Why should you be careful about Notion security?
With over 30 million users by 2023, including 4 million paying users, Notion is widely used, especially in the startup world.
Indeed, Notion has created all the ideal features for an all-in-one workspace that allows users to organise their notes, tasks, projects, databases, wikis and more in one place.
It is designed to be a flexible and customisable tool that can be tailored to the needs of individuals, teams and organisations.
As a result, companies bring all their documentation together in one tool, where all members can collaborate and exchange.
The concentration of very important business information within a SaaS application attracts the attention and concern of many security teams, and rightly so, as they have very little control over what goes on inside.
Trout Software will guide you on how to secure and control Notion to ensure the safety of your business’ critical data.
Is Notion secure?
Given the volume and criticality of the data held in Notion, a legitimate question arises: how secure is Notion?
Notion has put several measures in place to give its users the most secure experience possible:
Secure, reliable infrastructure
Notion uses Amazon Web Services (AWS) data centres to host user data to ensure maximum security. “We run 100% on the cloud using AWS (US-West) within a virtual private network that cannot be accessed via the public internet, except via our public-facing proxy servers.”
Committed to compliance
Notion meets the GDPR standard and publishes the details on its website: the Data Processing Addendum, data portability and management tools, data transfers, and the list of subprocessors.
Within the framework of these certifications, Notion has put in place internal training and awareness policies on the subjects of information security and data confidentiality. The company also has risk management policies in place with their suppliers to ensure that they themselves comply with applicable regulations.
Why don’t these measures make Notion fully safe and secure?
No End-to-end encryption
With end-to-end encryption, no one, not even Google or a third-party organisation, can read your data while it is transferred from one system or device to another.
Notion does not have this measure in place because it is very complex and makes certain features hard to provide. One of Notion's core value propositions is real-time collaboration, which would be much more difficult, and at the very least slower, with end-to-end encryption of the data.
Risks can come from employees
Employees can unintentionally cause data security damage when using Notion:
Sharing sensitive information: Notion allows users to share pages or databases with others, which could lead to accidental sharing of sensitive information with unauthorised people.
Lack of control: within the tool, users can create pages and databases without the supervision or approval of IT or security teams, which could lead to the creation of insecure or non-compliant data storage structures (particularly in relation to the GDPR standard).
Risks of misconfigurations
Notion workspace configuration is often underestimated, yet configuration problems can lead to significant security problems:
Improper permissions: the all-in-one workspace and productivity tool allows users to set permissions for pages and databases, but misconfigured permissions can result in unauthorised access to sensitive information.
Insecure integrations: Notion integrates with several third-party tools, such as Slack and Google Drive, but misconfigured integrations can result in data leakage or unauthorised access.
Lack of monitoring: Notion has several features that can be used to monitor user activity and detect suspicious behaviour, but if these features are not properly enabled or configured, suspicious behaviour could go unnoticed.
Moreover, Notion is not a tool designed for activity monitoring, so the functionalities offered are minimal and often insufficient.
How to secure your Notion?
1 / Set up the access and permissions of users
Since your Notion environment contains all of your company's information, not all users need to access 100% of the data.
It is also a security issue: it would be inappropriate and dangerous for a trainee to have access to all of the company's financial data or strategy, for example.
You should therefore grant separate access to parts of Notion depending on each person's tasks and status.
You can also create groups, for example by department, and manage access by group rather than by person, which is often more efficient.
Below is a tutorial by Notion that explains step by step how to set up permissions in your workspace:
2 / Monitor Notion Users
Monitoring your Notion users is important in order to detect unauthorised access attempts and newly created users, and to take appropriate action.
To do so, you can perform a manual check every week or month.
Are you telling me to add one more manual task to my to-do list ?🤯
At Trout Software we have created a playbook that allows you to monitor all your Notion users ✨AUTOMATICALLY✨
This playbook will list all your users in your Notion workspace.
Either correlate the list of users with your OAuth provider, or maintain a list of known users and receive an alert when a new user appears.
You can do it in 5 key steps within Security Hub:
A / Connect your Notion to Security Hub
In order to connect you just have to fill in the required information in our Notion connector which will automatically import your Notion data into a Playbook.
B / Create your playbook
Once your data is imported, you will be able to make pivots to create the rule.
Once the rule is created, you will have to automate the control.
C / Schedule your playbook
After configuring your playbook, you need to schedule it in order to automate the controls. To do so, go to the Security Hub scheduler, select the playbook you just created and program the control. Several parameters must be set: the date of the first control, the number of repetitions of the control and the time between each control. Once this is done, click on "Schedule". You will then see the results of your checks in the scheduler: each green bar means the check passed, a red bar means the opposite.
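For readers who want the same user inventory outside Security Hub, here is an added Python example (not Trout Software's playbook nor Notion's own code) that lists workspace members through Notion's public users API, pages through the results, and reports anyone not on an approved e-mail list, plus every bot integration, so both can be reviewed. The endpoint, headers and response fields are the documented public API; the sample response and the approved list are constructed for the example.

```python
import json
import urllib.request

NOTION_VERSION = "2022-06-28"  # Notion-Version header this example targets

def fetch_notion_users(token):
    """Page through GET /v1/users and return every user object in the workspace.
    The integration token needs the 'read user information' capability,
    otherwise Notion omits person e-mails from the response."""
    users, cursor = [], None
    while True:
        url = "https://api.notion.com/v1/users?page_size=100"
        if cursor:
            url += "&start_cursor=" + cursor
        req = urllib.request.Request(url, headers={
            "Authorization": "Bearer " + token, "Notion-Version": NOTION_VERSION})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        users.extend(page["results"])
        if not page.get("has_more"):
            return users
        cursor = page["next_cursor"]

def audit_users(users, known_emails):
    """Return (unexpected_people, bot_integrations). A person is unexpected when
    the e-mail is missing (it cannot be verified) or not on the approved list;
    every bot is listed so that new integrations get reviewed as well."""
    approved = {e.lower() for e in known_emails}
    unexpected, bots = [], []
    for user in users:
        if user.get("type") == "bot":
            bots.append(user.get("name") or user["id"])
            continue
        email = (user.get("person") or {}).get("email")
        if not email or email.lower() not in approved:
            unexpected.append(user.get("name") or user["id"])
    return unexpected, bots

# Constructed sample shaped like a /v1/users response (not real data).
SAMPLE_RESPONSE = {"object": "list", "has_more": False, "next_cursor": None, "results": [
    {"object": "user", "id": "u-1", "type": "person", "name": "Alice", "person": {"email": "Alice@example.com"}},
    {"object": "user", "id": "u-2", "type": "person", "name": "Mallory", "person": {"email": "mallory@example.net"}},
    {"object": "user", "id": "u-3", "type": "person", "name": "Carol", "person": {}},
    {"object": "user", "id": "u-4", "type": "bot", "name": "Slack sync", "bot": {}},
]}
# Constructed approved list, e.g. exported from your identity provider.
KNOWN_EMAILS = {"alice@example.com", "bob@example.com"}

if __name__ == "__main__":  # replace SAMPLE_RESPONSE["results"] with fetch_notion_users(token)
    print(audit_users(SAMPLE_RESPONSE["results"], KNOWN_EMAILS))
```

Feed the returned lists to whatever alerting you already use, and re-run the script on a schedule so a new member or integration is caught on the next run.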
3 / Specify in the company's security policy which data must not be stored in Notion
As you can see, the productivity tool meets industry security standards but is not 100% secure. It is therefore better to be preventive on your side and avoid storing highly sensitive data inside the tool.
To do this, write down in your security policy the data you do not want employees to store in Notion.
We advise you not to store financial data, passwords and banking data inside Notion.
To store this data, we encourage you to find alternative solutions. For example, for password management of common tools used by your team you can use more secure tools like LastPass.
4 / Set up 2FA
We strongly recommend that you set up two-factor authentication on Notion, as it can only increase the security of your data.
Since 25 April 2023, and following numerous requests from users, Notion has implemented double authentication directly in the software.
To set it up go to the "My account" tab, then click on "2-step verification" and follow the instructions given by Notion.
Notion also makes double authentication via Google possible, if you prefer.
5 / Perform regular backups
More and more, especially in the startup world, Notion has become the company's real wiki, centralising all of its knowledge. Being a real gold mine of information, it is necessary to protect yourself against potential inadvertent data deletion. For this, Notion keeps a backup of your data that allows it to restore any page written in the last 30 days.
In addition, we recommend that you make regular backups of your data so that you have them in-house and are not dependent on a third party.
Then think about where to store these backups, for example in the cloud.
Frequently Asked Questions:
Can Notion employees read your data?
Notion employees can only access your data after receiving a request for help from you, either by email or via in-app support. If you request help from Notion staff, you must give them access to your data via your settings. Outside of such a request, make sure that this setting is not activated.
Should we ban Notion from our SaaS stack?
Notion is a very powerful collaborative tool that should not be banned from your tool stack. You just need to use it knowingly, put in place as many security measures as possible to raise the security level of your workspace, and use a tool like Trout Software to monitor it, especially on the question of access management.
How does Notion compare to other apps?
If we compare Notion with some of its competitors on the security aspect, here is what we can take away:
Roam Research: no end-to-end encryption, but it is possible to encrypt specific texts or blocks.
Evernote: no end-to-end encryption; you have to manually select the text you want to encrypt.
Secure Note: end-to-end encryption.
Apple Notes: no end-to-end encryption.
What data is included in the Notion logs?
According to Security.org, the data included in the Notion logs are the following: name, email address, password, role on team, profile photo, payment information, information entered into interactive features on the site, IP address, user settings, cookies, mobile carrier, mobile advertising, browser, operating system, location information, Internet service provider, referring links, and pixel tags.
Want to learn more about cybersecurity?
You can read our other blog posts such as: