Parent Company: Notion Labs Inc.
Headquarters: San Francisco, CA, United States
Jurisdiction: United States
CLOUD Act Status: Exposed
Canadian Data Residency: Not Available
Upper Harbour Risk Rating: Exposed

The knowledge base problem

Notion occupies a unique position in the compliance landscape because of what organizations put into it. Unlike a communication tool (where data is transactional) or a file storage tool (where data is discrete files), Notion becomes an organization's structured knowledge base. It contains: internal processes and procedures, employee handbooks and HR policies, strategy documents and roadmaps, client project documentation, meeting notes with names and decisions, onboarding materials with role-specific information, and often, links to or embeds of other sensitive documents.

The cumulative intelligence stored in an organization's Notion workspace is often more revealing than any single document. A CLOUD Act order against Notion could produce a comprehensive map of an organization's operations, personnel, and strategic direction.

No data residency, no customer encryption

Notion stores all data in the United States. There is no Canadian data region, no region selection capability, and no customer-managed encryption. Notion encrypts data at rest and in transit using Notion-managed keys, but Notion can access all workspace content — and can be compelled to produce it under US legal process.

This places Notion in the same category as Slack and Dropbox: full US jurisdictional exposure with no technical mitigation options beyond not putting sensitive data in the tool.

Notion AI and data processing

Notion AI provides writing assistance, summarization, and search across workspace content. When Notion AI processes a page, it sends that content to AI models (currently powered by providers including OpenAI and Anthropic) for processing. Notion states that customer data is not used for model training, but the processing itself occurs on third-party infrastructure that may be distinct from Notion's own servers.

This creates a layered jurisdictional question: data stored by Notion (US) is processed by AI providers (also US) on infrastructure that may be operated by yet another US cloud provider. Each layer is CLOUD Act exposed. For organizations concerned about AI processing of their workspace content, Notion AI can be disabled at the workspace level.

The guest access expansion

Notion allows external guests to access specific pages and databases. When a Canadian organization shares Notion pages with clients, partners, or contractors, the shared content — along with the guest's email address and access logs — flows through US infrastructure. For organizations subject to Law 25, guest access that involves personal information of Quebec residents constitutes a cross-border transfer requiring assessment.

Compliance requirements

The TIA for Notion should document: US incorporation and CLOUD Act status, US-only data storage, absence of customer encryption options, whether Notion AI is enabled, and what data categories are stored in the workspace. The practical remediation options are limited: restrict personal information from Notion, disable AI features for sensitive workspaces, and document the accepted risk.

For organizations that rely heavily on Notion for internal documentation, the assessment should consider whether the cumulative intelligence value of the workspace warrants a higher level of jurisdictional protection than any individual document would suggest.

BC public bodies — FIPPA compliance note

Notion is US-incorporated and subject to the CLOUD Act. BC public bodies using Notion with sensitive personal information must complete a FIPPA privacy impact assessment. Notion stores data in the US with no Canadian data residency option, making it higher risk under the FIPPA assessment framework.