Guide

How to secure Notion? The actionable guide

Notion is the leading SaaS solution for note-taking and knowledge management

How to secure Notion?

Why should you be careful about your Notion security?

Notion is the leading SaaS solution for note-taking and knowledge management. It’s widely adopted by startups globally and entrusted with data from private employees and businesses. A variety of teams rely on Notion as a business-critical platform, but Notion security is frequently identified as a blindspot by security and IT leaders.

Weekly agendas, data rooms, recruitment information, employee personal information, etc… The list of precious and sensitive data that live in your Notion is long. 

While criminal hacking is often viewed as the most dangerous threat, most security leaders are more concerned about inadvertent and negligent data breaches than malicious ones.

Most employees are not malicious threats or “out to get” their companies. Many data leaks occur as a result of employees who lose sensitive data in public, provide open Internet access to data, or fail to restrict access per organizational policies.

In brief:

  • Notion is a business-critical SaaS application entrusted with sensitive data.
  • Account takeovers and insider threats are difficult to identify.
  • Your security team or IT team doesn’t have insight into or control over Notion. 
  • Limited access to Notion is creating vulnerabilities in your overall SaaS security.

As a business-critical SaaS application entrusted with sensitive data, Notion needs to be brought within your security scope. elba fills the gap in SaaS security, complementing your existing stack to proactively reduce risk and rapidly remediate threats.

Notion security key elements

What Notion says?

https://www.notion.so/help/security-and-privacy

‘’’The following list was last updated August 9, 2021.

  • We have completed both SOC 2 Type 1 and SOC 2 Type 2 reports, certifying that our security policies and controls continuously meet the highest industry standards.
  • We use TLS everywhere, within the data center and out.
  • Your data is encrypted at rest and in transit.
  • We run 100% on the cloud using AWS (US-West) within a virtual private network that cannot be accessed via the public internet, except via our public-facing proxy servers.
  • We have Amazon CloudTrail turned on at all times.
  • We perform quarterly independent security audits using established security firms.
  • We'll notify you within 72 hours of learning about a data breach.
  • All employees receive regular security training.’’’

What does it mean? 

Notion is SOC2. 

This means that the Notion team went through a compliance process. For example, SOC 2 Type II requires 6 months worth of control validation (including pentest, policies review, software reviews, etc…). 

But at the end of the day, a lot of compliance depends on the audit firm and auditor you are working with. They are humans, so there are tons of variables that can influence their work ranging from how their day or week is going, experience levels, or their technical understanding of the application or infrastructure. All these variables factor into the depth of the audit. Compliance is not necessarily equal to security. 

Nevertheless, SOC 2 is the highest standard for software security in the industry and reaching SOC 2 is not achievable with a random security foundation. That proves that Notion is committed to implementing a strong first layer of security, and they have a reasonable security base ground. (more from the Notion team here)

Is my data safe and encrypted?

Notion has encryption in transit & at rest, but they are not proposing end-to-end encryption (E2E).

It means that someone who works at Notion would theoretically have no problem accessing your pages and seeing all your data.

That said, any app or tool that doesn't offer full end-to-end encryption does pose a theoretical privacy risk. Because of that, we don’t recommend storing any potentially sensitive data in Notion, or any other not-fully-encrypted SaaS.

But, no need to panic. Protecting your data is important and you and your team are fully responsible for doing so. So no need to worry about storing your task list in Notion, but think twice before starting a CRM or a financial report in it.

Can Notion employees read your data?

Yes and No.

No one at Notion is reading your data. Unless you give them support access and explicitly ask for help with a document. They're not in the business of selling your private data, and, unless they get acquired, we don't think this will change. 

That being said, it's clear that once Notion has its hands-on workspace content, it stores it, makes it accessible to certain privileged employees, and can share that information with others if compelled via legal means (like law enforcement). Also, interestingly, since they claim they may need to access your data during support interactions, it heavily implies that this data is associated with your account and not anonymised.

Should we ban Notion from our SaaS stack?

No. Notion is still a secure software. You just need to keep in mind that you should not put everything in it. 

Banning employees from using tools that can help them do their job better is not an approach that works in practice.

