Data Security & Compliance

Trust Ideanote to keep your data secure and meet your compliance requirements.

Secure Access

Ideanote supports SSO through SAML 2.0, SCIM provisioning, domain claiming, and device management integrations so only approved users and trusted devices ever reach your workspace.

Easy Compliance

All customer data in Ideanote is encrypted both in transit and at rest by default. Enterprise admins gain additional visibility and control with audit logs, advanced permission settings, and integrations with audit log aggregators to safeguard your information.

Information Control

Features such as global retention policies, export controls, and audit trails help organizations manage compliance obligations and maintain oversight across the full lifecycle of their ideas.

Hosting Options

Ideanote offers standard cloud hosting, regional data residency, dedicated single‑tenant deployments, and fully self‑managed on‑premise installations—giving you control over where and how your data is hosted.

SECURITY SCORECARD

Trust Speaks Louder than Words

With a 98% score on SecurityScorecard, Ideanote ranks among the most secure platforms worldwide. This top-tier rating confirms our strong defenses, continuous monitoring, and low-risk profile.


Download the Ideanote SecurityScorecard >

FLEXIBLE CONTROL

Visit our Security Report

Ideanote has been audited against and found compliant with SOC 2 security, availability, and confidentiality principles by an independent auditor.

You can confirm our current security report on our trust center.

View Ideanote Trust Center Report >


Security

We take a security-by-design approach to protect your data. Our infrastructure, policies, and processes are continuously monitored by Drata to ensure compliance with industry standards.


Encryption Everywhere

All data that flows through Ideanote is encrypted using strong cryptography both when it is sent across the internet (TLS 1.2+) and when it is stored in our databases or file systems (AES-256). This ensures that your data is protected against unauthorized access, whether it’s moving between systems or sitting at rest in storage.

Least-Privilege Access

Access to customer data is granted only when strictly necessary and always limited to the minimum required. Every employee has unique accounts, multi-factor authentication is enforced, and terminated accounts are automatically removed within one business day. This prevents unnecessary exposure and reduces risk in case of human error or malicious intent.

Continuous Monitoring

With Drata, our infrastructure, endpoints, and policies are monitored around the clock. Automated alerts and daily evidence collection ensure that security controls are active and effective every single day.

Secure Development Lifecycle

Our software development lifecycle (SDLC) includes multiple safeguards. Every code change undergoes peer review, automated testing, and security scans before release. Dependencies are continuously checked for vulnerabilities, and builds are validated in separate development, staging, and production environments. MFA is enforced for all code repositories, deployment systems, and pipelines, ensuring secure practices from code creation to deployment.

Clear Reporting Structure

We maintain documented internal processes and external contacts so vulnerabilities and incidents can be reported and addressed quickly and transparently.

Secure Authentication

Ideanote supports multiple enterprise‑grade authentication methods, including SAML 2.0, SCIM, JWT, OpenID and more. These options give organizations strong control over identity management and provide secure, streamlined access for their teams.

Privacy

Your data stays yours. We design our platform and policies to ensure confidentiality, transparency, and compliance with global standards.


How we Handle your Data

Our team is dedicated to developing and maintaining data privacy safeguards that align with industry best practices. We provide ongoing training to ensure our employees are up to date with evolving legislation and privacy standards. Every employee and contractor signs confidentiality and non-disclosure agreements, and vendors handling personal data must meet the same strict requirements.

Agreements

The Ideanote Terms and Data Processing Addendum describe in detail our data privacy practices, standards, and safeguards. These agreements are regularly reviewed and updated to ensure compliance with GDPR, CCPA, and other global data protection laws.

Data Governance

We apply policies and procedures that govern the entire data lifecycle from collection and processing to distribution, storage, and deletion. This ensures your information remains secure, private, accurate, and accessible throughout its use.

Security infrastructure

Ideanote’s infrastructure is designed with layers of protection to help ensure your data is secure while transmitted, stored, or processed. Protections include, but are not limited to, encryption, least-privilege access, and secure software development.

Compliance

We align with leading frameworks and undergo independent audits to provide assurance that your data is handled responsibly.

SOC2 Type II

Our systems and controls are audited against the AICPA Trust Services Criteria, verifying that Ideanote maintains effective safeguards over security, availability, and confidentiality over time. Ideanote is proud to be SOC 2 Type II certified by an independent third-party auditor, assuring customers that our security controls have been attested and validated. We are constantly looking for ways to improve security not only in our product but also in how we conduct business on a daily basis.


GDPR Compliance

Because the GDPR is considered the most stringent global privacy framework and Ideanote is based in the EU, we map our privacy program to its requirements and to other international regulations. Customers have rights to access, correct, delete, and restrict the use of their personal data in accordance with GDPR.

Data Residency Options

Data residency for Ideanote lets organizations choose the country or region where they want to store their encrypted data at rest. Ideanote supports the EU, US, CA and AE regions out of the box. It gives customers the flexibility to comply with regional regulations like the Canadian Provincial Privacy Regulation, the Australian Privacy Act of 1988 or the KSA Data Sovereignty Policy.

On-Premise Hosting

For organizations with strict compliance or security mandates, Ideanote also offers fully self‑managed installations that provide maximum control over data location, infrastructure, and operational policies. With Ideanote you can keep all company ideas behind your firewall.

Reliability

Innovation requires a platform you can depend on. Ideanote is built with resilience and continuity in mind.

