Data Security & Compliance
Trust Ideanote to keep your data secure and meet your compliance requirements.
Ideanote supports SSO through SAML 2.0, SCIM provisioning, domain claiming, and device management integrations so only approved users and trusted devices ever reach your workspace.
All customer data in Ideanote is encrypted both in transit and at rest by default. Enterprise admins gain additional visibility and control with audit logs, advanced permission settings, and integrations with audit log aggregators to safeguard your information.
Features such as global retention policies, export controls, and audit trails help organizations manage compliance obligations and maintain oversight across the full lifecycle of their ideas.
Ideanote offers standard cloud hosting, regional data residency, dedicated single‑tenant deployments, and fully self‑managed on‑premise installations—giving you control over where and how your data is hosted.
Trust Speaks Louder than Words
With a 98% score on SecurityScorecard, Ideanote ranks among the most secure platforms worldwide. This top-tier rating confirms our strong defenses, continuous monitoring, and low-risk profile.
Visit our Security Report
Ideanote has been audited against and found compliant with SOC 2 security, availability, and confidentiality principles by an independent auditor.
You can confirm our current security report on our trust center.
Security
We take a security-by-design approach to protect your data. Our infrastructure, policies, and processes are continuously monitored by Drata to ensure compliance with industry standards.
Encryption Everywhere
All data that flows through Ideanote is encrypted using strong cryptography both when it is sent across the internet (TLS 1.2+) and when it is stored in our databases or file systems (AES-256). This ensures that your data is protected against unauthorized access, whether it’s moving between systems or sitting at rest in storage.
Least-Privilege Access
Access to customer data is granted only when strictly necessary and always limited to the minimum required. Every employee has unique accounts, multi-factor authentication is enforced, and terminated accounts are automatically removed within one business day. This prevents unnecessary exposure and reduces risk in case of human error or malicious intent.
Continuous Monitoring
With Drata, our infrastructure, endpoints, and policies are monitored around the clock. Automated alerts and daily evidence collection ensure that security controls are active and effective every single day.
Secure Development Lifecycle
Our software development lifecycle (SDLC) includes multiple safeguards. Every code change undergoes peer review, automated testing, and security scans before release. Dependencies are continuously checked for vulnerabilities, and builds are validated in separate development, staging, and production environments. MFA is enforced for all code repositories, deployment systems, and pipelines, ensuring secure practices from code creation to deployment.
Clear Reporting Structure
We maintain documented internal processes and external contacts so vulnerabilities and incidents can be reported and addressed quickly and transparently.
Secure Authentication
Ideanote supports multiple enterprise‑grade authentication methods, including SAML 2.0, SCIM, JWT, OpenID and more. These options give organizations strong control over identity management and provide secure, streamlined access for their teams.
Privacy
Your data stays yours. We design our platform and policies to ensure confidentiality, transparency, and compliance with global standards.
How we Handle your Data
Our team is dedicated to developing and maintaining data privacy safeguards that align with industry best practices. We provide ongoing training to ensure our employees are up to date with evolving legislation and privacy standards. Every employee and contractor signs confidentiality and non-disclosure agreements, and vendors handling personal data must meet the same strict requirements.
Agreements
The Ideanote Terms and Data Processing Addendum describe in detail our data privacy practices, standards, and safeguards. These agreements are regularly reviewed and updated to ensure compliance with GDPR, CCPA, and other global data protection laws.
Data Governance
We apply policies and procedures that govern the entire data lifecycle from collection and processing to distribution, storage, and deletion. This ensures your information remains secure, private, accurate, and accessible throughout its use.
Security infrastructure
Ideanote’s infrastructure is designed with layers of protection to help ensure your data is secure while transmitted, stored, or processed. Protections include but are not limited to encryption, least-privilege access, and secure software development.
Compliance
We align with leading frameworks and undergo independent audits to provide assurance that your data is handled responsibly.
SOC2 Type II
Our systems and controls are audited against the AICPA Trust Services Criteria, verifying that Ideanote maintains effective safeguards over security, availability, and confidentiality over time. Ideanote is proud to be SOC 2 Type II certified by an independent third-party auditor, assuring customers that our security controls have been attested and validated. We are constantly looking for ways to improve security not only in our product but also in how we conduct business on a daily basis.
GDPR Compliance
As the GDPR is considered the most stringent global privacy framework and because Ideanote is based in the EU, we map our privacy program to its requirements and other international regulations. Customers have rights to access, correct, delete, and restrict the use of their personal data in accordance with GDPR.
Data Residency Options
Data residency for Ideanote lets organizations choose the country or region where they want to store their encrypted data at rest. Ideanote supports the EU, US, CA and AE regions out of the box. It gives customers the flexibility to comply with regional regulations like the Canadian Provincial Privacy Regulation, the Australian Privacy Act of 1988 or the KSA Data Sovereignty Policy.
On-Premise Hosting
For organizations with strict compliance or security mandates, Ideanote also offers fully self‑managed installations that provide maximum control over data location, infrastructure, and operational policies. With Ideanote you can keep all company ideas behind your firewall.
Reliability
Innovation requires a platform you can depend on. Ideanote is built with resilience and continuity in mind.
Automatic Load Balancing
Load balancing and a clustered architecture ensure high availability for our webapp and API. Ideanote's system scales automatically with demand and can handle traffic peaks for global campaigns without a problem.
Backup and Retention
All databases are backed up daily, with versioned storage and defined retention periods. This ensures data can be restored reliably and quickly.
Cloud Monitoring and Alerts
Core infrastructure, including databases and messaging queues, is continuously monitored. Automated alerts escalate issues before they impact availability.
Business Continuity
A tested disaster recovery and business continuity plan ensures services can be restored quickly in case of incidents. Lessons learned from testing feed into continuous improvements.
AI Governance
AI in Ideanote is built to help you work smarter without adding risk or complexity. We follow a clear governance model that protects your data, respects privacy and gives you control over how AI is used. You can adopt AI knowing the essentials are handled for you.
No Training on Customer Data
Your content stays yours. Ideanote does not use customer content to train AI models.
We also require that our subprocessors refrain from using your data for model training.
Microsoft confirms that Azure OpenAI does not use customer data to train.
Regional AI And Data Residency
If you use Ideanote in a regional deployment, your AI processing stays in-region alongside your workspace data. This helps you meet internal and regulatory expectations around data residency—without additional setup or maintenance from your side.
For example, Microsoft’s EU Data Boundary keeps eligible data stored and processed within the EU.
Enterprise Security And Isolation
Your AI data is processed in infrastructure designed for confidentiality and compliance, with encryption and isolation built in by default.
Azure OpenAI uses AES-256 encryption and logical data isolation.
Zero Logging And Zero Retention
We have you covered on the basics so you don’t need to worry:
- We have disabled logging of prompts and completions
- We enforce zero retention, so prompts and completions are not stored
- No human review of customer content
- No data is held for training, monitoring or auditing purposes
Azure OpenAI supports deployments with no logging and no retention after approval.
Fine-Grained Control
AI is optional and configurable. You can turn all AI features off, disable specific capabilities or limit access to selected users. This gives teams the benefits of AI without exceeding internal policies.
BYOK and Customer Endpoints
Ideanote is open to BYOK approaches for AI where requests are sent to your own cloud AI providers for even more control. While this is not enabled in our interface, we can work with you to enable AI your way.
Frequently Asked Questions
For up-to-date information on our SLAs, please see https://ideanote.io/legal/sla
- We guarantee an uptime of 99.9%
- Ideanote’s RTO is 1 hour
- Ideanote’s RPO is 24 hours
- Ideanote’s MTPOD is 8 days
Yes, your Content and PII are encrypted at rest on Google Cloud databases using KEK. Industry-standard, FIPS-compliant encryption is used (AES 256).
The Google Cloud Platform encrypts customer data stored at rest by default. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK).
For more information see https://cloud.google.com/docs/security/encryption/default-encryption
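The DEK/KEK wrapping described above, as an added illustration in Node.js (not Ideanote's or Google's code). The function names, the 16-byte chunk size and the use of the chunk index as authenticated data are assumptions made for the demo; it also shows why rotating a KEK does not require re-encrypting the stored chunks.

```javascript
// Added illustration of envelope encryption; not Ideanote's or Google's code.
const nodeCrypto = require('node:crypto');

// AES-256-GCM encrypt; aad binds context (here: the chunk index) to the ciphertext.
function seal(key, plaintext, aad = Buffer.alloc(0)) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Decrypt; throws on a wrong key, tampered data or mismatched aad.
function unseal(key, box, aad = Buffer.alloc(0)) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Each chunk gets its own random DEK; the DEK is stored wrapped by the KEK beside it.
function encryptChunks(kek, data, chunkSize = 16) { // 16 bytes: tiny demo value
  const out = [];
  for (let i = 0, n = 0; i < data.length; i += chunkSize, n++) {
    const dek = nodeCrypto.randomBytes(32);
    const body = seal(dek, data.subarray(i, i + chunkSize), Buffer.from(String(n)));
    out.push({ body, wrappedDek: seal(kek, dek) });
  }
  return out;
}

function decryptChunks(kek, chunks) {
  return Buffer.concat(chunks.map((ch, n) =>
    unseal(unseal(kek, ch.wrappedDek), ch.body, Buffer.from(String(n)))));
}

// Rotating the KEK rewraps only the 32-byte DEKs; chunk ciphertext is not touched.
function rotateKek(oldKek, newKek, chunks) {
  return chunks.map(ch => ({
    body: ch.body,
    wrappedDek: seal(newKek, unseal(oldKek, ch.wrappedDek)),
  }));
}

// Constructed sample input and keys (a real KEK would live in a key management service).
const kek1 = nodeCrypto.randomBytes(32);
const kek2 = nodeCrypto.randomBytes(32);
const sample = Buffer.from('constructed sample record: idea #1, idea #2, idea #3');
const stored = encryptChunks(kek1, sample);
const rotated = rotateKek(kek1, kek2, stored);
```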
We take security very seriously. Your data is protected with HTTPS enforcement and Transport Layer Security (TLS) 1.3 with SHA-256 hashing and RSA-2048 signing to keep it private during transit. At rest it is kept safe and encrypted in our SOC2 compliant Google Cloud Kubernetes Datacenter.
On top of the security features of our datacenter we have:
- 128-bit SSL encryption of all data transfer in our platform.
- Daily backups of all your data, in case anything goes wrong.
- Security protocols where we work.
Ideanote believes anonymity should be clear and consistent for users. Ideanote offers three levels of anonymity on the platform.
- Visible Ownership - where the full name is visible to everyone who can see the idea.
- Partly Anonymous Ownership - where the full name is visible for people with editing rights to the idea collection, including admins.
- Fully Anonymous Ownership - where not even admins can see that you submitted an idea.
Fully Anonymous Ownership hides your name from other people everywhere in the user interface, including lists, statistics, integrations, notifications and exports. While anonymous ideas are also not counted in statistics and not shown on your profile, it might still be possible to identify or approximate an idea submitter's identity via metadata like the location of a user, custom JavaScript code added to the platform by the administrator, or process loopholes like only letting one person submit an idea at a time while knowing who a link was sent to.
Ideanote is also forced to provide a "data dump" export of all data on a workspace on request by the Workspace Owner for compliance reasons. While these requests are rare, the data might contain ways to uncover anonymity. Ideanote does not reveal the identity of anonymous ideas on request. In cases of suspected gross negligence, Ideanote reserves the right to send notifications to users suspected to be victims of a breach of their anonymity.
Ideanote is using GCP as a secure data center provider. The Google Cloud Platform data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are available in case an incident occurs. Access to Google's data center floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics.
Only approved employees with specific roles may enter. Additionally, Google data center physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection. Google meticulously tracks the location and status of all equipment within their data centers from acquisition to installation to retirement to destruction, via barcodes and asset tags. Metal detectors and video surveillance are implemented to help make sure no equipment leaves the data center floor without authorization.
If a component fails to pass a performance test at any point during its lifecycle, it is removed from inventory and retired. Google hard drives leverage technologies like FDE (full disk encryption) and drive locking, to protect data at rest. When a hard drive is retired, authorized individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility. Each data center adheres to a strict disposal policy and any variances are immediately addressed.
Ideanote is protected against vulnerabilities and threats with a range of
- Ideanote is protected against DDOS attacks with the Google Cloud Armor WAF (Web Application Firewall).
- Ideanote follows secure development lifecycle and secure development environment practices.
- Ideanote tests against OWASP 10 vulnerabilities and develops with OWASP 10 in mind.
- Ideanote conducts a vulnerability assessment by an independent third party on an annual basis and remediates any findings.
- Any security findings are prioritized and addressed on a running basis.
- Ideanote has separate development, staging and production environments and does not use production data during development.
- Customer data is encrypted at rest and in transit.
- Industry-standard encryption methods (AES 256) are used to protect customer data.
- Code dependencies are automatically checked for vulnerabilities.
- Automated tests are run to ensure authentication and authorization methods are secure.
- Ideanote endpoints are hardened, encrypted and protected against malware.