If you ban popular tools like Notion, people could be moving their work to personal devices and accounts. Then, you'll have less visibility into what's happening which can quickly turn into an IT and security nightmare…

If you are wondering : 

  • How many documents are shared outside my organization ? 
  • What kind of documents are shared (task list or our latest financial report ) ? 
  • Who has access to what ? 
  • How vulnerable is my organization ? 

We can help you at elba… 

Book a call with our experts directly on our website: elba.security 

Our checklist to secure your Notion

1. Do not store passwords and do not store sensitive data on Notion

Why? 

Notion is not encrypted End to End (E2E). Someone who works at Notion would theoretically have no problem accessing your pages and seeing all your notes or anything you’ve added.

Some information is sensitive enough to require more active measures.  

The best practice would be to remove all your sensitive personal data (ID card, driving license, etc…), financial data (credit cards, bank accounts, etc…) and technical data (API keys, AWS secrets, etc…), and confidential data (cap table, customer information, etc…)

The risk of a rogue employee at Notion stealing your data is quite absurd but not impossible. However, the biggest risk for your data is human error. For example you could have created a shared link, and accidentally allowed the recipient access to a whole branch of notes. 

That is the biggest security risk. 

How?

  • Be careful of what you and your colleagues are writing in Notion. You should refer to your cyber policy internally to find out what is allowed and what is not allowed to share.

(need help to write and distribute your company policy, we have what you need here)

  • Review your workspace to find sensitive data.
  1. Know what personal information you have in your files and on your computers.
  2. Keep only what you need for your business.
  3. Protect the information that you keep.
  4. Properly dispose of what you no longer need.

It can take some time, but ultimately it will be crucial for you and your team. 

2. Do backups (regularly)

Why? 

For many companies, Notion works as a second brain and internal wiki.. Data losses can occur in many forms, from hard drive failures to ransomware attacks and even human error or physical theft.

It would be a nightmare to lose all your data, because you or someone in your team accidentally (or maliciously) deleted your workspace.

No matter the misfortune, a data backup could be the respite you’re looking for to restore the data stored on your devices. It’s typically stored in a secure, separate location from an original device, such as a cloud. But a backup strategy isn’t something to focus on just one day of the year. It should be a part of your cyber hygiene. The longer the span of time you leave between your data backups, the more data you might lose. So, back up regularly and often.

It is also important to do backup for compliance reasons. Audits (like SOC2 or ISO27001) require that you guarantee the “demonstrable recovery” of customer data.

And FYI Notion keeps backups of your database, which allows them to restore a snapshot of any page in the past 30 days if you need it.

How? 

Manually, you’ll have to go on your workspace settings and you must be an admin.

  • Go to Settings & Members at the top of your left-hand sidebar. Select Settings in the sidebar of that window.
  • Scroll down and click the Export all workspace content button.

You'll receive an email from Notion with a link to download your file(s). The link will expire after 7 days.

Now, where to store your backup securely ?

The backup is key, absolutely, but a new vulnerability can appear if you don't store the backup itself safely. 

At elba, we recommend to store your backup : 

  • In your secure cloud (Google Drive, Dropbox,...) for easy access
  • In a external hard drive 

If you believe that your Notion database is essential and critical for your business, you should automate this process. 

And you should probably have more than one copy of your backup files and store each copy using a different storage method.

More information here: https://www.notion.so/help/back-up-your-data

3. Review access and permissions - Check the workspace guest

Why? 

When was the last time you checked whether members of your team have access to data they do not need? And that’s a problem. Not knowing which employees have access to what increases the risk of data theft and insider threats, as well as making it easy for hackers to exploit old accounts and permissions to gain access to your system. 

Have you heard the tale of the intern who has more access rights than the company executive? Well, it’s not as far-fetched as it seems.

While most organizations have policies in place for assigning new access rights, they tend to neglect the fact that these rights need to be revoked once they have become obsolete. Not only are excess permissions risky from a cybersecurity perspective, they can also violate compliance regulations.

At elba we recommend to: 

  • Perform company access reviews every 2 months 
  • Ask a manager to review key document access every 4 weeks 
  • Use SCIM Notion API (for enterprise users only)

How?

