Privacy & Security
Learn more about our security and privacy practices.
At Notis, we prioritise the security and privacy of your data. This document outlines the security and privacy practices, as well as the compliance standards of the platforms we use to deliver our services.
Privacy Approach
The privacy of your data is paramount for us. To maintain it, we focus on the following principles:
- We do our best to comply with GDPR standards and only work with providers that comply with GDPR and, in particular, with EU data residency requirements.
- We do not access your data without prior consent and have strict access control to our production environment.
Who can read my conversations with Notis?
- Every employee authorised to access the production databases of our suppliers.
- That includes Flo. We will always reach out to you to ask for your permission to view your conversations with Notis for debugging purposes, and you'll always be free to refuse.
Can my personal data be used to train LLMs?
No, your personal data is not used to train large language models (LLMs). We adhere to strict data processing principles that ensure your conversations and personal information remain private and are not incorporated into AI training datasets. Our LLM providers (primarily OpenAI) have confirmed they do not use customer data shared through their API for training purposes.
Are you GDPR compliant?
Notis is committed to protecting the privacy rights of individuals in accordance with the General Data Protection Regulation (GDPR). We have implemented the following measures:
- Data Processing Agreements (DPAs) with all our service providers
- Mechanisms for data subject access requests
- Data retention policies that limit how long we keep your information
- EU data hosting when available
- Transparency about data processing activities
What’s the deletion policy for my data?
Notis respects your right to have your data deleted. We have implemented a comprehensive data deletion process that ensures your information is properly removed from our systems when requested.
- User-Initiated Deletion: You can request the deletion of your data at any time by contacting us through our live chat.
- Deletion Process: When we receive a deletion request, we will remove your personal data from our active systems within 30 days (most often in a couple of hours).
- Backup Retention: Data may persist in encrypted backups for up to 90 days after deletion from active systems, after which it will be automatically purged.
- Exceptions: We may retain certain information as required by law or for legitimate business purposes, such as fraud prevention, accounting, or legal obligations.
We are committed to making the deletion process as straightforward as possible while maintaining compliance with applicable regulations.
Security Measures
We take your data security very seriously. To ensure the security of your data, we focus on the following principles:
- Strict access controls on our production environment. Only Flo, the founder and creator of Notis, has access to it.
- All our suppliers with visibility into your discussions with Notis are required to be SOC 2 or ISO certified, with the exception of Telegram.
- Backup systems with encrypted storage.
Secure File Sharing & Link Mechanisms
Notis utilizes Supabase to host and manage all attachments, audio files, and documents shared between users and Notion. Our approach to secure file sharing follows these principles:
- Unique URL Generation: Every shared link or URL contains a unique identifier that includes the user ID and other randomized components, making it practically impossible to guess or brute force.
- Public Bucket Architecture: We use public buckets to enable seamless sharing between channels (WhatsApp, Telegram, email) and Notion, which eliminates the need for complex authentication processes.
- Security Through Obscurity+: While the links are technically accessible without authentication to anyone who holds the exact URL, the length and uniqueness of each URL provide a high level of practical security against unauthorised access attempts.
- No Sign-up Required: Recipients can access shared documents directly through the provided links without needing to create accounts or authenticate, improving user experience while maintaining security.
This approach balances security needs with usability considerations. While we do not require authentication for accessing shared files, the mathematical improbability of guessing valid URLs makes this a secure solution for most use cases. For highly sensitive data, we recommend additional security measures such as encrypting the content before sharing or using Notion's native permission controls.
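The "mathematical improbability" argument above holds only if the random component of each link comes from a cryptographically secure generator with enough bits; the user ID is not secret, so it contributes nothing to unguessability. The following Python example is added here to illustrate that principle; it is not Notis's or Supabase's code, and the base URL, path layout and 32-byte token size are assumptions. It builds a link with the standard library's `secrets` module, checks that a token is long enough for a target entropy, and estimates the chance that a given number of blind guesses finds any live link.

```python
import math
import re
import secrets

# Hypothetical base URL; the real bucket path is not given on the page.
BASE_URL = "https://storage.example.invalid/public/attachments"

# URL-safe base64 alphabet: 64 symbols, so each character carries 6 bits.
URLSAFE_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")
BITS_PER_CHAR = 6


def token_entropy_bits(random_bytes: int) -> int:
    """Entropy of a token built from `random_bytes` CSPRNG bytes."""
    return random_bytes * 8


def min_token_chars(entropy_bits: int) -> int:
    """Smallest URL-safe base64 token length that can encode `entropy_bits`."""
    return math.ceil(entropy_bits / BITS_PER_CHAR)


def generate_capability_url(user_id: str, random_bytes: int = 32) -> str:
    """Return a link whose last path segment is a capability token drawn
    from the OS CSPRNG. 32 bytes -> 256 bits -> a 43-character token."""
    token = secrets.token_urlsafe(random_bytes)
    return f"{BASE_URL}/{user_id}/{token}"


def token_from_url(url: str) -> str:
    """Extract the capability token (the final path segment) from a link."""
    return url.rsplit("/", 1)[1]


def token_meets_minimum(token: str, required_bits: int = 128) -> bool:
    """Defensive check a link issuer can run before publishing a URL:
    the token must be URL-safe base64 and long enough for `required_bits`.
    (Length is a necessary condition only; a long but predictable token,
    e.g. a counter or timestamp, would pass this check and still be weak.)"""
    return bool(URLSAFE_TOKEN.match(token)) and len(token) >= min_token_chars(required_bits)


def guess_success_probability(entropy_bits: int, live_links: int, attempts: int) -> float:
    """Upper bound (union bound) on the probability that `attempts` uniform
    random guesses hit any one of `live_links` valid tokens drawn from a
    space of 2**entropy_bits values."""
    return min(1.0, attempts * live_links / 2.0 ** entropy_bits)


if __name__ == "__main__":
    url = generate_capability_url("user_123")  # constructed sample user id
    print(url)
    print("token OK for 128 bits:", token_meets_minimum(token_from_url(url)))
    # One billion live links, one trillion blind guesses, 256-bit tokens:
    print("P(any hit):", guess_success_probability(256, 10**9, 10**12))
    # The same attack against 32-bit tokens is certain to succeed:
    print("P(any hit, 32-bit):", guess_success_probability(32, 10**6, 10**6))
```

The estimate deliberately ignores rate limiting and monitoring on the storage provider's side, so it is a worst-case bound for the guessing attack alone; it says nothing about links leaking through other channels (browser history, referrer headers, chat logs), which is why the page's advice to encrypt highly sensitive content before sharing still applies.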
Platform Providers Security Overview
We use the following platform providers to deliver the Notis experience. Below you'll find the security and privacy practices of each of our partners.
| Platform | Purpose | Encryption | Certifications | GDPR Compliance | Data Residency |
|---|---|---|---|---|---|
| Notion | Insert, update and find documents | TLS 1.2+ in transit and AES-256 at rest | ISO/IEC 27001, 27701, 27017, 27018, and SOC 2 Type 2 | Fully compliant | AWS servers in US (West-2, East-2) |
| Supabase | Our main database and file storage | TLS 1.2+ in transit, AES-256 at rest | SOC 2 Type 2 | Committed to compliance | European regions in Frankfurt |
| OpenAI | LLM and RAG | TLS (HTTPS) in transit, AES-256 at rest | SOC 2 Type 2, CSA STAR Level 1 | Committed to compliance | EU data centers for enterprise, education, API users |
| Render.com | Hosting | HTTPS/TLS in transit, AES-256 at rest | ISO/IEC 27001, SOC 2 Type 2 | Fully compliant | Frankfurt, Germany (AWS eu-central-1) |
| Langfuse | Tracing for debugging | TLS in transit, AES-256 at rest | ISO/IEC 27001:2022, SOC 2 Type 2 | Designed for compliance | AWS eu-west-1 (Ireland) |
| WhatsApp via Twilio | WhatsApp integration | TLS 1.2 in transit, AES-256 at rest | ISO/IEC 27001, 27017, 27018, and SOC 2 Type 2 | Compliant | Data centers in Ireland |
| Telegram | Telegram integration | Custom MTProto protocol with multi-layer encryption in transit, encrypted in Telegram Cloud | No known ISO certifications or SOC 2 compliance | Asserts compliance, offers data tools | Split encryption keys across servers |
Privacy and Security Contact
If you have any questions about our privacy and security practices or wish to report a security concern, please contact us through our live chat.