
Standard Notes

E2E encrypted note-taking with zero-knowledge sync across devices.

Writing & notes
Open source
Strong
https://standardnotes.com
Reviewed 2026-04-02
Editorial assessment by Mike Schneider — based on public security research and audits

What should journalists know about Standard Notes?

Standard Notes does one thing well: encrypted notes that sync everywhere. The free tier is genuinely useful — unlimited notes, unlimited devices, E2E encryption, no catch. Your notes are encrypted client-side before leaving your device using XChaCha20-Poly1305, a modern cipher recommended by Cloudflare and Google as the successor to AES-256. Keys derive from your password via Argon2, which is resistant to GPU brute-force attacks.

Proton AG acquired Standard Notes in April 2024 (not 2022 as sometimes reported — the partnership was announced in 2022, formal acquisition closed April 2024). That strengthens the privacy alignment: Proton has a track record of fighting government data requests from Switzerland.

The app is deliberately simple, which is a feature for security-conscious users. But the free tier's plaintext-only limitation is a real constraint — no formatting, no images, no markdown without paying $90/year. Obsidian gives you local-first markdown for free (no E2E sync though). Joplin gives you E2E sync with your own cloud storage for free. Standard Notes' advantage is that encryption is default, zero-config, and audited. Freedom of the Press Foundation lists Standard Notes among its five recommended secure note-taking apps for journalists.

The Super editor (paid) is a capable block-based editor, but it still lags behind Obsidian's plugin ecosystem by a wide margin. Development velocity slowed significantly after the Proton acquisition — no iOS releases for 9+ months in 2024-2025 — but the team shipped incremental fixes throughout 2025 and published a roadmap. Worth watching, not abandoning.

Best for

Encrypted interview notes and source materials. Story drafts that must stay private. Journalists who want zero-knowledge sync without configuring their own server. Quick capture across phone and laptop with encryption by default.

Not for

Collaborative editing (no shared documents, no real-time co-authoring). Rich multimedia notebooks on the free tier (plaintext only). Plugin-heavy knowledge management workflows (Obsidian is better). Users who want local-only storage with no cloud dependency (Obsidian again). Teams that need shared workspaces.

Security & Privacy

Encryption in transit: Yes
Data is scrambled while being sent to their servers.

Encryption at rest: Yes
Data is scrambled when stored on their servers.

Data jurisdiction: Servers in the US and EU. Owned by Proton AG (Geneva, Switzerland) since April 2024. All note content is E2E encrypted client-side before upload — Standard Notes and Proton cannot read your notes regardless of server location or jurisdiction. Self-hosting is available via Docker for users who want full server control (AGPL-3.0 licensed, though Proton has signaled a potential future license change to Creative Commons non-commercial).
Where servers are located — affects which governments can request your data.

Security rating: Strong

Privacy policy summary

Zero-knowledge encryption. Standard Notes cannot access note content, tags, or file attachments. Only account metadata (email, subscription status) is stored in readable form. No analytics in the app. No ads. No tracking. Proton's Swiss jurisdiction provides strong legal privacy protections — Switzerland's Federal Act on Data Protection (FADP) is among the strictest in Europe.

How to protect yourself:

Use a strong, unique account password — it directly derives your encryption keys. If you forget it, your notes are unrecoverable by design. Enable two-factor authentication (TOTP). Export encrypted backups regularly (paid plans include daily encrypted email backups). Use the passcode lock feature for on-device protection (separate from account password). On mobile, enable biometric unlock but understand it stores a local key — if your device is seized unlocked, notes are accessible. For maximum protection, use a self-hosted server instance.

Open-source clients and server (AGPL-3.0), E2E encryption with XChaCha20-Poly1305 and Argon2 key derivation, zero-knowledge architecture, independent audits by Cure53 (penetration test) and Trail of Bits (cryptography audit) in 2021 with all findings resolved. Proton ownership adds organizational credibility — Swiss jurisdiction, track record of resisting government data requests. Freedom of the Press Foundation recommends it for journalists. No business incentive to weaken encryption. Rating would be higher if audits were more recent and development velocity were stronger post-acquisition.

Who Owns This

Owner: Proton AG (Geneva, Switzerland). Acquired Standard Notes in April 2024. Proton is a private company founded in 2014 by CERN scientists. Also operates Proton Mail, Proton VPN, Proton Drive, and Proton Calendar. Standard Notes was originally created by Mo Bitar in 2017.

Funding: Part of the Proton ecosystem. Proton has raised $100M+ (including a 2022 round led by Fidelity), but Standard Notes was bootstrapped and self-sustaining before acquisition. Proton is not VC-dependent — revenue-positive across its product suite.

Business model: Freemium SaaS. Free tier with unlimited encrypted plaintext notes. Revenue from Productivity ($90/year) and Professional ($120/year) plans that add rich text editors, file storage, and advanced features. Standard Notes maintains its own pricing and subscription separate from Proton's bundle offerings. No affiliate programs, no advertising, no data monetization.

Known issues

Development velocity concern: After the April 2024 Proton acquisition, releases slowed dramatically. No iOS update for 9+ months. A GitHub issue titled 'Is the project dead?' gained traction in the community. The team responded with a 2025 roadmap and shipped incremental updates, but the cadence remains slower than pre-acquisition.

Licensing uncertainty: Standard Notes server code is AGPL-3.0, but Proton has discussed changing to a Creative Commons non-commercial license, which would restrict self-hosting for commercial use and weaken the open-source commitment.

Super editor bugs: Users report undo (CTRL-Z) failures on Linux, tables jumping to document top, formatting inconsistencies between desktop and mobile, and paste issues from Google Docs (bold always applied).

Import problems: Markdown imports can fragment tables and produce random HTML artifacts.

Free tier limitation: Plaintext only — no formatting, images, or markdown — pushes users toward paid plans for basic note-taking features that competitors offer free.

Security audits are aging: The Cure53 penetration test and Trail of Bits cryptography audit were conducted in 2021. No public audit since the Proton acquisition. Trail of Bits found the protocol robust with strong cryptographic primitives, but 4+ years without a fresh audit is a gap worth noting.

Pricing

Free plan: $0 (unlimited plaintext notes, unlimited devices, E2E encryption, sync, tags, passcode lock, biometric unlock).

Productivity plan: $90/year (~$7.50/month) — adds Super rich text editor, markdown, spreadsheets, daily encrypted email backups, 100+ editors and themes.

Professional plan: $120/year ($10/month) — adds 100GB encrypted file storage, maximum note version history, family sharing (up to 5 accounts).

All paid plans include 2FA. 14-day refund on Productivity, 90-day refund on Professional.

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.
