peterldowns 6 days ago

And for anyone who hasn't gone through the certification process before, SOC 2 Type I means that they were able to demonstrate a set of controls and evidence that their implementation passes those controls — just once. Type 2 is continuously evaluated. Notion being SOC 2 Type 2 and Notion Email only being Type 1 is a red flag that they're doing something weird or not re-using policies and infrastructure.

jedberg 6 days ago

> Notion being SOC 2 Type 2 and Notion Email only being Type 1 is a red flag that they're doing something weird or not re-using policies and infrastructure.

No it's not. It's a new product. As you aptly pointed out, Type 2 is "over time". It's a fixed time period (at a minimum three months) that you have to be observed. That means you can't get a Type 2 until you've been live for 3 months, and that's assuming you've already engaged the auditor on day one.

Given that this is a new space for them, they probably had to add new infra or policies that weren't under consideration before.

atonse 5 days ago

Not necessarily. A SOC 2 audit also often has a "Scope" – that can mean that some apps are in-scope for the audit, and some aren't.

It might be that this particular app was not ready to be in scope for their audit or observation period, so was left out, even if it's in the same infrastructure.

It still means the app is less mature, but I wouldn't go so far as to say it's a red flag.

Either way, I'd wait for something this critical (like giving it access to my email) for a few months to have any low hanging fruit bugs worked out before jumping in.

sudonim 6 days ago

My guess is that Notion Mail is on the way to SOC 2 Type 2. You start by getting Type 1 and then get evaluated for Type 2 after a period of time.

I was surprised that our auditors wanted to re-do SOC 2 for our second product rather than just apply it to the company.

1123581321 6 days ago

It's because they acquired Skiff. They would have to fully integrate it into their compliant infrastructure and then qualify it. I don't think that's a red flag although they could've waited to launch. I'm not a Notion user.

peterldowns 6 days ago

Ah, I didn't realize this was because of an acquisition. Separate infra and policies makes some sense then. Still weird but at least there's a good explanation.