ModelCharter

Is NotebookLM safe for work?

Medium risk · 51

Google · Search · facts (high-confidence)

NotebookLM is medium-risk for default at-work use (51/100): it does not train on your data.

Watch out: NotebookLM does not train on your uploads or queries on either tier, a genuinely strong default. But Google is explicit that the product carries no SOC 2, ISO 27001 or HIPAA BAA today; for regulated data you would need the separate NotebookLM Enterprise product.

Data and compliance facts

Trains on consumer-tier data
No
Trains on business-tier data
No
Training opt-out available
Unverified
SOC 2 Type II
No
ISO 27001
No
ISO 42001 (AI management)
Unverified
GDPR Data Processing Addendum
Unverified
HIPAA BAA
No
EU data residency
Unverified
SSO / SAML
Unverified
Data retention
Feedback submissions (thumbs up or down) are retained up to 3 years, disconnected from your Google Account. General source and document retention is not detailed in Google's public documentation.
Safer tier
None of the consumer or Workspace-core tiers carry HIPAA, SOC or ISO coverage. Only NotebookLM Enterprise, a separate Google Cloud SKU with its own IAM, VPC-SC and CMEK controls, targets regulated use.

Why it scores 51 out of 100

  • +23SOC 2 Type II. Independent SOC 2 security attestation.
  • +14ISO 27001. ISO/IEC 27001 information-security certification.
  • +14HIPAA BAA. A Business Associate Agreement, required for protected health information.