Outline was created to be the best place to write and publish your mission-critical documents. We consider security, access control, and strong content management tools to be a key component of a successful documentation effort.

Whether you use our cloud-hosted version or our on-premise enterprise edition, your data will be secure and fully under your control.

Privacy and data portability

First and foremost, we take our obligation to protect user privacy very seriously and comply with all applicable privacy laws and regulation. You can learn about the details in our Privacy Policy.

If at any time you wish to take your data out of Outline, you may export all document text and images to portable markdown or JSON by going to Settings > Import/Export in the Outline UI or you can access all available data using the API.

Network security and reliability

When use Outline, the transmission of information between your device and our servers is protected using 256-bit TLS Elliptical Curve encryption. At rest, Outline encrypts all data using AES-256.

Outline servers are located in the US and data centers are managed by Amazon Web Services.

Data is continuously replicated off-site. Secondary backups are taken daily and retained for at least 3 months, they are fully encrypted in transit and at rest.

Product security

Outline has a robust and easy to understand permissions system built into the product. Permissions are targeted at the Collections level and assigned to individuals and pre-defined groups. Collections can be configured to enable or prevent public sharing of documents.

Outline also provides a document-level revision history for every document, so changes can be tracked through time and an audit trail of changes can be established.

In the cloud-hosted version, Outline supports single sign-on through Google, Slack, and Microsoft 356. These are all battle-tested industry leading authentication providers, with excellent security track records.

For the enterprise self-hosted edition, Outline supports SAML-based Single Sign On (SSO) using providers like Okta and OneLogin in addition to the other methods listed above.

Operational and information security

People are often the weakest link in any security environment; recognizing this, Outline designs its organization and processes to create the smallest possible attack surface.

• Outline purposefully does not have internal administrative “god mode” interfaces with broad access to customer data.

• We do not implement user impersonation features in our support tooling.

These design decisions may cause some support cases to take longer to resolve, but provides “defense in depth”, ensuring that even if an internal admin account is compromised, customer data will not be exposed.

Open source and community

Outline is proudly open-source at its core. Outline cloud, community edition, and enterprise edition all share the large majority of their codebase. In addition to our own efforts, we leverage the power of the open-source community to monitor the Outline code and its dependencies for security vulnerabilities.

We have thousands of self-hosted and enterprise instances of Outline running in production, each monitored and vetted by volunteer and commercial contributors and IT teams. Outlines vibrant self-hosted community regularly performs independent security audits and penetration tests.

How to report an issue

The procedure for reporting and resolving a suspected issue or vulnerability is documented in the developer docs in the security section.