The Invisible Hand in Your Workspace: Why Notion’s New AI Autonomy Changes Everything

There is a moment, familiar to anyone who has spent real time inside Notion, when the AI starts finishing your thoughts. You type a project title, and before you reach the colon, it has already drafted the objectives. You ask it a question about a product launch buried three months back in your company wiki, and it surfaces the answer with unnerving confidence. It is useful. It is, if you are being honest, slightly uncanny. And buried underneath all that convenience is a question most teams have not bothered to ask: where is your company knowledge actually going?

Notion, which is valued at around $10 billion and counts Amazon, Uber, Nike, and more than half the Fortune 500 among its customers, has spent the last two years transforming from a beautiful note-taking app into something closer to an operating system for company memory. With the rollout of Notion 3.0 in September 2025, the platform introduced AI agents capable of reading documents, connecting to Gmail, GitHub, and Jira, and taking autonomous multi-step actions inside your workspace. The pitch is intoxicating. The fine print is where things get complicated.

The Promise and the Pipeline

Let me tell you what Notion AI actually does with your data, because the company’s own documentation is worth reading carefully.

When you activate Notion AI, your workspace content does not simply stay in Notion¹. It passes through a chain of what the company calls AI subprocessors. As of early 2026, those subprocessors include OpenAI, Anthropic, and Google. Every page in your workspace is converted into a numerical representation called an embedding. Those embeddings are generated through OpenAI’s API and stored in a third-party vector database called Turbopuffer. For non-Enterprise plan users on Free, Plus, or Business tiers, the underlying LLM providers are permitted to retain your customer data for up to 30 days before deletion.

That 30-day window is the gap between what the marketing materials say and what the data handling actually means in practice. Your salary review notes, product roadmaps, client lists, and hiring trackers all touch OpenAI or Anthropic’s infrastructure before they reach the answer box on your screen. Only Enterprise plan customers get zero data retention with LLM providers. If your company is paying for the Business tier, which starts at far lower price points than Enterprise, your documents are spending a month in systems you do not control.

“The biggest problem is that it doesn’t know your workspace, it just searches it. If it had your workspace loaded in its context the usefulness would be 100% better.” — r/Notion user, 2025

Notion is direct about one thing: by default, it does not use your data to train its models, and it requires all subprocessors to agree contractually to the same prohibition. The official AI safety page² states that subprocessors are bound by agreements that prohibit any use of customer data for model training. The Notion AI Supplementary Terms confirm this position explicitly: your use of Notion AI does not grant Notion any right to train machine learning models on your content.

But there is a program most users have never heard of.

The LEAP Program: An Opt-In Nobody Talks About

Buried in Notion’s AI safety documentation is a disclosure about the AI LEAP Program. The program offers workspace owners something appealing: front-of-line access to future AI improvements and features in exchange for voluntarily sharing workspace data to improve underlying models. It is opt-in. Notion says so clearly. The question worth sitting with is why the program exists at all if training on customer data offers no value.

The existence of the LEAP Program tells you something important about the economics of AI at scale. Training data from real business workflows is not cheap to replicate synthetically. When a company like Notion builds an AI assistant that is supposed to understand the rhythms of project management, product strategy, and organizational knowledge, the most valuable training signal comes from actual product managers, strategists, and teams. The LEAP Program is how Notion harvests that signal from customers who willingly trade their data for early access.

Industry observers have noted the pattern across the productivity software sector. According to AI Reverie³, Slack faced a significant backlash in 2024 after users discovered that the platform’s default settings opted everyone into AI training, requiring an email to opt out. Zoom triggered similar outrage when it revised its terms of service to claim broad rights over content generated on its platform. The difference with Notion is that the opt-in mechanism is genuinely opt-in. The concern, raised by security and privacy researchers, is that for most users, the program’s existence is functionally invisible.

“While it’s great that training is opt-in,” notes one analysis from the team at eesel AI⁴, “the fact that your data leaves Notion to be processed by third parties is something to keep in mind. This is a big one that a lot of people miss.”

What the Data Actually Touches

To understand why the third-party processing question matters, you need to understand how Notion AI’s Q&A feature works under the hood. It is not magic. It is a retrieval pipeline with several moving parts.

Notion’s own documentation describes the flow: your workspace pages are sent to OpenAI to create embeddings. Those embeddings are stored in Turbopuffer’s vector database, which has been vetted for SOC 2 Type II certification. When you ask a question, it goes to an LLM subprocessor to be rephrased for optimal search results. The rephrased question queries Turbopuffer. Relevant pages come back. The question and those pages are sent to an LLM subprocessor to generate a response. Notion processes the output and shows it to you.

