by jedberg 431 days ago
> Notion being SOC 2 Type 2 and Notion Email only being Type 1 is a red flag that they're doing something weird or not re-using policies and infrastructure.

No, it's not. It's a new product. As you aptly pointed out, Type 2 is "over time". It's a fixed time period (at a minimum three months) that you have to be observed. That means you can't get a Type 2 until you've been live for 3 months, and that's assuming you've already engaged the auditor on day one.

Given that this is a new space for them, they probably had to add new infra or policies that weren't under consideration before.