 404 response. Domain age is instead estimated from Web archive service archive data (first snapshot: January 23, 2016).
- The subprocessor page discovered (notion.com) appears to list only AI connector subprocessors (Slack, Microsoft Teams, Linear) rather than Notion's complete subprocessor list. A broader subprocessor inventory covering all data-processing third parties may exist at a separate URL and was not fully captured in this assessment.
- The Hacker News security discussions (Desktop monitoring, AI data exfiltration, AI agent abuse) represent community-reported signals. The current resolution status of these issues — whether Notion has patched, disclosed, or disputed them — could not be confirmed from publicly available evidence at the time of this assessment.
- ISO 27001 registry verification via IAF CertSearch returned no match. This may reflect registry lag, use of a non-IAF-affiliated certification body, or an actual certification gap — the evidence is insufficient to distinguish between these scenarios without vendor documentation.
- Firmographic data (employee headcount, founding year, company type) was not available from the business intelligence source consulted. Notion is a private company and this is expected.
- The AI data retention evidence for non-AI product data retention (outside of AI/LLM processing) was not explicitly specified in the sources retrieved. The 30-day LLM retention figure applies only to AI processing workflows.
183+
Vendors assessed
98%
Average confidence
<2 min
Time to report
Security & Compliance Profile
39% complete · 52/133 questions answered from public sourcesAre you Notion? Claim this profile to complete your security record. Buyers are reviewing this profile now.
Claim this profile →What a ThirdProof assessment covers↓
Sanctions Screening
Is Notion on any OFAC, EU, or UN sanctions list? Are any officers or affiliates flagged?
Cyber Risk Assessment
What is Notion's security posture? Threat intelligence scanning, known vulnerabilities, and security header analysis.
Business Registration
Is Notion a legitimately registered business entity? Corporate status, jurisdiction, and officer verification.
Adverse Media Analysis
Has Notion appeared in negative news coverage? Data breaches, lawsuits, regulatory actions, and complaints.
Domain & Infrastructure
Is Notion's website secure? TLS configuration, DNS hygiene, security headers, and domain age analysis.
Company Intelligence
What are Notion's firmographics? Employee count, industry classification, technology stack, and corporate structure.
Trust & Compliance Verification
Does Notion claim SOC 2, ISO 27001, HITRUST, or FedRAMP? ThirdProof scans trust pages for certification claims and cross-references the FedRAMP public registry for independent verification.
Supply Chain & Subprocessor Discovery
Who does Notion depend on? ThirdProof discovers subprocessors from vendor-published pages and runs sanctions screening and safe browsing checks against each one.
Regulatory & Financial Filings
Has Notion appeared in SEC enforcement filings? Is it associated with any FDIC bank failures? ThirdProof searches regulatory databases with entity verification to confirm attribution.
Full methodology, rule engine, and AI disclosure: /methodology
Compliance Resources
→ SOC 2 Vendor Assessment: What Your Auditor Actually Reviews→ SOC 2 CC9.2 Vendor Management with ThirdProof→ HIPAA Vendor Risk Assessment with ThirdProof→ ABA Model Rule 1.6 Vendor Due Diligence for Law Firms→ FedRAMP Authorized Vendor List→ FedRAMP Vendor Authorization Status Guide→ Sanctions Screening for Vendor Due Diligence→ Vendor Due Diligence Checklist→ All 27 Intelligence Sources
Seeing this in an audit? ThirdProof lets you investigate Notion and every other vendor in your stack — average report time: 7 minutes. Get Notion's Full Report Free →
Frequently asked about Notion
Is Notion FedRAMP authorized?+
Notion is not currently listed on the FedRAMP Marketplace as of April 2026.
Does Notion have SOC 2 Type II?+
Yes — Notion holds SOC 2 (Type II not confirmed). Rated Low Risk — 13 open ports detected. See all 7 findings →
Is Notion on the OFAC sanctions list?+
Notion returned no matches in ThirdProof's OFAC SDN, EU Consolidated, and UN sanctions screening as of April 2026.
What is Notion's vendor risk tier?+
ThirdProof assigned Notion a risk tier of Low Risk with 100% confidence based on assessment across 27 intelligence sources as of April 2026.
