Shared Responsibilities Model

Notion is a single space where you can think, write, and plan. As an all-in-one space that allows users to build their own tools for doing their best work, users entrust Notion with professional and personal information.

A Shared Responsibilities Model (SRM) is a framework that outlines the division of responsibilities between a service provider (e.g., Notion) and its users. It clearly defines which security and operational tasks are handled by each party.

This document outlines the responsibilities that Notion and Notion users (Users) share in protecting & maintaining the security of Notion, Notion’s systems, Notion’s user accounts, and Notion’s workspaces.

The Notion SRM provides clarity both for Notion and its users on which party is responsible for each type of security. This allows Notion to focus on, and take responsibility for, areas where we can best support the security of Notion’s systems, while demonstrating where Notion users are better suited to secure their accounts. Overall this will enhance security & efficiency in protecting Notion systems and accounts.

Additionally, the SRM promotes transparency in how Notion services are delivered, and who is responsible for maintaining access to which Notion systems. This also ensures Notion and its users maintain compliance with applicable local, regional, national, and international regulations.

In short: Notion is responsible for maintaining, upgrading, and protecting the systems which underpin Notion, while Notion users are responsible for protecting their account access credentials, managing workspace access for members & guests, and adhering to the Content & Use policy and other relevant Terms.

Notion is responsible for maintaining and upgrading its systems, including Notion’s servers, software, and corporate hardware. Notion is also responsible for protecting access to its core systems, and ensuring the security of its data. It is also Notion’s responsibility to implement and manage network security across its systems.

Users are responsible for protecting their login credentials, and restricting access to Notion workspaces to known & trusted collaborators. Users are expected to adhere to Notion’s policies regarding data storage and management, including by only storing appropriate materials in Notion, and maintaining data in-product securely. Additionally, Users are expected to comply with Notion’s Terms and other relevant policies at all times.

Users have the ability to implement granular permissions for shared content, in addition to general account access. Users are expected to regularly review and update access permissions across their workspaces. Users who choose to access Notion with a password are expected to use strong, unique passwords to access the services and avoid credential proliferation through re-use on other services. Users should also update login credentials in accordance with their own internal policies and as relevant when external login credential breaches are discovered.

We expect Users not to share login information with other Users or interested parties. Where possible, Users are strongly encouraged to implement two-factor authentication methods to further secure their accounts. Users are expected to maintain individual accounts, not shared accounts. Users may manage team member access to grant additional collaborators access to relevant pages and workspaces, and are able to granularly manage permissions to ensure proper access is granted to each member.

Users are also expected to monitor member activity act appropriately upon discovering suspicious activity, including revoking unauthorized or outdated user sessions (available via Enterprise plan). When a User’s team member is departing their team or workspace, Users are expected to revoke access for that member and all associated accounts.

Users are expected to use Notion's systems responsibly and within their intended capacity. This includes avoiding actions that could overload or strain system resources. Users must not attempt to circumvent or test system limitations or security measures. If Users become aware of potential security vulnerabilities or witness system misuse, they should promptly report these incidents to Notion.

Users are responsible for maintaining proper data management practices, including creating regular backups of important information, following established data retention policies, and ensuring the timely and secure deletion of sensitive information when it is no longer required. Users are expected to submit complete and accurate Account Data to Notion. If a User discovers that incorrect data has been submitted, they are expected to promptly correct the information submitted.

By adhering to this Shared Responsibilities Model, both Notion and its users contribute to a secure, efficient, and productive workspace environment.