Security practices at Milanote

How Milanote keeps your data safe


At Milanote, we take the security of your data seriously and are committed to protecting it at every level. Below, you’ll find details about our security practices, designed to ensure your information remains safe and secure.


Data Security

Access Monitoring

Milanote has activated logging on all essential systems. The logs cover failed and successful logins, application access, content access by support staff, database access, administrator modifications, and system changes. Much of this data is processed by our observability and threat detection services, which will issue alerts if any threats are identified.
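The kind of alerting this paragraph describes, as an added example that is not Milanote's own tooling: two detections run over constructed audit-log lines in an assumed `timestamp event user=... ip=...` format. The first raises one alert per user/IP pair once failed logins in a sliding window reach a threshold; the second flags a successful login that follows a run of recent failures, which is the case an analyst most wants to review.

```python
"""Login-abuse detection over audit-log lines (added example, not Milanote's code).

Assumed log format, one event per line:
    <ISO-8601 timestamp> <event> user=<name> ip=<address> [key=value ...]
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the users, IPs and times are made up.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:10Z login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:20Z login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:30Z login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:40Z login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:50Z login_success user=alice ip=203.0.113.5
2024-05-01T10:05:00Z login_failed user=bob ip=198.51.100.7
2024-05-01T11:30:00Z login_failed user=bob ip=198.51.100.7
2024-05-01T10:06:00Z admin_change user=carol ip=192.0.2.9 detail=role_update
"""

FAILURE_THRESHOLD = 5            # failures per user/IP pair before alerting
WINDOW = timedelta(minutes=10)   # sliding window for counting failures


def parse_line(line):
    """Split one log line into a dict with a datetime 'ts', the 'event' and key=value fields."""
    ts_str, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "event": event, **kv}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _expire(bucket, now, window):
    """Drop timestamps that fell out of the sliding window."""
    while bucket and now - bucket[0] > window:
        bucket.pop(0)


def detect_brute_force(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """One alert per (user, ip) pair, raised when failures inside the window first reach the threshold."""
    failures = defaultdict(list)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "login_failed":
            continue
        key = (ev["user"], ev["ip"])
        bucket = failures[key]
        bucket.append(ev["ts"])
        _expire(bucket, ev["ts"], window)
        if len(bucket) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": ev["user"], "ip": ev["ip"],
                           "count": len(bucket), "at": ev["ts"]})
    return alerts


def success_after_failures(events, min_failures=3, window=WINDOW):
    """Flag a login_success preceded by at least min_failures recent failures from the same user/IP."""
    recent = defaultdict(list)
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] not in ("login_failed", "login_success"):
            continue
        key = (ev["user"], ev["ip"])
        bucket = recent[key]
        _expire(bucket, ev["ts"], window)
        if ev["event"] == "login_failed":
            bucket.append(ev["ts"])
        elif len(bucket) >= min_failures:
            flagged.append({"user": ev["user"], "ip": ev["ip"],
                            "preceding_failures": len(bucket), "at": ev["ts"]})
            bucket.clear()   # one flag per run of failures
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_brute_force(evs):
        print("brute-force:", a)
    for f in success_after_failures(evs):
        print("success after failures:", f)
```

On the sample data only alice's burst trips both detections; bob's two failures are 85 minutes apart and never share a window, and the administrator change passes through untouched (it would feed a separate rule on administrator modifications).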

Backups

Milanote stores customer data in a combination of databases on AWS and Google Cloud. Automatic backups are enabled, encrypted similarly to live production data, and occur at least daily.

Data Encryption

Milanote implements encryption in transit and at rest. Customer data is encrypted at rest using AES-256 within database tables and backups. The encryption keys are managed by our database storage providers. Data sent in transit is encrypted using TLS 1.2 or greater.

Physical Security

Milanote uses cloud providers to host our application and defers data center physical security controls to them.

Payment Data

Milanote does not handle or process payments directly. All payment transactions are managed through our partner Stripe. You can find information about their security measures and PCI compliance on Stripe's security page.


Application Security

Responsible Disclosure of Vulnerabilities

Milanote is happy to collaborate with the security community to find security vulnerabilities. These reports should be sent to security@milanote.com and should not be discussed outside of this program.

Software Development Lifecycle (SDLC)

At Milanote, we build security into our Software Development Lifecycle (SDLC) through several measures: design reviews to identify and mitigate potential security risks early in the development process; thorough code reviews to check quality, adherence to standards, and for vulnerabilities; and regular scanning of all open-source software (OSS) packages used in our projects for known vulnerabilities.

Vulnerability and Patch Management

Milanote performs vulnerability scanning and package monitoring on all infrastructure-related hosts and serverless functions. Services are patched on a regular basis. Any issues identified are triaged and resolved according to severity.

Web Application Firewall (WAF)

All public endpoints are protected by a managed Web Application Firewall to deter attempts to exploit common vulnerabilities.


Corporate Security

Incident Response

Milanote has a structured incident management plan to address security incidents, including preparation, identification, containment, investigation, eradication, recovery and post-mortem analysis. In the event of a security or data breach posing a risk, we promptly notify relevant authorities and affected individuals, providing all necessary details as outlined in our Privacy Policy.

Internal System Access

Multi-factor authentication (MFA) is used whenever possible by all Milanote employees to log in to any systems used to administer the application or infrastructure, or that may contain customer data. We discourage the use of shared accounts on any system and use an enterprise-grade password manager to securely share login details.


Infrastructure

Separate Production Environment

Customer data is never stored in non-production environments. We have separate development, testing and production environments.

Anti-DDoS

Milanote leverages third party applications and managed services for Distributed Denial of Service (DDoS) protection.

Data Center

Milanote is hosted on AWS and Google Cloud, which handle the physical security of their data centers. Please refer to AWS's security documentation and Google's security documentation.

Infrastructure Security

Milanote’s infrastructure is hosted in a highly secure and fully redundant environment within AWS. Customer data is stored across various data stores hosted by AWS and Google Cloud. AWS upholds best security practices through a range of reports, certifications, and third-party assessments. For more information, see the AWS compliance program.

AWS infrastructure is located in Amazon-controlled data centers, primarily in the United States, which are protected by robust physical security measures to prevent unauthorized access. Read more about AWS data centers and their security protocols.


Product Security Features

User Management

Only team administrators are able to add and remove people from a Team plan. Refer to Managing a Team plan for further details.

Managing Permissions

Users can manage access permissions for any content they create by controlling who they share a board with. For more information, see Sharing & Collaboration.

Authentication

Passwords are hashed with bcrypt. No plaintext passwords are stored. Milanote also provides support for Google and Apple OAuth.

Uploads

Uploading high-risk executables is restricted for all users. For a full list of supported file types, refer to What kind of files can I upload?
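One way an upload restriction of this kind can be enforced, as an added example that is not Milanote's code and does not reflect its actual file-type list: the check rejects on a deny-list of executable extensions and, independently, on the file's leading bytes, so a renamed executable such as a PE file uploaded as `photo.jpg` is still caught. The extension list and signature table are illustrative assumptions.

```python
"""Reject high-risk executable uploads by extension and by file signature.

Added example, not Milanote's code. BLOCKED_EXTENSIONS and EXECUTABLE_SIGNATURES
are illustrative assumptions, not Milanote's real policy.
"""
import os

# Extensions associated with directly executable content (assumed list).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                      ".ps1", ".msi", ".jar", ".sh"}

# Leading bytes of common executable containers, checked regardless of the claimed name.
EXECUTABLE_SIGNATURES = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary or Java class file",
    b"#!": "script with a shebang line",
}


class UploadRejected(Exception):
    pass


def sniff_executable(head: bytes):
    """Return a label if the leading bytes match a known executable signature, else None."""
    for sig, label in EXECUTABLE_SIGNATURES.items():
        if head.startswith(sig):
            return label
    return None


def check_upload(filename: str, head: bytes) -> str:
    """Return the normalised extension if the upload is acceptable; raise UploadRejected otherwise."""
    # Use only the basename so directory components cannot influence the decision.
    base = os.path.basename(filename.replace("\\", "/"))
    # The last extension decides, so "notes.pdf.exe" is treated as .exe.
    ext = os.path.splitext(base)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    label = sniff_executable(head)
    if label:
        raise UploadRejected(f"content looks like a {label}")
    return ext


# Constructed sample uploads: (claimed name, first bytes of content).
SAMPLES = [
    ("design.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("brief.pdf", b"%PDF-1.7\n"),
    ("notes.pdf.exe", b"MZ\x90\x00"),           # double extension
    ("photo.jpg", b"MZ\x90\x00"),               # executable renamed to an image
    ("readme.txt", b"#!/bin/sh\necho hello\n"), # script disguised as text
]


def classify_samples():
    """Run every sample through check_upload and report the outcome per file name."""
    results = {}
    for name, head in SAMPLES:
        try:
            check_upload(name, head)
            results[name] = "accepted"
        except UploadRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in classify_samples().items():
        print(f"{name:15} {outcome}")
```

In a real service the head bytes come from the first few bytes of the upload stream, the decision is made server-side before the object is stored, and the rejected attempts are logged so they show up in access monitoring.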


FAQ

Is content on Milanote being monitored or used to train AI?

No, the content posted on Milanote is not monitored or used for training AI algorithms.

Do you scrape my data in any manner?

Milanote doesn't scrape your data or incorporate it into any other systems.

Do you sell data to third parties?

No, Milanote does not sell data to third parties. That said, our system does rely on some third-party services for tracking performance and other metrics, but you do have the option to modify which cookies can be stored on your system here.

Can Milanote Provide a SOC 2 report?

At the moment, Milanote does not provide SOC 2 reports or other individual audits.


Do you adhere to HIPAA compliance?

We employ robust security measures, but it's important to note that we are not currently HIPAA-compliant. If you're dealing with sensitive information, you may want to consider platforms explicitly designed to protect health data.

Do you support Active Directory, SAML, OAuth or WS-Fed?

Milanote only supports OAuth through Apple and Google for now. If it is something you'd like to see as part of a future release, we encourage you to submit your suggestion through our feature request poll.
