
This tool is not currently part of our weekly active audit cycle

You are viewing historical data. We actively monitor only the top 20 enterprise AI tools. If you need a fresh, up-to-date risk intelligence report for Notion, let us know and we'll prioritize it.

01 Trust Score

Notion

Week 2026-W17 · 26 Apr 2026 · Vendor-Neutral
Trust Score: 60/100 (Mixed Signals), ↑ 10 vs 2026-W16
Rating: 3.3/5 (2822)
AUDITOR SUMMARY
Strength: Notion offers a highly flexible, AI-integrated workspace for consolidating project management, knowledge bases, and CRM, enhancing productivity through automation and centralized information.
Trust Score: 60/100 (Conditional)
Est. Annual Cost: $35,272/year for 100 users
Top Risk: Data Privacy (Medium); Overall risk: High
Priority Action: Critical Unpatched Vulnerability: Notion Web Clipper Dirty NIB Attack

Verified Compliance Facts

Cited and timestamped — every claim traceable to an official vendor source.

Data Processing Addendum: source cited; checked Apr 28, 2026 (Registry)
GDPR: Unknown; source cited; checked Apr 28, 2026 (Registry)
HIPAA: Not yet verified; no citation; checked Apr 28, 2026 (Pending)
ISO/IEC 27001: Unknown; source cited; checked Apr 28, 2026 (Registry)
SOC 2: Unknown; source cited; checked Apr 28, 2026 (Registry)

Enterprise Verdict

Conditional Approval
Risk: High (50 sources)
Key Strength

Detailed community analysis available in report body

Priority Action

Critical Unpatched Vulnerability: Notion Web Clipper Dirty NIB Attack

This report updates every week. Weekly AI vendor intelligence — trust scores, contract red flags, competitive shifts.
02 Top Risks

Risk Assessment

Seven-category enterprise risk analysis derived from community and vendor signals. Each card shows the evidence tier and the underlying finding.

Medium: Data Privacy (Community Data)

Medium risk — DPA available but specific data handling clauses need review. Derived from aggregated community data.

Medium: Compliance Posture (No Public Data)

Organizations should verify directly with the vendor.

Medium: Reliability (Community Data)

Medium risk — limited reliability data; monitor SLA adherence. Derived from aggregated community data.

Medium: Vendor Lock-in (Community Data)

Medium risk — some export options exist but depend on vendor cooperation. Derived from aggregated community data.

Medium: AI Transparency (Community Data)

Medium risk — some AI governance signals found but not fully verified. Derived from aggregated community data.

High: Cost Predictability (Community Data)

Vendor financial stability score: 65/100. Total funding raised: $343M. Enterprises should negotiate fixed-rate contracts and monitor pricing changes.

Evidence tiers: Verified — Confirmed by vendor documentation. Community — Derived from community reports.

Due Diligence Alerts

Priority reviews, recommended inquiries, and verified strengths — based on 218+ community data points

Recommended Inquiry (Critical): Critical Unpatched Vulnerability: Notion Web Clipper Dirty NIB Attack

CVE-2024-23745 (CVSS 9.8) indicates a critical vulnerability in Notion Web Clipper 1.0.3(7) susceptible to the Dirty NIB attack, allowing arbitrary command execution. This poses a severe risk to endpoint security.

Recommended Inquiry (Critical): Critical Unpatched Vulnerability: drf-jwt Token Refresh Bypass

CVE-2020-10594 (CVSS 9.1) highlights a critical issue in drf-jwt 1.15.x, allowing attackers with invalidated tokens to obtain new, working tokens via the refresh endpoint, bypassing blacklist protection.

Recommended Inquiry (High): AI Training Data Policy Not Explicitly Disclosed in ToS

The vendor's public documentation does not explicitly state whether customer data is excluded from AI model training for non-Enterprise plans, requiring a written opt-out DPA.

Recommended Inquiry (High): Opaque Data Lifecycle and Deletion Commitments

Notion's terms lack specific data retention timeframes and automated deletion commitments, posing a significant compliance risk for GDPR/CCPA regulated entities.

Recommended Inquiry (High): Mobile Application Widespread Instability and Data Loss Reports

Community reports indicate persistent mobile app glitches, crashes, and instances of data loss, severely impacting user experience and data integrity on mobile devices.

03 Security & Compliance

SOC 2 ✓ Certified
ISO 27001 ✓ Certified
GDPR ⏳ In Progress
HIPAA ✓ BAA

Data Security

Encryption (At Rest): Not publicly specified
Encryption (In Transit): Not publicly specified

Security Features

SSO SAML 2.0
Audit Logs 90 days
Vulnerability Disclosure

IT Hardening Guide

Critical Settings

SAML SSO Enforcement (medium)
Mandate SAML SSO for all users to centralize identity management and enforce corporate access policies. This removes the risk of locally managed passwords.
Granular Database Permissions (medium)
Configure database-level permissions to limit access to rows where a collaborator is assigned, ensuring least-privilege access for sensitive data.
Private Teamspaces (medium)
Use private teamspaces for sensitive information such as company planning or performance reviews, restricting visibility and discovery to authorized members only.
Domain Verification (medium)
Claim your company domain to manage who can create Notion workspaces using it, preventing unauthorized data sprawl and shadow IT.