Every page in your workspace participates in this pipeline by default. The Q&A feature, as Wysor’s⁵ detailed privacy comparison notes, generates embeddings for every page in your workspace and searches across all pages you have permission to access. It is not limited to the document you are currently viewing. The entire corpus of your company’s institutional knowledge, everything from last year’s board presentation to today’s engineering incident report, exists in vector form inside a database that Notion does not own.

This is not a scandal. The data is encrypted in transit using TLS 1.2 or higher. The subprocessors are contractually bound. The certifications are real. But it is a fact that deserves more prominence than it gets in the average sales conversation, and for companies operating under GDPR, HIPAA, or sector-specific data regulations, it is a fact that has legal weight.

“73% of AI Agent implementations in European companies during 2024 presented some GDPR compliance vulnerability according to audit by EU Data Protection Authorities.” — Technova Partners⁶

The Vulnerability Nobody Fixed

The training fears, real or perceived, may actually be less urgent than a different problem that security researchers spent late 2025 and early 2026 documenting in public. It is called prompt injection, and in Notion’s case, it exposed something genuinely alarming.

In September 2025, researcher Abi Raghuram identified what security expert Simon Willison⁷ described as an instance of the “lethal trifecta” in Notion 3.0’s AI agents. The trifecta is the combination of three conditions that make AI-powered data theft possible: access to private data, exposure to untrusted content, and the ability to communicate externally. Notion’s AI agents have all three by design, because having all three is what makes them useful.

The attack Raghuram demonstrated was elegant and disturbing. A PDF with hidden white text on a white background, covered by a white square image for good measure, contained instructions telling Notion AI to read a client list, extract names and revenue figures, concatenate them into a URL string, and fire that string as a web search query to an attacker-controlled domain. The AI executed the instructions before the user could approve anything. According to Code Integrity⁸, the attacker received the data before the warning dialog appeared on screen.

The same month, security firm PromptArmor⁹ disclosed a separate vulnerability: Notion AI would exfiltrate user data via indirect prompt injection because AI document edits were saved before user approval. Researchers reported the issue through HackerOne. Notion’s initial response was to close the finding as “Not Applicable.”

Notion’s response after the public exposure was swift. By January 8, 2026, the company confirmed that remediation was in production. But the episode revealed something structural: Notion’s own AI scanner for malicious documents is itself an LLM, which means it can be bypassed by a prompt injection telling the scanner that the document is safe. Security researcher Bruce Schneier observed that this is an industry-wide problem, not a Notion-specific failure, but that observation offers cold comfort to the 100 million users whose workspaces contain genuinely sensitive information.

Schneier’s¹⁰ post on the topic put it plainly:

“Any AI that is working in an adversarial environment is vulnerable to prompt injection. It’s an existential problem that, near as I can tell, most people developing these technologies are just pretending isn’t there.”

The Regulatory Landscape Catching Up

The fears around AI workspace tools and data training are not purely hypothetical. They are increasingly the subject of formal regulatory attention, and the legal environment around them shifted significantly between 2024 and 2026.

The EU AI Act introduced compliance obligations that took effect in phases starting in 2025. Secure Privacy¹¹ reported that, as of early 2026, organizations face dual obligations under both GDPR and the AI Act for systems involving personal data. Cumulative GDPR fines since 2018 have reached 5.88 billion euros across more than 2,000 recorded penalties. Non-compliance with the AI Act can trigger fines up to 35 million euros or 7% of global annual revenue.

GDPR Article 35¹² requires data protection impact assessments when AI performs systematic evaluation of personal data at scale. Every time Notion AI generates embeddings from your entire workspace, it is doing exactly that. Under GDPR, embedding the generation of personal information requires a lawful basis that goes beyond operational convenience. “AI improvement” is not automatically sufficient justification under the regulation’s purpose limitation principle.

For American companies, the picture is more fragmented but heading in the same direction. California passed its AI Transparency Act, requiring risk assessments for automated decision-making. All 50 states introduced AI legislation in 2025, and 28 states passed substantive measures. Research from 2025, as reported by Entre¹³, found that sensitive data now makes up 34.8% of employee inputs to AI tools, up from 11% in 2023. Most of that data entry is not malicious. Employees are just doing their jobs, and the tools make it frictionless to paste in whatever they are working on.

The EU Data Protection Board issued preliminary guidance in January 2025, suggesting that current consent mechanisms for AI training use are insufficient. According to reporting by analysts tracking enterprise AI governance, California’s Attorney General has been investigating whether opt-out mechanisms for AI data processing are functional across major platforms.

The Contractual Gap

When a major financial services firm pushed back on Notion’s data practices in late 2024, the company reportedly offered custom enterprise agreements with explicit opt-out from model training pipelines. The reported price for those agreements was roughly triple the standard enterprise rate. The story, documented in investigations into enterprise AI data practices, is instructive. If explicit data exclusion is available for a premium, the implicit conclusion is that including customer data in training pipelines has a measurable dollar value.