  • Go to Settings & Members at the top of your left-hand sidebar.
  • Select the Members tab in the sidebar of that window.
  • Scroll to see all the users in your workspace
  • You can also review the access page by page by clicking on the top right ‘share’ 

Page by page 

4. Create group access

Why? 

Your company likely has layers of information and your employees need different types of access to that information based on their role, team, assignments, etc.

For example, engineers might need the ability to edit a feature spec, while marketing only needs to view and comment on that page. And there’s probably only a small group of people you want editing, say, your benefits information. But you want everyone else to be able to read it.

Information structure can get complicated as your company increases in size.

How? 

Only workspace admins can create or edit groups. Given that's the case, here's what to do:

  • Go to Settings & Members at the top of your left-hand sidebar.
  • Select the Members tab in the sidebar of that window.
  • You'll see a list of all your members. To the right of the header Members, click Groups.
  • Click Create a group. Name and choose an icon for your group ✨
  • Under your new group, click + Add a member.
  • Add as many members as you want to any group.
  • You can also click Remove to the right of any group member.

More here:

https://www.notion.so/help/guides/restrict-access-to-pages-with-permission-groups

5. Toggle off Notion employee access

Why? 

Notion employees will only ever access your data for the purposes of troubleshooting problems or recovering content on your behalf, after hearing from you via email or in-app support chat with a request for help. Be sure that this option is disable.

How? 

To revoke access at any time:

  • Navigate to Settings & Members at the top of your left-hand sidebar, then My account.
  • Scroll down to the Support access section and click Revoke access.

6. Sign in with Google Auth and activate the 2FA

Why? 

Two-factor authentication (2FA) means that whatever application or service you’re logging in to is double-checking that the request is really coming from you by confirming the login with you through a separate venue.

2FA is essential to security because it immediately neutralizes the risks associated with compromised passwords. If a Notion password is hacked, guessed, or even phished, that’s no longer enough to give an intruder access: without approval at the second factor, a password alone is useless. And you don't want an intruder to have access to your Notion. 

Unfortunately Notion does not offer 2FA natively. The only way to activate it is to use the Google sign in. 

How? 

As illustrated below 

  • Log out of Notion 
  • And re-log with the button “Continue with Google”

 And Activate 2FA 

  • Open your Google Account. 
  • In the navigation panel, select Security. 
  • Under “Signing in to > Google,” select 2-Step Verification and then Get started.
  • Follow the on-screen steps.

Directly here : https://myaccount.google.com/security

7. Review connected apps

Why? 

To help you safely share your data, Notion lets you give third-party apps and services access to different parts of your Notion workspace. Third-party apps and services are created by companies or developers that aren’t Notion.

How? 

For individuals 

As an individual user, you can manage your account authentications for connected apps at any time.

  • Navigate to the Settings & Members menu in the sidebar. 
  • Then, click My connected apps. 
  • Here, you'll see all of the apps you've authenticated for link previews or embeds, as well as other apps that you haven't connected yet!
  • Click Show all at the top right to see additional app options.
  • Now, you can Disconnect an existing account

For an entire workspace:

To manage app connection settings on a workspace level, admins will need to restrict permissions directly with each platform's settings. 

8. Consider switching to an enterprise account on Notion :

Why? 

The Notion enterprise plan includes advanced permission and security features to manage and secure your workspace.

Key security features like:

  • SSO
  • Prevent sharing publicly
  • Disable guest
  • Disable members workspace export

Conclusion

If you've made it this far, you realize that there are many ways to secure your Notion workspace, but even if you enable them all ways to secure your Notion projects, it will never be enough. These configurations are the foundations on which you build your security policy, you can only make it truly effective by 1. train your collaborators to solve their own security issues. 

And if you are wondering : 

  • How many documents are shared outside my organization ? 
  • What kind of documents are shared (task list or our latest financial report ) ? 
  • Who has access to what ? 
  • How vulnerable is my organization ? 

We can help you at elba… 

Book a call with our experts on our website: elba.security 

Empower your employees,
protect your company.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.