<aside> 💡

Dear Notion customer,

Thank you for considering Notion as your connected workspace platform. At Notion we have found that many of our customers have the same questions and concerns when reviewing Notion’s customer agreement. As we are big believers in always being as transparent as possible with our customers, we have prepared this FAQ to help explain how our service works and why the terms that govern its use are constructed in the way that they are.

This FAQ document is for informational purposes only and does not form part of any contract between you or your organization and Notion.

</aside>

What is Notion’s governing contract structure for the Notion Services?

Notion’s standard customer agreement consists of the following:

  1. The Order Form, which sets the commercial terms (price, seats, Notion Credits, subscription length, subscription plan, etc.) for your specific subscription to the Notion Services.
  2. The Master Subscription Agreement, which contains the legal terms and conditions that govern our overall relationship, including confidentiality, terms of use, security, data processing (including DPA), liability, and indemnification.
  3. Any Supplementary Terms applicable to certain features or functionality of the Notion Services.
  4. Professional Services Addendum, which contains the legal terms applicable to any Statement of Work you may enter into for professional services from Notion (such as configuration assistance or data migration technical guidance).

Will Notion accept my company’s form agreement instead of Notion’s?

The Notion MSA is purposefully drafted and tailored to describe exactly how we provide, support and maintain the Notion platform, which is a cloud-based (software-as-a-service) platform that serves all customers, large and small, globally. Because Notion is a standardized cloud-based SaaS platform, we cannot adopt customer-specific operational, privacy, security, or remedial processes or requirements that conflict with how the Notion platform is provided across our global customer base.

Our standard agreement is drafted to be balanced, fair, and reflective of industry-standard SaaS terms. This allows us to move customers through procurement quickly without bespoke, protracted negotiations over terms that do not align with the service they are actually purchasing, allowing customers to get up and running faster.

We are happy to answer any questions that our customers might have about the MSA and the unique features and functionality of the Notion platform, but we are unable to accept customers’ form of agreement.

Ok, but do I retain ownership of my data and is it protected?

Yes. As between Notion and a customer, a customer retains all ownership rights in its Customer Data, including Notion AI inputs and outputs (we also use the term “User Content” in some policies to refer to the same thing). Notion only requires a license to your Customer Data to be able to provide the Notion platform, ensure proper operation of it, and to perform Notion’s obligations under the MSA. Notion processes Customer Data that is personal data as a data “processor,” which means we only use such data pursuant to the instructions you provide, as further described in the DPA. In other words, we do not use your workspace data for any purposes that are not mentioned in the MSA and DPA.

What are Notion’s data processing and security obligations, and will Notion agree to our data processing and security requirements?

Our Data Processing Addendum (DPA), which is incorporated by reference into the MSA, describes exactly how Notion processes any Customer Personal Data that you upload to your workspace. For example, the DPA details how Notion handles notifications, audits, data transfers, and sub-processing activities in compliance with applicable data privacy legislation, including the GDPR, UK Data Protection Act and the CCPA/CPRA. Our subprocessor list can be found here.

Our Security Standards, also incorporated into the MSA, outline the technical measures that we take to safeguard your workspace. For example, we use AES-256 encryption for Customer Data at rest and TLS 1.2 or greater for Customer Data in transit. We also host Customer Data within AWS, leveraging AWS’s physical security and redundancy. We are also happy to make available our SOC 2 Type II report, among other generally available security and compliance documentation, which can be found at https://trustcenter.notion.com (requires an NDA).

Notion’s one-to-many cloud model means that every customer is subject to the same privacy and security protections. Since we deploy the same security and data privacy program for all of Notion’s customers, we cannot adopt customer-specific security programs, controls, obligations, and notification frameworks that differ from our standard model. Likewise, while Notion does offer advanced security controls for different subscription plans, we are unable to provide customer-specific security standards as the Notion Services are not constructed to accommodate customization on a per-customer basis.

Do you train any ML/AI models on my Customer Data?

Customers are right to be wary of AI systems using their data for training purposes, which risks both data leakage (your information surfacing in another customer’s output) and misappropriation of your proprietary information. By default, Notion does not, and does not allow any third parties (including its AI service providers) to, use Customer Data (including inputs and outputs) to train any artificial intelligence or machine learning models. We make this commitment in our Notion AI and Notion Credit Supplementary Terms.

Members vs Guests