Notion’s standard enterprise agreements include a Data Processing Addendum with EU and UK Standard Contractual Clauses. AI inputs and outputs are classified as Customer Data under the DPA. Subprocessors are contractually prohibited from training on that data. These are real protections, and Notion deserves credit for making them explicit.

What the contractual framework does not address is the inherent tension between the product’s value proposition and meaningful data separation. Notion AI gets smarter the more it knows about your workspace. That intelligence is built on embeddings of your documents. The embeddings travel through third-party systems. The third-party systems are bound by contracts that were written by Notion. Whether those contracts are actually enforceable against, say, OpenAI in the event of a model weight inspection or government subpoena is a question that has not been tested in court.

“A model cannot leak what it never sees.” — AI privacy researcher, Evinent

One reliable way to take the temperature of working professionals on any enterprise tool is to read what they say when they think nobody important is listening. According to Tool Discovery¹⁴, the r/Notion community on Reddit is a good barometer, and what it shows is a split between power users who find genuine value in the AI features and skeptics who regard the whole thing as an overpriced wrapper around models they could access directly.

The most upvoted criticism on the subreddit in 2025 and early 2026 is not about training fears at all. It is about the AI’s failure to actually understand the workspace it claims to know.

“The biggest problem is that it doesn’t know your workspace, it just searches it,” one highly upvoted comment reads. “If it had your workspace loaded in its context the usefulness would be 100% better.”

That complaint is revealing in its own way. The promise of Notion AI is deep contextual intelligence about your organization. The reality, for most users, is a retrieval system that sometimes finds relevant pages and sometimes does not. If the product were actually ingesting and learning from your workspace at the level users expect, the privacy stakes would be higher. The gap between the marketing and the mechanics cuts in multiple directions.

On Hacker News, the community’s reaction to the prompt injection disclosures was sharper. One commenter noted that the lethal trifecta conditions are not a bug in Notion’s design but a feature: the whole point of an AI agent is that it can access your data, read external content, and do things with that combination. Removing any of the three capabilities would cripple the product. This is the bind that every enterprise AI workspace vendor is currently sitting in, and nobody has found a clean way out of it.

The Question of Model Contamination

There is a separate concern that does not get enough attention in privacy discussions about AI workspaces, and it is worth naming directly: even if your documents are never used to train a model, the outputs that AI generates from your documents are a form of knowledge transfer that is not covered by contractual prohibitions on training.

When Notion AI summarizes your product roadmap and returns a response, that response was generated by a model run by OpenAI or Anthropic on their infrastructure. The response itself is not your customer data in any legal sense. But the model that generated the response was informed by your customer data at the moment of inference. The question of whether multi-tenant inference creates any durable signal in model behavior is genuinely unsettled in the academic literature on large language models.

Most security researchers believe the answer is no, that inference does not persistently modify model weights, and Notion’s architecture keeps individual customer accounts separate in its production environment. But the question is not purely technical. It is also about trust in a system where contractual obligations run through multiple intermediaries, the infrastructure is not auditable by the enterprise customer, and the models themselves are black boxes.

What gets called a “training fear” is often something more specific: a fear that your company’s strategic thinking, its unpublished product plans, its personnel decisions, its client relationships, could become legible to systems you do not govern. That fear does not require any training to occur. It requires only that the data travels.

What Responsible Use Looks Like

None of this means that Notion AI is unsafe to use. It means it requires the same careful thinking that any enterprise software integration should receive, which, in practice, most organizations skip because the tools are fast and the legal review is slow.

Organizations operating under GDPR should conduct a Data Protection Impact Assessment before enabling Notion AI at workspace scale. This is not optional under Article 35 when systematic processing of personal data is involved. The assessment should document what categories of data live in the Notion workspace, which subprocessors will process it, under what legal basis, and for how long.

Enterprise plan customers get stronger protections: zero data retention with LLM providers, which means your content is not sitting in OpenAI’s systems for 30 days after each query. For any organization handling genuinely sensitive information, the cost difference between Business and Enterprise plans should be weighed against the data retention differential, not just against feature availability.

Notion’s¹⁵ guidance on prompt injection risks is worth reading for anyone enabling the AI agent features. The company recommends restricting URL access for agents, turning off web search if it is not required, and approaching untrusted documents with caution. These are reasonable precautions. The uncomfortable reality is that the attack surface for prompt injection scales with the usefulness of the agent. The more your agent can do, the more an attacker can make it do.

The Deeper Problem

Notion is not a uniquely bad actor here. The company has been more transparent than most about its data practices, has published detailed subprocessor documentation, and has contractual structures that are more rigorous than many competitors. What Notion represents is a broader and largely unresolved tension in enterprise AI: the intelligence of these systems is inseparable from their access to your information.

