Data Security & Compliance

Trust Ideanote to keep your data secure and meet your compliance requirements.

Secure Access

Ideanote supports SSO through SAML 2.0, SCIM provisioning, domain claiming, and device management integrations so only approved users and trusted devices ever reach your workspace.

Easy Compliance

All customer data in Ideanote is encrypted both in transit and at rest by default. Enterprise admins gain additional visibility and control with audit logs, advanced permission settings, and integrations with audit log aggregators to safeguard your information.

Information Control

Features such as global retention policies, export controls, and audit trails help organizations manage compliance obligations and maintain oversight across the full lifecycle of their ideas.

Hosting Options

Ideanote offers standard cloud hosting, regional data residency, dedicated single‑tenant deployments, and fully self‑managed on‑premise installations—giving you control over where and how your data is hosted.

SECURITY SCORECARD

Trust Speaks Louder than Words

With a 98% score on SecurityScorecard, Ideanote ranks among the most secure platforms worldwide. This top-tier rating confirms our strong defenses, continuous monitoring, and low-risk profile.


Download the Ideanote SecurityScorecard >

FLEXIBLE CONTROL

Visit our Security Report

Ideanote has been audited against and found compliant with SOC 2 security, availability, and confidentiality principles by an independent auditor.

You can confirm our current security report on our trust center.

View Ideanote Trust Center Report >


Security

We take a security-by-design approach to protect your data. Our infrastructure, policies, and processes are continuously monitored by Drata to ensure compliance with industry standards.


Encryption Everywhere

All data that flows through Ideanote is encrypted using strong cryptography both when it is sent across the internet (TLS 1.2+) and when it is stored in our databases or file systems (AES-256). This ensures that your data is protected against unauthorized access, whether it’s moving between systems or sitting at rest in storage.

Least-Privilege Access

Access to customer data is granted only when strictly necessary and always limited to the minimum required. Every employee has a unique account, multi-factor authentication is enforced, and terminated accounts are automatically removed within one business day. This prevents unnecessary exposure and reduces risk in case of human error or malicious intent.

Continuous Monitoring

With Drata, our infrastructure, endpoints, and policies are monitored around the clock. Automated alerts and daily evidence collection ensure that security controls are active and effective every single day.

Secure Development Lifecycle

Our software development lifecycle (SDLC) includes multiple safeguards. Every code change undergoes peer review, automated testing, and security scans before release. Dependencies are continuously checked for vulnerabilities, and builds are validated in separate development, staging, and production environments. MFA is enforced for all code repositories, deployment systems, and pipelines, ensuring secure practices from code creation to deployment.

Clear Reporting Structure

We maintain documented internal processes and external contacts so vulnerabilities and incidents can be reported and addressed quickly and transparently.

Secure Authentication

Ideanote supports multiple enterprise‑grade authentication methods, including SAML 2.0, SCIM, JWT, OpenID and more. These options give organizations strong control over identity management and provide secure, streamlined access for their teams.

Privacy

Your data stays yours. We design our platform and policies to ensure confidentiality, transparency, and compliance with global standards.


How we Handle your Data

Our team is dedicated to developing and maintaining data privacy safeguards that align with industry best practices. We provide ongoing training to ensure our employees are up to date with evolving legislation and privacy standards. Every employee and contractor signs confidentiality and non-disclosure agreements, and vendors handling personal data must meet the same strict requirements.

Agreements

The Ideanote Terms and Data Processing Addendum describe in detail our data privacy practices, standards, and safeguards. These agreements are regularly reviewed and updated to ensure compliance with GDPR, CCPA, and other global data protection laws.

Data Governance

We apply policies and procedures that govern the entire data lifecycle from collection and processing to distribution, storage, and deletion. This ensures your information remains secure, private, accurate, and accessible throughout its use.

Security infrastructure

Ideanote’s infrastructure is designed with layers of protection to help ensure your data is secure while it is transmitted, stored, or processed. Protections include, but are not limited to, encryption, least-privilege access and secure software development.

Compliance

We align with leading frameworks and undergo independent audits to provide assurance that your data is handled responsibly.

SOC 2 Type II

Our systems and controls are audited against the AICPA Trust Services Criteria, verifying that Ideanote maintains effective safeguards over security, availability, and confidentiality over time. Ideanote is proud to be SOC 2 Type II certified by an independent third-party auditor, assuring customers that our security controls have been attested and validated. We are constantly looking for ways to improve not only the security of our product but also how we conduct business on a daily basis.


GDPR Compliance

As the GDPR is considered the most stringent global privacy framework, and because Ideanote is based in the EU, we map our privacy program to its requirements as well as to other international regulations. Customers have rights to access, correct, delete, and restrict the use of their personal data in accordance with GDPR.

Data Residency Options

Data residency for Ideanote lets organizations choose the country or region where they want to store their encrypted data at rest. Ideanote supports the EU, US, CA and AE regions out of the box. It gives customers the flexibility to comply with regional regulations like the Canadian Provincial Privacy Regulation, the Australian Privacy Act of 1988 or the KSA Data Sovereignty Policy.

On-Premise Hosting

For organizations with strict compliance or security mandates, Ideanote also offers fully self‑managed installations that provide maximum control over data location, infrastructure, and operational policies. With Ideanote you can keep all company ideas behind your firewall.

Reliability

Innovation requires a platform you can depend on. Ideanote is built with resilience and continuity in mind.

Automatic Load Balancing

Load balancing and a clustered architecture ensure high availability for our webapp and API. Ideanote's system scales automatically with demand and can handle traffic peaks for global campaigns without a problem.

Backup and Retention

All databases are backed up daily, with versioned storage and defined retention periods. This ensures data can be restored reliably and quickly.

Cloud Monitoring and Alerts

Core infrastructure, including databases and messaging queues, is continuously monitored. Automated alerts escalate issues before they impact availability.

Business Continuity

A tested disaster recovery and business continuity plan ensures services can be restored quickly in case of incidents. Lessons learned from testing feed into continuous improvements.

AI Governance

AI in Ideanote is built to help you work smarter without adding risk or complexity. We follow a clear governance model that protects your data, respects privacy and gives you control over how AI is used. You can adopt AI knowing the essentials are handled for you.

No Training on Customer Data

Your content stays yours. Ideanote does not use customer content to train AI models.
We also require that our subprocessors refrain from using your data for model training.

Microsoft confirms that Azure OpenAI does not use customer data to train. Learn more >

Regional AI And Data Residency

If you use Ideanote in a regional deployment, your AI processing stays in-region alongside your workspace data. This helps you meet internal and regulatory expectations around data residency—without additional setup or maintenance from your side.

For example, Microsoft’s EU Data Boundary keeps eligible data stored and processed within the EU. Learn more >

Enterprise Security And Isolation

Your AI data is processed in infrastructure designed for confidentiality and compliance, with encryption and isolation built in by default.

Azure OpenAI uses AES-256 encryption and logical data isolation. Learn more >

Zero Logging And Zero Retention

We have you covered on the basics so you don’t need to worry:

  • We have disabled logging of prompts and completions
  • We enforce zero retention, so prompts and completions are not stored
  • No human review of customer content
  • No data is held for training, monitoring or auditing purposes

Azure OpenAI supports deployments with no logging and no retention after approval. Learn more >

Fine-Grained Control

AI is optional and configurable. You can turn all AI features off, disable specific capabilities or limit access to selected users. This gives teams the benefits of AI without exceeding internal policies.

BYOK and Customer Endpoints

Ideanote is open to BYOK approaches for AI where requests are sent to your own cloud AI providers for even more control. While this is not enabled in our interface we can work with you to enable AI your way.

Frequently Asked Questions

Are Anonymous Idea Submissions Really Anonymous?

Ideanote believes anonymity should be clear and consistent for users. Ideanote offers three levels of anonymity on the platform.

  • Visible Ownership - where the full name is visible to everyone who can see the idea.
  • Partly Anonymous Ownership - where the full name is visible for people with editing rights to the idea collection, including admins.
  • Fully Anonymous Ownership - where not even admins can see that you submitted an idea.

Fully Anonymous Ownership hides your name for other people from anywhere in the user interface including lists, statistics, integrations, notifications and exports. While anonymous ideas are also not counted in statistics and not shown on your profile, it might still be possible to identify or approximate an idea submitter identity via metadata like the location of a user, custom JavaScript code added to the platform by the administrator or process loopholes like only letting one person submit an idea at a time while knowing who a link was sent to.

Ideanote is also obliged to provide a "data dump" export of all data on a workspace on request by the Workspace Owner for compliance reasons. While these requests are rare, the data might contain ways to uncover anonymity. Ideanote does not reveal the identity of anonymous ideas on request. In cases of suspected gross negligence Ideanote reserves the right to send notifications to users suspected to be victims of a breach of their anonymity.

How is My Data Protected?

We take security very seriously. Your data is protected with HTTPS enforcement and Transport Layer Security (TLS) 1.3 with SHA-256 hashing and RSA-2048 signing to keep it private during transit. At rest it is kept safe and encrypted in our SOC 2 compliant Google Cloud Kubernetes datacenter.

On top of the security features of our datacenter we have:

  • 128-bit SSL encryption of all data transfer in our platform.
  • Daily backups of all your data, in case anything goes wrong.
  • Security protocols where we work.
Can Ideanote Provide a Full Copy or Redacted Summary of the Independent 3rd Party Penetration Test Report?

Yes, Ideanote can provide summaries, results and remediation of vulnerability assessments and/or 3rd party penetration tests to Enterprise customers on request.

What Are Your SLAs for Availability as Well as RPO and RTO?

For up to date information on our SLAs please see https://ideanote.io

  • We guarantee an uptime of 99.9%
  • Ideanote’s RTO is 1 hour
  • Ideanote’s RPO is 24 hours
  • Ideanote MTPOD is 8 days
Is the Data Encrypted at Rest?

Yes, your Content and PII are encrypted at rest in Google Cloud databases using a KEK (key encryption key). Industry-standard, FIPS-compliant encryption is used (AES-256).

The Google Cloud Platform encrypts customer data stored at rest by default. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK).

For more information see https://cloud.google.com/docs/security/encryption/default-encryption
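The following is an added example, not code from Ideanote or Google, that implements the envelope-encryption pattern described above with Ruby's standard openssl library: data is split into chunks, each chunk is encrypted under its own random DEK, and every DEK is stored wrapped under one KEK. The 32-byte keys, 12-byte nonces, chunk size and sample data are constructed for illustration and are not values from the page.

```ruby
require 'openssl'

# Envelope encryption: chunk -> encrypted under a per-chunk DEK; DEK -> encrypted
# ("wrapped") under the KEK. Both layers use AES-256-GCM, so a wrong key or a
# modified blob fails the authentication tag instead of yielding garbage.
# Blob layout (constructed for this example): [12-byte nonce | 16-byte tag | ciphertext].
module Envelope
  NONCE_LEN = 12
  TAG_LEN = 16

  def self.seal(key, plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    nonce = OpenSSL::Random.random_bytes(NONCE_LEN) # fresh per call; never reuse under one key
    cipher.iv = nonce
    ciphertext = cipher.update(plaintext) + cipher.final
    nonce + cipher.auth_tag + ciphertext
  end

  # Reverses seal; raises OpenSSL::Cipher::CipherError when the key is wrong or
  # the blob was tampered with, because the GCM tag no longer verifies.
  def self.unseal(key, blob)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = blob[0, NONCE_LEN]
    cipher.auth_tag = blob[NONCE_LEN, TAG_LEN]
    cipher.update(blob[(NONCE_LEN + TAG_LEN)..-1]) + cipher.final
  end

  # Returns one { wrapped_dek:, ciphertext: } record per chunk. The KEK only ever
  # encrypts DEKs, so rotating it means re-wrapping keys, not re-encrypting data.
  def self.encrypt_chunks(kek, data, chunk_size)
    (0...data.bytesize).step(chunk_size).map do |start|
      dek = OpenSSL::Random.random_bytes(32) # AES-256 key used for this chunk only
      chunk = data.byteslice(start, chunk_size)
      { wrapped_dek: seal(kek, dek), ciphertext: seal(dek, chunk) }
    end
  end

  # Unwraps each DEK with the KEK, decrypts its chunk and reassembles the data.
  def self.decrypt_chunks(kek, chunks)
    chunks.map { |c| unseal(unseal(kek, c[:wrapped_dek]), c[:ciphertext]) }.join
  end
end
```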

What Protection Do You Provide Against DDoS, Ransomware, Malware and Other Attacks?

Ideanote is protected against vulnerabilities and threats with a range of measures:

  • Ideanote is protected against DDoS attacks with the Google Cloud Armor WAF (Web Application Firewall).
  • Ideanote follows secure development lifecycle and secure development environment practices.
  • Ideanote tests against the OWASP Top 10 vulnerabilities and develops with the OWASP Top 10 in mind.
  • Ideanote conducts a vulnerability assessment by an independent third party on an annual basis and remediates any findings.
  • Any security findings are prioritized and addressed on a running basis.
  • Ideanote has separate development, staging and production environments and does not use production data during development.
  • Customer data is encrypted at rest and in transit.
  • Industry-standard encryption methods (AES-256) are used to protect customer data.
  • Code dependencies are automatically checked for vulnerabilities.
  • Automated tests are run to ensure authentication and authorization methods are secure.
  • Ideanote endpoints are hardened, encrypted and protected against malware.
Is My AI Generated Content Stored, Used for Training or Reviewed by Third Parties?

Ideanote generates content with Azure OpenAI, managed by Microsoft, which ensures your data isn't shared with others or used to enhance other products. The service processes user prompts, AI-generated content, and custom training data, employing real-time content filtering to prevent harmful outputs. All data remains securely in designated storage. Importantly, we've already opted out of abuse monitoring for you. This ensures your data, including prompts and generated content, isn't stored or reviewed, offering enhanced data confidentiality, no human review, and assurance against third-party access. For more information, please refer to https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy

Does Ideanote Comply With the EU GDPR, California CCPA, PIPL and Other Privacy Regulations?

Yes, Ideanote complies with globally applicable privacy regulation and makes it easy for customers to comply.

You can find more information about GDPR (EU and UK) compliance in the Ideanote DPA at https://ideanote.io/legal/dpa

You can find more information about Californian CCPA compliance in the CCPA Notice at https://ideanote.io/legal/ccpa-notice

You can find more information about Chinese PIPL compliance in the Ideanote PIPL Notice at https://ideanote.io/legal/pipl-notice

For questions regarding compliance with other local privacy laws, please contact us at legal@ideanote.io

Do Ideanote Sub-Processors Comply With GDPR?

Yes, we have in place written Data Processing Agreements (“DPA”) with all of Our Sub-Processors. Ideanote imposes data protection terms on each Sub-Processor regarding their security controls and applicable regulations for the protection of personal data. Before engaging a Sub-Processor, we perform extensive due diligence, including detailed security and legal analysis. We do not engage a Sub-Processor unless our quality standards are met.

Will the Personal Information Be Collected Directly From the Individuals it is About or Indirectly From Another Source?

The source of the information depends on the implementation and use of Ideanote and is up to the customer. When using single sign-on or importing user data via CSV, the customer is providing the personal information to Ideanote. In cases where the user signs up manually to the platform, e.g. via a shareable link, the individual would be providing the information themselves.