Data Security & Compliance

Encryption Everywhere

All data that flows through Ideanote is encrypted using strong cryptography both when it is sent across the internet (TLS 1.2+) and when it is stored in our databases or file systems (AES-256). This ensures that your data is protected against unauthorized access, whether it’s moving between systems or sitting at rest in storage.

Least-Priviledge Access

Access to customer data is granted only when strictly necessary and always limited to the minimum required. Every employee has unique accounts, multi-factor authentication is enforced, and terminated accounts are automatically removed within one business day. This prevents unnecessary exposure and reduces risk in case of human error or malicious intent

Continous Monitoring

With Drata, our infrastructure, endpoints, and policies are monitored around the clock. Automated alerts and daily evidence collection ensure that security controls are active and effective every single day.

Secure Development Lifecycle

Our software development lifecycle (SDLC) includes multiple safeguards. Every code change undergoes peer review, automated testing, and security scans before release. Dependencies are continuously checked for vulnerabilities, and builds are validated in separate development, staging, and production environments. MFA is enforced for all code repositories, deployment systems, and pipelines, ensuring secure practices from code creation to deployment.

Clear Reporting Structure

We maintain documented internal processes and external contacts so vulnerabilities and incidents can be reported and addressed quickly and transparently.

Secure Authentication

Ideanote supports multiple enterprise‑grade authentication methods, including SAML 2.0, SCIM, JWT, OpenID and more. These options give organizations strong control over identity management and provide secure, streamlined access for their teams.

‍

How we Handle your Data

Our team is dedicated to developing and maintaining data privacy safeguards that align with industry best practices. We provide ongoing training to ensure our employees are up to date with evolving legislation and privacy standards. Every employee and contractor signs confidentiality and non-disclosure agreements, and vendors handling personal data must meet the same strict requirements.

Agreements

The Ideanote Terms and Data Processing Addendum describe in detail our data privacy practices, standards, and safeguards. These agreements are regularly reviewed and updated to ensure compliance with GDPR, CCPA, and other global data protection laws.

Data Governace

We apply policies and procedures that govern the entire data lifecycle from collection and processing to distribution, storage, and deletion. This ensures your information remains secure, private, accurate, and accessible throughout its use.

Security infrastructure

Ideanote’s infrastructure is designed with layers of protection to help ensure your data is secure while transmitted, stored, or processed. Protections include but are not limited to encryption, least privilege access, secure software development.

SOC2 Type II

Our systems and controls are audited against the AICPA Trust Services Criteria, verifying that Ideanote maintains effective safeguards over security, availability, and confidentiality over time. Ideanote is proud to be SOC 2 Type II certified by an independent third-party auditor, ensuring customers that our security controls have been attested and validated. We are constantly looking for ways to not only improve security for our product but also with how we conduct business on a daily basis.

‍

GDPR Compliance

As the GDPR is considered the most stringent global privacy framework and because Ideanote is based in the EU we map our privacy program to its requirements and other international regulations. Customers have rights to access, correct, delete, and restrict the use of their personal data in accordance with GDPR.

Data Residency Options

Data residency for Ideanote lets organizations choose the country or region where they want to store their encrypted data at rest. Ideanote supports the EU, US, CA and AE regions out of the box. It gives customers the flexibility to comply with regional regulations like the Canadian Provincial Privacy Regulation, the Australian Privacy Act of 1988 or the KSA Data Sovereignty Policy.

On-Premise Hosting

For organizations with strict compliance or security mandates, Ideanote also offers fully self‑managed installations that provide maximum control over data location, infrastructure, and operational policies. With Ideanote you can keep all company ideas behind your firewall.

Automatic Load Balancing

Load balancing and a clustered architecture ensure high availability for our webapp and API. Ideanote's system scales automatically with demand and can handle traffic peaks for global campaigns without a problem.

Backup and Retention

All databases are backed up daily, with versioned storage and defined retention periods. This ensures data can be restored reliably and quickly.

Cloud Monitoring and Alerts

Core infrastructure, including databases and messaging queues, is continuously monitored. Automated alerts escalate issues before they impact availability.

Business Continuity

A tested disaster recovery and business continuity plan ensures services can be restored quickly in case of incidents. Lessons learned from testing feed into continuous improvements.

No Training on Customer Data

Your content stays yours. Ideanote does not use customer content to train AI models.
We also require that our subprocessors refrain from using your data for model training.

Microsoft confirms that Azure OpenAI does not use customer data to train. Learn more >

Regional AI And Data Residency

If you use Ideanote in a regional deployment, your AI processing stays in-region alongside your workspace data. This helps you meet internal and regulatory expectations around data residency—without additional setup or maintenance from your side.

For example, Microsoft’s EU Data Boundary keeps eligible data stored and processed within the EU. Learn more >

Enterprise Security And Isolation

Your AI data is processed in infrastructure designed for confidentiality and compliance, with encryption and isolation built in by default.

Azure OpenAI uses AES-256 encryption and logical data isolation.
Learn more >

Zero Logging And Zero Retention

We have you covered on the basics so you don’t need to worry:

• We have disabled logging of prompts and completions
• We enforce zero retention, so prompts and completions are not stored
• No human review of customer content
• No data is held for training, monitoring or auditing purposes

Azure OpenAI supports deployments with no logging and no retention after approval. Learn more >‍

Fine-Grained Control

AI is optional and configurable. You can turn all AI features off, disable specific capabilities or limit access to selected users. This gives teams the benefits of AI without exceeding internal policies.

BYOK and Customer Endpoints

Ideanote is open to BYOK approaches for AI where requests are sent to your own cloud AI providers for even more control. While this is not enabled in our interface we can work with you to enable AI your way.