Category: Productivity AI · Sector: General

Notion AI

Notion Labs, Inc. · EFROS US AI Vendor Governance Index entry

By Stefan Efros, CEO & Founder, EFROS

Composite governance score

33 / 100 (grade F)

F = inadequate posture for any regulated workload. Re-evaluate before procurement.

Axes scored: 8 / 11
Trust-center maturity: 3 / 5
Sector weighting: General sector

About this vendor

AI overlay on Notion's collaborative workspace. Used for summarization, drafting, semantic search, and database automation within Notion content.

Enterprise tier
Notion Business, Notion Enterprise (per-user AI add-on)
Consumer tier
Notion Free, Notion Plus

Twelve-axis governance scoring

Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).

Each entry below gives the axis, its status, the EFROS note, and the cited source.

BAA / DPA available: No
  EFROS note: Notion does not sign BAAs. Notion has explicitly stated it is not HIPAA-compliant and should not store PHI.
  Source: Notion HIPAA support article

Training-data opt-out: Partial
  EFROS note: Notion AI does not train on workspace content by default for Business and Enterprise plans. Free and Plus: opt-out toggle available.
  Source: Notion AI Privacy

US data residency option: No
  EFROS note: No US data residency configuration option as of May 2026. Notion uses AWS US-East by default.
  Source: Notion Trust Center

SOC 2 Type II report: Yes
  EFROS note: SOC 2 Type II report available via Notion Trust Center under NDA. ISO 27001:2022 also held.
  Source: Notion Trust

ISO/IEC 42001 attestation: No
  EFROS note: No ISO/IEC 42001 attestation.
  Source: Public posture review

NIST AI RMF self-attestation: No
  EFROS note: No public NIST AI RMF self-attestation.
  Source: Public posture review

Colorado AI Act readiness: No
  EFROS note: No Colorado AI Act compliance statement.
  Source: Public posture review

HHS-OCR Section 1557 readiness: N/A
  EFROS note: Not BAA-eligible — Section 1557 use case disqualified by HIPAA gap.
  Source: HHS-OCR Section 1557 — deployer scope

FRB SR 11-7 readiness: N/A
  EFROS note: SR 11-7 is deployer responsibility for banking use, but the lack of BAA already disqualifies most regulated bank deployments.
  Source: FRB SR 11-7 — deployer scope

ABA Formal Op 512 readiness: N/A
  EFROS note: ABA Op 512 is practitioner responsibility; no BAA significantly raises the privilege bar for law firm use.
  Source: ABA Formal Op 512 — practitioner scope

Subprocessor list public: Yes
  EFROS note: Notion subprocessor list public (OpenAI as Notion AI subprocessor, AWS, Stripe, etc.).
  Source: Notion Subprocessors

Trust-center maturity

3 / 5

Mature trust portal with SOC 2 + ISO under NDA. AI-specific governance documentation is thin — no Colorado AI Act, no NIST AI RMF, no ISO 42001.

Source: Notion Trust

Deep dive

Overview

Notion AI is one of the most-deployed shadow-AI vectors in the regulated mid-market. The product is good and widely adopted, but the lack of BAA, lack of residency, and thin AI-specific governance documentation make it a poor fit for any regulated workload. Most firms we audit have Notion AI in use and PHI/PII in Notion without realizing the BAA gap.

Strengths

  • No-train default for Business/Enterprise
  • Mature SOC 2 + ISO 27001 posture
  • Public subprocessor list

Weaknesses

  • No BAA. Not HIPAA-compliant
  • No US data residency option
  • No AI-specific governance documentation
  • Common shadow-AI vector for regulated data

Best-fit use case

Non-regulated workspace use where no PHI, PII, or privileged data enters Notion. Internal-only knowledge management for non-regulated workloads.

Avoid when

Any environment where PHI, regulated financial data, or privileged legal content might enter a Notion workspace. DLP at the email/upload boundary is the right preventive control.

Operator's take

Deploy Notion AI for non-regulated workspace use where no PHI, PII, or privileged data enters Notion, such as internal-only knowledge management for non-regulated workloads. The composite score of 33 (grade F) reflects a mixed posture for regulated US workloads. Skip the vendor in any environment where PHI, regulated financial data, or privileged legal content might enter a Notion workspace; DLP at the email/upload boundary is the right preventive control. In every deployment, treat the cells above as a snapshot — the acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.

How this scoring is computed

The composite score blends eleven scoreable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator so vendors are not penalized for sector-inapplicable axes. The vendor's primary sector amplifies the most relevant axes — healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2 — so the composite reflects what matters in the actual buying context.
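The mechanics described above (N/A axes dropped from the denominator, the primary sector doubling one axis, the result blended with trust-center maturity) can be exercised on the Notion AI table itself. The scorer below is an added example and is not EFROS's published methodology: the Yes/Partial/No point values, the 90/10 blend between the axis fraction and the trust-center fraction, and the axis-to-sector mapping are assumptions, so it is not expected to reproduce the published 33. What it does show is how the denominator moves when a cell changes, which is the question a buyer asks before filing a challenge.

```python
# Added example, not EFROS's own scorer. Recomputes a composite from an
# axis table using the rules stated on the page (N/A excluded from the
# denominator, sector multiplier x2 on one axis, blend with trust-center
# maturity). Point values and blend weights below are ASSUMED.
from __future__ import annotations

# Assumed mapping of cell status to credit earned; "N/A" is handled
# separately by being skipped entirely.
STATUS_VALUE = {"Yes": 1.0, "Partial": 0.5, "No": 0.0}

# Sector amplification as stated on the page: the named axis counts double.
# "general" amplifies nothing.
SECTOR_WEIGHTS = {
    "healthcare": {"Section 1557": 2.0},
    "legal": {"ABA Op 512": 2.0},
    "banking": {"SR 11-7": 2.0},
    "general": {},
}

# The page's Notion AI axis table (May 2026 snapshot), transcribed.
NOTION_AI_AXES = {
    "BAA / DPA": "No",
    "Training opt-out": "Partial",
    "US data residency": "No",
    "SOC 2 Type II": "Yes",
    "ISO/IEC 42001": "No",
    "NIST AI RMF": "No",
    "Colorado AI Act": "No",
    "Section 1557": "N/A",
    "SR 11-7": "N/A",
    "ABA Op 512": "N/A",
    "Subprocessor list": "Yes",
}
NOTION_AI_TRUST_CENTER = 3  # out of 5, from the page

# Assumed blend: 90% axis fraction, 10% trust-center fraction.
AXIS_SHARE = 0.9
TRUST_SHARE = 0.1


def axis_score(axes: dict[str, str], sector: str = "general") -> tuple[float, int]:
    """Return (weighted fraction of credit earned in 0..1, number of scored axes).

    N/A axes contribute to neither numerator nor denominator, so a vendor is
    not penalised for sector-inapplicable axes. The sector multiplier scales
    both what the axis can earn and what it adds to the denominator.
    """
    weights = SECTOR_WEIGHTS[sector]
    earned = possible = 0.0
    scored = 0
    for axis, status in axes.items():
        if status == "N/A":
            continue
        w = weights.get(axis, 1.0)
        earned += w * STATUS_VALUE[status]
        possible += w
        scored += 1
    return (earned / possible if possible else 0.0), scored


def composite(axes: dict[str, str], trust_center: int, sector: str = "general") -> int:
    """Blend the axis fraction with trust-center maturity (0..5) into a 0..100 score."""
    fraction, _ = axis_score(axes, sector)
    return round(100 * (AXIS_SHARE * fraction + TRUST_SHARE * trust_center / 5.0))


def rescore(axes: dict[str, str], trust_center: int, sector: str = "general", **changes: str) -> int:
    """What-if helper: recompute after overriding one or more cells, e.g. a new BAA."""
    return composite({**axes, **changes}, trust_center, sector)


if __name__ == "__main__":
    fraction, scored = axis_score(NOTION_AI_AXES)
    print(f"scored axes: {scored}/11, axis fraction: {fraction:.4f}")
    print("composite (assumed weights):", composite(NOTION_AI_AXES, NOTION_AI_TRUST_CENTER))
    print("if a BAA appeared:", rescore(NOTION_AI_AXES, NOTION_AI_TRUST_CENTER, **{"BAA / DPA": "Yes"}))
```

Note that under these assumed weights a BAA alone moves the composite only into the mid-40s, because the other six "No" cells still sit in the denominator; the scorer makes that arithmetic visible rather than leaving it to the grade letter.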

Read the full methodology →

Disagree with this scoring?

EFROS publishes scoring rationale per cell with a public source. If you have evidence that a specific axis should score differently — a new BAA, a new certification, a documented policy change — submit a formal challenge below. We re-score and publish the result with the next quarterly edition (or as a mid-quarter changelog entry if the change is material).

Disagree with a score?

Every cell in the EFROS Index is source-cited. If you have a public source that contradicts a score for Notion AI, submit a formal challenge — we re-verify against the source and respond within 14 days.

Similar vendors (same category or sector)

Vendors in the same category as Notion AI, padded with vendors that share its primary sector. All scored on the same twelve axes — useful for head-to-head shortlisting.

Where Notion AI shows up in the rest of the Index

Notion AI is scored in every state and (where applicable) sector slice of the Index. Use these views to compare Notion AI against its peers from a state or sector lens rather than category.

Disclaimer. Scoring as of 2026-05-13. Posture changes frequently — re-verify with the vendor's trust center before contract. This page is informational; it is not legal advice. EFROS clients get a refreshed posture review as part of the AI Governance Audit.

Take the scoring into production

The Index tells you the posture. These engagements turn the posture into a deployable program — vendor selection, governance policy, sector overlay, audit-ready evidence.