Automatic Load Balancing

Load balancing and a clustered architecture ensure high availability for our webapp and API. Ideanote's system scales automatically with demand and can handle traffic peaks for global campaigns without a problem.

Backup and Retention

All databases are backed up daily, with versioned storage and defined retention periods. This ensures data can be restored reliably and quickly.

Cloud Monitoring and Alerts

Core infrastructure, including databases and messaging queues, is continuously monitored. Automated alerts escalate issues before they impact availability.

Business Continuity

A tested disaster recovery and business continuity plan ensures services can be restored quickly in case of incidents. Lessons learned from testing feed into continuous improvements.

AI Governance

AI in Ideanote is designed to empower users, not compromise security or privacy. Our governance model ensures safe, transparent, and user‑centric AI features.

No Training on Customer Data

Ideanote does not use Content to train AI or similar systems. Ideanote also ensures that it has contracts in place with any third-party subprocessors involved that prevent them from using customer content to train their models.

Regional AI

For our Data Regions, AI is also kept inside the local cluster. This ensures that your customer data stays within geographic boundaries and you can stay compliant.

Fine-Grained Control

With Ideanote you have the option to turn all or some AI features off for your workspace. You decide where AI comes into play and who has access to it.

Bring-your-own-Key

Ideanote is open to BYOK approaches for AI, where requests are sent to your own cloud AI providers for even more control. While this is not enabled in our interface, we can work with you to enable AI your way.

Frequently Asked Questions

How is my data protected?

We take security very seriously. Your data is protected with HTTPS enforcement and Transport Layer Security (TLS) 1.3 with SHA-256 hashing and RSA-2048 signing to keep it private during transit. At rest, it is kept safe and encrypted in our SOC2 compliant Google Cloud Kubernetes Datacenter.

On top of the security features of our datacenter we have:

  • 128-bit SSL encryption of all data transfer in our platform.
  • Daily backups of all your data, in case anything goes wrong.
  • Security protocols where we work.

Are anonymous idea submissions really anonymous?

Ideanote believes anonymity should be clear and consistent for users. Ideanote offers three levels of anonymity on the platform.

  • Visible Ownership - where the full name is visible to everyone who can see the idea.
  • Partly Anonymous Ownership - where the full name is visible for people with editing rights to the idea collection, including admins.
  • Fully Anonymous Ownership - where not even admins can see that you submitted an idea.

Fully Anonymous Ownership hides your name from other people everywhere in the user interface, including lists, statistics, integrations, notifications and exports. While anonymous ideas are also not counted in statistics and not shown on your profile, it might still be possible to identify or approximate an idea submitter's identity via metadata like the location of a user, custom JavaScript code added to the platform by the administrator, or process loopholes like only letting one person submit an idea at a time while knowing who a link was sent to.

Ideanote is also forced to provide a "data dump" export of all data on a workspace on request by the Workspace Owner for compliance reasons. While these requests are rare, the data might contain ways to uncover anonymity. Ideanote does not reveal the identity of anonymous ideas on request. In cases of suspected gross negligence, Ideanote reserves the right to send notifications to users suspected to be victims of a breach of their anonymity.

Is the data encrypted at rest?

Yes, your Content and PII are encrypted at rest on Google Cloud databases using KEK. Industry-standard, FIPS-compliant encryption is used (AES 256).

The Google Cloud Platform encrypts customer data stored at rest by default. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK).

For more information see https://cloud.google.com/docs/security/encryption/default-encryption

What are your SLAs for availability as well as RPO and RTO?

For up to date information on our SLAs please see https://ideanote.io/legal/sla

  • We guarantee an uptime of 99.9%
  • Ideanote’s RTO is 1 hour
  • Ideanote’s RPO is 24 hours
  • Ideanote’s MTPOD is 8 days

Can Ideanote provide a full copy or redacted summary of the independent 3rd party penetration test report?

Yes, Ideanote can provide summaries, results and remediation of vulnerability assessments and/or 3rd party penetration tests to Enterprise customers on request.

What are legal challenges to open innovation?

Regardless of which aspect of a new open innovation project you are working on, you need to be mindful of your participants' legal rights and obligations. Having a legal best practice, like terms and conditions for participation, in place before beginning an open innovation effort is vital.

Intellectual property law intends to ensure an inventor is credited while also allowing them to profit from their ideas. With open innovation, however, it is possible that the innovator will need to rescind their rights to an idea.

Companies or individuals submitting solutions must be sure that the process is fair and transparent and that the legal bases and ownership terms are covered.

Have you completed a recent penetration test and would you be prepared to share the results?

Ideanote initiates vulnerability assessments on an annual basis. Any findings are addressed and remediated.

We can share the results of our most recent vulnerability assessment with customers on the Enterprise plan.

Are there any in-system capabilities for data archiving?

Yes, you can archive content on Ideanote.

Is sensitive data (e.g. PII) encrypted?

Yes, sensitive data, including users' personally identifiable information (name, email) and sensitive data (ideas, content), is encrypted in transit and at rest.

Is data encrypted in transit via transport layer encryption (TLS)?

Yes, Ideanote uses and enforces TLS encryption. Ideanote uses TLS 1.3 by default but also supports clients with TLS as low as 1.2.

TLS 1.1 is not safe and not supported by Ideanote.

When a user visits a website or application with Ideanote instrumented, the details of their interactions are captured and sent to Ideanote over HTTPS. All data transferred over HTTPS is encrypted. Ideanote allows connections exclusively over HTTPS to ensure data is encrypted in transit.