The value proposition of an AI workspace assistant is that it knows your organization. Not a generic organization. Yours. The meeting notes from last quarter, the strategic pivots that never made it to the all-hands, and the way your team actually talks about clients when the clients are not listening. That organizational specificity is exactly what makes the product worth paying for. It is also exactly what makes the data handling question serious.

The Gartner¹⁶ survey of enterprise risk executives in 2025 found that AI-related information governance risks had moved to second place among the biggest business risk factors, behind only weak economic growth. That was up from fourth place just three months earlier. The category rising fastest was shadow AI: employee use of unapproved tools. The irony is that as IT departments lock down unofficial AI use, the officially approved tools like Notion AI carry their own governance gaps that are less visible precisely because they are approved.

The regulatory environment is hardening. The enforcement tools are becoming sharper. And the products are becoming more capable and more deeply embedded in organizational workflows at the same time. That combination is not a crisis today. Left unexamined, it becomes one.

The question worth asking before your next Notion AI rollout is not just whether the terms of service permit the use. It is whether you understand, concretely and specifically, the path that your company’s knowledge takes between when it enters your workspace and when it becomes an answer on a screen. That path runs through more hands than most people realize.

Sources

1. “Notion AI security & privacy practices – Notion Help Center” Notion, www.notion.com/help/notion-ai-security-practices. Accessed 21 Apr. 2026. ↩︎
2. “Notion’s commitment to AI safety – Notion Help Center” www.notion.com/help/ai-safety. Accessed 21 Apr. 2026. ↩︎
3. AI Reverie, aireverie.beehiiv.com/p/slack-faces-backlash-over-ai-data-training-practices. Accessed 21 Apr. 2026. ↩︎
4. AI, eesel. “A practical guide to Notion AI security & privacy practices” Eesel AI, 19 Oct. 2025, www.eesel.ai/blog/notion-ai-security-privacy-practices. Accessed 21 Apr. 2026. ↩︎
5. “Private Notion AI Alternative: AI Without Multi-Party Data Processing” Wysor, wysor.io/private-alternative/notion-ai. Accessed 21 Apr. 2026. ↩︎
6. Marques, Alfons. “AI Agents & GDPR 2026: Compliance Checklist” Technova Partners, 10 Apr. 2026, technovapartners.com/en/insights/security-gdpr-enterprise-ai-agents. Accessed 21 Apr. 2026. ↩︎
7. Willison, Simon. “The Hidden Risk in Notion 3.0 AI Agents: Web Search Tool Abuse for Data Exfiltration” Simon Willisons Weblog, 19 Sept. 2025, simonwillison.net/2025/Sep/19/notion-lethal-trifecta/. Accessed 21 Apr. 2026. ↩︎
8. Raghuram, Abi. “The Hidden Risk in Notion 3.0 AI Agents: Web Search Tool Abuse for Data Exfiltration” CodeIntegrity, 19 Sept. 2025, www.codeintegrity.ai/blog/notion. Accessed 21 Apr. 2026. ↩︎
9. “Notion AI: Data Exfiltration” www.promptarmor.com/resources/notion-ai-unpatched-data-exfiltration. Accessed 21 Apr. 2026. ↩︎
10. Schneier, Bruce. “Abusing Notion’s AI Agent for Data Theft” Schneier on Security, 29 Sept. 2025, www.schneier.com/blog/archives/2025/09/abusing-notions-ai-agent-for-data-theft.html. Accessed 21 Apr. 2026. ↩︎
11. Team, Secure Privacy. “GDPR Compliance in 2026: The Complete Guide” Secure Privacy Blog, 26 Nov. 2025, secureprivacy.ai/blog/gdpr-compliance-2026. Accessed 21 Apr. 2026. ↩︎
12. “Art. 35 GDPR – Data protection impact assessment” General Data Protection Regulation (GDPR), gdpr-info.eu/art-35-gdpr/. Accessed 21 Apr. 2026. ↩︎
13. Aftab, Mohammad. “AI Data Privacy for Businesses: Safe Usage Guide for 2026” 30 Jan. 2026, www.entremt.com/ai-data-privacy-business-guide-2026/. Accessed 21 Apr. 2026. ↩︎
14. “Notion AI Reddit Review 2026: Is It Worth It?” www.aitooldiscovery.com/guides/notion-ai-reddit. Accessed 21 Apr. 2026. ↩︎
15. “How Notion 3.0 protects against prompt injection risks – Notion Help Center” www.notion.com/help/how-notion-protects-against-prompt-injection-risks. Accessed 21 Apr. 2026. ↩︎
16. Garter, Gartner, www.gartner.com/en/newsroom/press-releases/2025-11-06-gartner-survey-finds-risk-leaders-concered-about-low-growth-econ-environment-and-ai-risks-in-q3. Accessed 21 Apr. 2026. ↩︎