Notion Enterprise security provisions

Your wikis, docs, and projects live side by side in Notion, a connected workspace where all teams can collaborate and track work.

Since Notion is the hub for your most valuable intellectual property, you need to know that your data is secure and all the necessary protections are in place to make sure you operate in compliance.

In this guide, you’ll learn how Notion’s security and compliance features for Enterprise plans allow you to have complete enterprise-grade experience and keep your company data safe.

Workspace owners have full control over the Notion workspace security settings, which you can find in the Security tab in your workspace settings.

To secure your workspace, you can make use of the following settings:

• Disable public page sharing — this will disable the Share to web option in the Share menu on every page in this workspace.

• Disable guests — this prevents anyone from inviting people outside the workspace to any page. However, even with “Disable guests” turned on for the workspace, workspace owners can enable members to send guest invite requests to provide more granular access for external collaborators or guests.

• Disable moving or duplicating pages to other workspaces — this prevents data from leaving the workspace via the Move to or Duplicate actions.

• Disable export — this prevents anyone from exporting page and database content as PDF, HTML, Markdown & CSV.

Disabling all these options will put the tightest lockdown on your content and prevent your content from being shared, downloaded or moved out of the workspace.

For more information on admin controls and user management, check out our Enterprise Guide.

You can build wikis, organize documentation, take meeting notes, manage tasks and projects, and more in Notion.

This means your workspace likely contains sensitive information, like company and employee info in your wikis, client information in docs and meeting notes, and intellectual property in your project management.

You’ll need to protect that information regardless of what industry you’re in, but it’s even more vital if your company is in a regulated industry such as healthcare or e-commerce.

That’s why we have pre-built integrations with selected SIEM and DLP security and compliance partners so you can confidently store your data in Notion.

SIEM (Security Information and Event Management) combines SIM (security information management) + SEM (security event management) into one system that helps organizations detect, analyze, and respond to security threats.

SIEM integrations collect event log data from various sources, identify unusual activity in real time, and allow configurable, off-the-shelf alerts, reports, and dashboards. By integrating a SIEM solution with Notion, you can bring Notion audit log information into a shared platform where you monitor the rest of your SaaS apps for better analysis, searches, and correlations.

Without a SIEM solution, workspace owners are limited to manually auditing activity for suspicious behavior in the workspace and risk that this activity goes unnoticed.

Integrating with a SIEM solution allows you to configure alerts on unusual activity, provide reports, and build dashboards to support incident investigation. These tools enable automated alerts, but do not trigger automated actions in Notion.

Notion integrates with Splunk, SumoLogic, Panther, and Datadog.

Data Loss Protection (DLP) tools prevent users from storing sensitive data in unauthorized platforms or with unauthorized external or internal audiences. These tools use libraries of patterns to identify different types of sensitive data and personally identifiable information (PII).

DLP integrations detect the use of sensitive data and take automated action to remediate data breaches quickly — this could be by alerting workspace owners, redacting content, or restricting page access.

Without a DLP integration, Workspace owners don’t have a way to quickly detect the creation or overexposure of sensitive content in their Notion workspace and take action to resolve it. The result is that sensitive content can be created and goes unnoticed. Or, sensitive content can be overexposed if an employee shares it with guests or publishes it to the web.

When you integrate a DLP solution in Notion, you can identify different types of sensitive information stored in Notion and take action to remove them.

Notion will be classified and tagged by DLP tools using natural language processing. So, for example, it can recognize sensitive customer information like credit card numbers, Personal Health Information (PHI), secret codes such as passwords and API keys.

You can create alerts to notify workspace owners about sensitive content and trigger automated actions to redact sensitive content from the workspace immediately to help reduce the time of overexposure with manual intervention.

You can also alert workspace owners if content is published to the web or shared externally with guests, and set up automated actions that restrict page permissions to prevent data leaks with unauthorized audiences.

Notion integrates with DLP tools Nightfall AI and Polymer (coming soon).

Using these integrations, Workspace owners can manage and monitor Notion in their centralized DLP/SIEM platforms along with all the other tools your company uses.

On Notion’s Enterprise plan, Workspace owners can access additional data and reporting to get deeper insights into how team members interact with content and use the workspace overall.

Here are some of the most impactful data and reporting features currently in Notion Enterprise:

Enterprise Workspace owners can export a list of all members under Settings & members > Settings > Export Members as CSV. This CSV export will contain a list of all members in the workspace, including their name, email address, role, what groups they belong to, and their unique Notion user ID.

To help with legal and compliance backups, Enterprise workspace owners can export the workspace in multiple file formats, including CSV, Markdown & PDF. Go to Setting & members > Settings > Export all workspace content. An email from Notion will be sent with a link to download the file(s). The link will expire after 7 days.

Enterprise workspace owners have access to an Audit Log (under Settings & members) which gives an overview of a large range of events that have occurred in the workspace. This can be especially helpful for identifying potential security issues, investigating suspicious behavior, and troubleshooting access.

You can drill down using the filter options and export all Audit Log events as a CSV file for a given date range for additional analyses.

Content search provides Enterprise workspace owners with visibility into workspace content to improve governance of the workspace and resolve page access issues:

• View who has access to a page

• Modify the permissions of a page

• Discover and re-assign abandoned pages from former employees (including private pages)

Within Content Search, you can search for a page by its title or ID. Alternatively, if you don’t know a page’s title or ID, you can use the built-in filters to narrow your results. In addition to the sharing settings (Private, Shared Internally, Shared Externally, Shared to the Web), you can also see:

• Page creator and creation date

• Last edited by and edited date

• With whom the page was shared

• Page location (i.e., teamspace)

For our customers with stricter regulations around content shared externally, you can filter to see all pages shared externally (with guest access) and pages shared to the web. This provides a comprehensive birds-eye-view of all pages so workspace owners can govern their workspaces more effectively.

As a workspace owner, there may be some cases where help is needed with page permissions on a restricted page or a page that’s been shared inappropriately. For these cases, in the page view under Content Search, you will see the option to Change permissions in the ... menu to the right of each page.

All content on a Notion Enterprise workspace is owned by your company. You can share this article with your employees if they have questions about what data is accessible to Enterprise workspace owners when using a verified domain on Notion.

Notion maintains a comprehensive security and privacy program designed to protect your data in accordance with various regulatory and industry standards.

Notion’s certifications include:

• SOC2

• SOC3

• ISO27001

To support our customers that are subject to HIPAA, Notion has also completed the HIPAA compliance audit so that you may process PHI within your Enterprise workspace, provided that you enable the security features described in our Help Center article and sign Notion’s Business Associate Agreement (BAA).

As Notion continues to build an AI-connected workspace, our customer’s security and compliance needs are an integral part of our product strategy. Notion does not use your Customer Data or permit others to use your Customer Data to train the machine learning models used to provide the Notion AI Writing Suite. Your use of the Notion AI Writing Suite does not grant Notion any right or license to your Customer Data to train our machine learning models. For more information, see our FAQs.

If you’re ready to complete your Notion Security Review, follow these steps:

1. Head over to our Whistic Portal where you can review all of Notion’s security practices, protocols, and tooling, including our audit reports, certifications, penetration testing results, and security questionnaires.

2. Read our Security and Privacy policies and Security practices to understand how Notion will protect your data.

3. Reach out to our Sales team to evaluate Notion’s Enterprise plan and work through your security requirements, or inquire about our BAA.