This 1‑pager summarizes the technical and organizational measures that Notion maintains to protect Customer Data under a shared responsibility model.
1. Purpose
This Security Exhibit forms part of the Master Subscription Agreement (the “Agreement”) between Notion Labs, Inc. (“Notion”) and Customer, and summarizes the technical and organizational measures that Notion maintains to protect Customer Data under a shared responsibility model, focusing on Notion’s responsibilities.
2. Scope & Relationship to MSA / DPA
- This Exhibit applies to Notion's provision of the Services and Notion's processing of Customer Data.
- This Exhibit is intended to supplement, and not replace, the security and privacy commitments set out in the Agreement and the Data Processing Addendum (“DPA”).
3. Information Security Program
- Notion maintains a comprehensive information security program designed to protect the confidentiality, integrity, and availability of Customer Data processed by Notion in connection with the Services, taking into account the nature and sensitivity of such data.
- The program includes administrative, technical, and physical safeguards consistent with industry-standard practices.
- The program is reviewed and updated periodically to address changes in laws, regulations, industry standards, and risk.
4. Access Control & Identity Management
Access to production systems containing Customer Data is limited and controlled as follows:
- Access is granted on a least‑privilege, business‑need‑to‑know basis.
- Access to such systems is provisioned and de‑provisioned through documented processes and is reviewed periodically.
- Administrative access to production systems is protected by strong authentication controls, including multi‑factor authentication where supported.
5. Encryption
- In transit: Customer Data transmitted over public networks is protected using industry‑standard encryption protocols (such as TLS 1.2 or higher).
- At rest: Customer Data stored in production systems is encrypted at rest using industry‑standard algorithms (currently including AES‑256 for primary data stores and backups).
6. Network Security
- Production environments supporting the Services are protected through firewalls and other security controls designed to limit and monitor access to systems processing Customer Data.
- Network segmentation logically isolates production environments and restricts traffic between network zones to limit lateral movement.
- Systems are configured according to hardening guidelines and are regularly updated and patched based on the severity and risk of identified vulnerabilities.
7. Logging, Monitoring & Detection
- Notion collects and retains security‑relevant logs from critical systems supporting the Services and aggregates them into a centralized security information and event management (SIEM) solution to support detection and investigation of potential security incidents.
- Logs and alerts are monitored, and detected events are triaged and handled in accordance with Notion's documented incident response procedures.
8. Vulnerability Management
- Notion maintains a vulnerability management program that includes regular vulnerability scanning of production infrastructure and remediation of identified vulnerabilities based on severity and risk.
- Where appropriate, Notion engages independent third parties to perform security assessments or penetration tests of in‑scope systems.
9. Security Incident Management
- Notion maintains a documented security incident response plan that defines roles, responsibilities, and escalation paths for responding to security incidents.
- In the event of a Security Incident affecting Customer Data, Notion will:
  - investigate the incident and take reasonable steps to contain and remediate its effects; and
  - notify Customer without undue delay in accordance with the Agreement and/or the DPA, including information reasonably available to Notion at the time of notification.
10. Business Continuity & Disaster Recovery
- Notion maintains business continuity and disaster recovery plans for the Services and reviews them on a periodic basis.
- Notion performs automated backups of Customer Data at least daily and stores such backups in encrypted form, separate from primary production systems.
- Backup and restore procedures are tested periodically to help verify that Customer Data can be recovered in accordance with Notion’s internal standards.