Enterprise Contract Intelligence

DPA availability, data residency, and contract risk signals for procurement teams

Data Processing Agreement: Available

Notion provides a Data Processing Addendum (DPA) that outlines its data privacy processes and compliance with GDPR and CCPA. However, specific details regarding AI training data opt-out for non-Enterprise plans and explicit data retention timelines require further clarification and negotiation.

Data Residency: Customer-Controlled
Default: US (inferred from headquarters and primary market)
Regions: US, EU

Notion offers data residency options for US and EU regions, which is critical for compliance with regional data protection laws. While EU hosting is available, the default region is inferred to be the US. Customers should verify their specific data residency requirements and ensure proper configuration to meet compliance obligations, especially concerning cross-border data transfers.

Contract Risk: High Lock-in (75/100)
Auto-renewal: Yes ⚠
Unilateral change right: Yes ⚠
Data export on exit: No ⚠
Notice: 30 days
5 contract risk flags:
  • Unilateral ToS changes without explicit notice (inferred from general SaaS terms).
  • Vendor right to use submitted content for training without explicit opt-out (inferred from undisclosed policy).
  • Broad IP license grant to vendor over outputs (inferred from unclear IP ownership).
  • No explicit liability for data breaches (inferred from undisclosed liability caps).
  • No data portability guarantee on exit (inferred from opaque data export terms).

Notion's contract terms present a high lock-in risk. Key areas warranting further due diligence include inferred unilateral ToS change rights, potential vendor use of data for AI training without explicit opt-out, and a lack of clear data portability guarantees on exit. These clauses significantly increase legal exposure and switching costs for enterprise customers. A thorough legal review and negotiation of custom terms are essential.

04 Community Signals

Community Evidence

Sentiment analysis and recurring issues from developer & enterprise community signals this week.

Recurring Issues

Pass --no-sandbox to Puppeteer in sync-notion-pdf (Community; 1 mention; low; trend: Stable)

Enterprise Impact: Reported by community on GitHub with 1 comment.

Sources: GitHub

Remove Notion banner and flag embedded CSV on VC list page (Community; 1 mention; low; trend: Stable)

Enterprise Impact: Reported by community on GitHub with 1 comment.

Sources: GitHub

fix(notion-embed): adjust YouTube card/text/card rendering to match Notion style (Community; 1 mention; low; trend: Stable)

Enterprise Impact: Reported by community on GitHub with 1 comment.

Sources: GitHub

Sprint 10c Slice 1: Workspace pages (Notion-style hierarchy + Markdown) (Community; 1 mention; low; trend: Stable)

Enterprise Impact: Reported by community on GitHub with 1 comment.

Sources: GitHub

An AI agent deleted our production database. The agent's confession is below (Community; low; trend: Stable)

Enterprise Impact: Discussed on Hacker News.

Sources: HN

I spent 6 years building my Kanban as I hated how managers run the boards (Community; low; trend: Stable)

Enterprise Impact: Discussed on Hacker News.

Sources: HN

Source Highlights This Week

Specific signals from GitHub, Hacker News, and Reddit — what the community is actually saying


Analysis Pending

Community signals collected this week. Analysis and synthesis will be available in the next report update.

05 Financial Impact

Financial Impact Panel

Cost intelligence and pricing signals for enterprise procurement decisions

Free

$0
1 user
  • Trial AI capabilities
  • Basic forms
  • Publish Notion page to web

Plus

$10.26
Per member
  • Everything in Free
  • Remove Notion branding
  • Custom forms
  • Unlimited charts
  • Unlimited collaborative blocks
  • Unlimited file uploads

Business

$21.06
Per member
  • Everything in Plus
  • Notion Agent
  • AI Meeting Notes
  • Enterprise Search Beta
  • SAML SSO
  • Granular database permissions
  • Private teamspaces
  • Domain verification

Enterprise

Contact Sales
Custom
  • Everything in Business
  • Zero data retention with LLM providers
  • User provisioning (SCIM)
  • Advanced security & controls
  • Audit log
  • Customer success manager
  • Security & Compliance integrations (DLP, SIEM)
  • Domain management
  • Custom Agents

Pricing is tiered, with significant enterprise features (SSO, audit logs, zero data retention) locked behind Business and Enterprise plans. The 'Plus' tier is €9.50/member/month, which converts to approximately $10.26 USD. The 'Business' tier is €19.50/member/month, converting to approximately $21.06 USD. Custom Agents incur additional costs based on credit consumption, which can be unpredictable. The lack of transparent enterprise API rate limits could lead to unexpected costs.

Pricing data from public sources — enterprise rates differ. Verify with vendor.


Synthesized from 20+ independent public sources: developer forums & repositories, security databases, vendor disclosures, regulatory filings, and community review platforms. Not affiliated with any vendor.