Can I get an auto-filled security questionnaire for Notion?+
Yes. Every ThirdProof investigation of Notion produces two deliverables: an audit-ready risk report and a 133-question security questionnaire pre-filled with evidence from 27 independent sources. The questionnaire is mapped to SIG, SOC 2, HIPAA, PCI DSS and 9 other frameworks — answered without sending Notion a single email or waiting for a vendor response.
Is Notion safe to use as a vendor?+
Notion is a productivity vendor that handles organizational documents and communications. Safety depends on their current security posture, certification status, and how they handle your specific data. ThirdProof automates this evaluation across 27 intelligence sources — sanctions databases (OFAC, EU, UN), business registration verification, adverse media scanning, and cyber risk assessment — producing a deterministic risk tier with confidence score plus an auto-filled security questionnaire. Run a free investigation to see Notion's full risk profile.
Does Notion have SOC 2 certification?+
Yes — Notion holds SOC 2 + 3 other certs. Rated Low Risk — 13 open ports detected. See all 7 findings →
Has Notion had any data breaches?+
Data breach history is an important signal for any vendor, particularly productivity platforms like Notion that handle organizational documents and communications. ThirdProof's adverse media analysis searches multiple news APIs and public records for data breaches, security incidents, lawsuits, regulatory enforcement actions, and financial distress signals. Each finding is linked to its original source with severity classification.
Is Notion on any sanctions lists?+
Sanctions screening is standard due diligence for productivity vendors. ThirdProof screens Notion against OFAC SDN, consolidated international sanctions lists, and PEP databases. The screening uses entity name verification to reduce false positives. If Notion or any associated officers appear on a sanctions list, this triggers automatic escalation to the highest risk tier.
How do I assess Notion for vendor risk?+
Assessing Notion as a productivity vendor involves verifying SOC 2 Type II and FedRAMP compliance, reviewing their subprocessor chain, and checking sanctions exposure. ThirdProof automates this across 27 intelligence sources in an average of 7 minutes — no questionnaires or vendor participation required. Your first 5 investigations are free.
How long does a ThirdProof assessment take?+
A ThirdProof assessment completes in an average of 7 minutes. 27 intelligence sources are queried in parallel — sanctions databases, business registries, threat intelligence feeds, certificate transparency logs, and more. The result is a deterministic risk tier with confidence score and audit-ready PDF report.
Is ThirdProof free?+
ThirdProof offers 5 free vendor assessments with no credit card required. Each assessment includes the full report — risk tier, confidence score, individual findings, executive summary, and PDF export. Paid plans start at $399/month for teams that need ongoing vendor monitoring.
Can I use a ThirdProof report as SOC 2 audit evidence?+
Yes. ThirdProof reports are designed to satisfy SOC 2 CC9.2 (vendor risk management) requirements. Each report includes SHA-256 integrity verification, methodology disclosure, source attribution for every finding, and AI content labeling. Auditors can independently verify the report's authenticity and trace each finding to its original source.
How is ThirdProof different from a security questionnaire?+
Security questionnaires require vendor participation, take weeks, and produce self-reported answers. ThirdProof queries 27 independent intelligence sources — no vendor involvement needed. Risk tiers are assigned by a deterministic rules engine (not AI opinion), and every finding links to its original source. You get an audit-ready report in an average of 7 minutes instead of waiting weeks for a questionnaire response.
Also investigate these vendors
Notion is in your vendor stack. Can you prove you assessed them?
SOC 2 CC9.2, HIPAA, PCI-DSS, and CMMC all require documented vendor due diligence — not just knowing the answer, but having audit-ready evidence you verified it. Most compliance teams can't produce that documentation on demand.
ThirdProof investigates Notion across 27 intelligence sources in an average of 7 minutes — sanctions screening, cyber posture, SOC 2 verification, FedRAMP status, and more. Every investigation produces two deliverables: an audit-ready risk report and an auto-filled security questionnaire your prospects and auditors expect to see.
✓ 5 free investigations✓ Risk report + auto-filled questionnaire✓ No credit card required✓ Average report time: 7 minutes
Replaces $600–$900 in manual compliance consulting time per vendor assessed.