Is NotebookLM safe for work?
Medium risk · 51Google · Search · facts (high-confidence)
NotebookLM is medium-risk for default at-work use (51/100): it does not train on your data.
51
Medium risk
Watch out: NotebookLM does not train on your uploads or queries on either tier, a genuinely strong default. But Google is explicit that the product carries no SOC 2, ISO 27001 or HIPAA BAA today; for regulated data you would need the separate NotebookLM Enterprise product.
Data and compliance facts
- Trains on consumer-tier data
- No
- Trains on business-tier data
- No
- Training opt-out available
- Unverified
- SOC 2 Type II
- No
- ISO 27001
- No
- ISO 42001 (AI management)
- Unverified
- GDPR Data Processing Addendum
- Unverified
- HIPAA BAA
- No
- EU data residency
- Unverified
- SSO / SAML
- Unverified
- Data retention
- Feedback submissions (thumbs up or down) are retained up to 3 years, disconnected from your Google Account. General source and document retention is not detailed in Google's public documentation.
- Safer tier
- None of the consumer or Workspace-core tiers carry HIPAA, SOC or ISO coverage. Only NotebookLM Enterprise, a separate Google Cloud SKU with its own IAM, VPC-SC and CMEK controls, targets regulated use.
Why it scores 51 out of 100
- +23SOC 2 Type II. Independent SOC 2 security attestation.
- +14ISO 27001. ISO/IEC 27001 information-security certification.
- +14HIPAA BAA. A Business Associate Agreement, required for protected health information.