We evaluated against other vendors as well as potentially solving this internally ourselves. Solving this problem internally was just way too much of a lift and the native tooling that was available within our cloud provider just didn’t cut it. We did a vendor bakeoff between a number of products and Formal came out on top.
Head of Security Engineering @ Notion
Challenges
- Explosive engineering growth created access-control complexity.
Hundreds of developers needed database access across 100+ growing RDS instances, making it difficult to manage permissions and monitor activity consistently. - Lack of centralized visibility into database usage.
Security teams had to piece together logs from many sources to answer basic questions like who ran what query and why – slowing investigations and heightening overall risk. - Native cloud and internal solutions couldn’t meet policy requirements.
Existing tooling lacked a strong policy layer, made scaling difficult, and required significant engineering lift to maintain.
Solutions
- A scalable, policy-driven access control layer powered by Formal.
Short-lived credentials, fine-grained policies, and centralized monitoring delivered the foundation for secure developer access. - Developer-friendly, seamless deployment.
A single-binary and API-first design allowed Notion to roll out Formal in less than a week with zero developer friction. - Visibility and prevention in one platform.
Formal became Notion’s centralized data-access operating system – enabling real-time visibility, fast investigations, and malicious query prevention across hundreds of data stores.
Growing Fast Meant Growing Security Complexity
Notion’s rapid global growth brought new engineering challenges to scale its systems and infrastructure. The team expanded services, added new workloads, and spun up hundreds of RDS instances – each with its own access patterns, configurations, and developer workflows.
As this complexity grew, so did the security challenges. With more than a hundred million users depending on Notion, the company’s data quickly became both a critical asset and a significant source of risk.
Ensuring secure access at this scale was increasingly difficult. Developers needed to move quickly, but security needed to guarantee that every access was approved, auditable, and compliant with their high security standards. In practice, this meant that tracing a single query – who ran it, why, and what it did – often required navigating scattered logs and multiple internal tools. Achieving the centralized Visibility was complex and required extensive manual effort from the security team.
As Notion partnered with enterprise customers and faced stricter regulatory expectations, the security team knew they needed a uniform, scalable approach. They required short-lived credentials, fine-grained controls, and end-to-end visibility across all developer data access. But they also couldn’t risk slowing engineering down. Any solution had to be both powerful and transparent to an engineer.
Existing Approaches Fell Short
Before Formal, Notion evaluated every reasonable path: native cloud solutions, internal tooling, and a range of vendors. None met their bar.
Native AWS features helped identify where data lived, but not how it was accessed in real time – and certainly not with a robust, expressive policy layer. Internal solutions were explored, but requirements like seamless developer experience, Okta-integrated JIT access, and consistent policy enforcement across 100+ databases quickly revealed the massive engineering lift such a build would require. It would take hundreds of hours just to build a minimum viable system, and years of ongoing maintenance to keep it aligned with Notion’s speed of product changes.
Vendor tools weren’t much better. Many focused on data discovery or simple visibility dashboards. Few tackled the underlying access-control problem. They could point out issues – but couldn’t fix them. Nothing offered the combination of scalability, prevention, policy depth, and developer transparency that Notion needed.
For a team managing both consumer-scale data and enterprise-grade expectations, these gaps were unacceptable. Notion needed a platform that would not only reveal access activity, but actively enforce guardrails, centralize policies, and eliminate friction for the hundreds of developers who touched internal systems every day.
What’s nice is that the developers who are using it don’t even notice that they’re using it. So it’s working very seamlessly into our system. It’s working in the background and it’s not impacting developer velocity.
Security Engineer @ Notion
Deploying Formal: Fast, Seamless, and Developer-Transparent
Formal delivered an approach fundamentally different from everything Notion had evaluated. It combined a strong policy engine, a lightweight proxy, and a single-binary deployment model that fit perfectly into Notion’s infrastructure choices – including Terraform and ECS. This meant the security team could roll out Formal quickly, confidently, and without forcing developers into new workflows.
Within days, Formal was fully operational in Notion’s environment. The rollout was guided by a hands-on team of experts from Formal who ensured a smooth deployment across the full database ecosystem. Logs flowed into Notion’s SIEM, short-lived credentials were automatically issued through Okta, and the entire access request process became JIT by default. Developers could keep using their existing tools, terminals, and database clients – with Formal quietly acting as the policy and visibility layer underneath.
Crucially, Formal introduced fine-grained, group-based access rules, eliminating broad or long-lived permissions. It also unlocked richer insight into access patterns, enabling both detection engineering and prevention policy refinement. What had previously required manual log correlation now became a single, centralized source of truth.
Most importantly it was frictionless for developers. Formal integrated into their workflows so smoothly that engineering velocity stayed intact – and in many cases, improved due to fewer manual steps.
The ROI was pretty significant for formal because it would’ve cost us hundreds of hours to develop our own. With formal, we were able to almost instantaneously deploy something that was gave us visibility into what we had difficulty seeing before and preventative measures that we desperately wanted to instill in our ecosystem.
Head of Security Engineering @ Notion
A Platform That Scales With Notion’s Growth
After deployment, Formal quickly became more than just a tool – it became Notion’s operating system for secure data access. With comprehensive visibility across all database activity, the security team could trace actions instantly, attribute queries with confidence, and detect anomalies that previously would have taken hours to diagnose.
Formal’s policy engine empowered Notion to mature its security posture as its customer base evolved. Enterprise customers brought stricter compliance expectations, and Formal made it possible to confidently meet them with clear evidence, preventative controls, and auditable access records. The system also accelerated internal security initiatives: classifying sensitive columns, shaping new internal standards around what constitutes safe behavior, and enabling proactive detection and prevention of unusual activity.
The ROI was immediate. What would have taken hundreds of engineering hours to build internally was available instantly – not as a one-off tool, but as a platform designed to evolve with Notion’s growth. As the company expanded into new markets and larger customers, Formal continued to scale effortlessly with the complexity of the environment.
Today, Notion’s security team relies on Formal as the foundation for how developers interact with sensitive data. It provides the centralized visibility they once lacked, the prevention they needed, and the confidence required to secure one of the world’s most widely used productivity platforms – all without ever slowing down the people building it.
