Security at Coda

Understand Coda's stance on security, and the many investments we've made in product, application, infrastructure security

Updated this week

At Coda, security is of utmost importance. And we understand that trust, privacy, and security are equally important to our customers. For this reason, you retain ownership of all your data within Coda, and we take significant steps to ensure the safeguarding of your data.

We firmly believe that securing content on Coda is a collaborative effort between us and our customers. We continuously invest in securely designing, developing, and operating our service, as well as enhancing product security features to assist customers in meeting their stringent security requirements.

The following provides an overview of some of our significant security investments.

Product Security

Coda offers enterprise-grade product security features for more control, visibility and flexibility.

  • Authentication: Coda provides a wide range of authentication methods, such as SSO with SAML 2.0, Sign-in with Google, Microsoft, Apple, Magic links, and Basic authentication with 2-factor. Enterprise customers can set authentication policies and manage users through SCIM. Learn more here.

  • Encryption: Customer data is encrypted in-transit and at-rest by default.

  • Authorization: Access controls on docs, folders, Packs and workspaces. Sharing with Google Groups. Enterprise customers can also share with SCIM groups and set advanced sharing policies for forms, docs and packs. Learn more here.

  • Auditing [Enterprise only]: We provide Audit APIs for enterprise customers to obtain audit logs for the past 12 months. Coda also provides the Admin Pack to view the audit events. Learn more here.

  • Enterprise Policies [Enterprise only]: Enterprises can set policies to govern users, docs and Packs. These include policies for user authentication, external and inbound sharing, publishing, shared folder creation, data export, file uploads and session duration. Learn more here.

  • Enterprise dashboards [Enterprise only]: Coda offers Enterprise customers advanced admin dashboards to manage their workflows easily on Coda. These include dashboards to view and manage licenses, publicly shared docs, user activity and docs owned by de-provisioned users. Learn more here.

  • Pack configurations and approvals [Enterprise only]: Coda offers highly advanced security controls for third-party integrations. Enterprises have full control over what data can be brought into Coda, who can bring it, and who can access it. Learn more here.

Application Security

Coda's security commitment start with processes, tooling and practices to continuously design and develop secure software.

  • Security Development Lifecycle: Our Secure Development Lifecycle program is integrated into every phase of our software development process to continuously produce secure software. Examples include annual security trainings for all employees, threat modeling as part of the design process, and static code analysis tools.

  • Annual penetration testing: Coda conducts an annual penetration testing by reputed security research firms. The scope of this test includes: web application, Coda's Packs infrastructure, cloud infrastructure and mobile applications.

  • Public Bug Bounty Program: Coda runs a public bug bounty program through HackerOne. Learn more here.

Infrastructure Security

Coda is built from the ground up using AWS security best practices.

  • Cloud infrastructure: Coda is built with well-established security principles, including defense in depth, least privileges, and attack surface area reduction. Coda follows AWS best practices for network security, using services like AWS CloudFront, AWS WAF, AWS security groups, and VPCs.

  • Operations security: We use Multi-factor authentication, Role-Based Access Control (RBAC), and Just in Time access grants to securely manage our service. Furthermore, we log audit events and security information at each layer of our infrastructure and monitor them for suspicious activity.

  • Backups: Coda performs daily database backups for all data stored in AWS. Backups are typically retained for at least 35 days. We also perform regular backup integrity testing and perform tabletop disaster recovery exercises at least annually.

  • Clock synchronization: Coda's information assets use the NTP protocol to sync to approved NTP sources.

  • Packs Security: Packs execute in isolated secure sandboxes. Pack developer never touch authorization credentials used by users in Packs. We ensure that Packs only share data with the websites they claim they do. Learn more here.

  • Encryption: Coda uses the Amazon Key Management Service (KMS) to create, maintain, and rotate encryption keys. Coda also uses Transport Layer Security (TLS 1.2) to encrypt user data in transit and the AES-256 symmetric encryption algorithm to encrypt customer data at rest.


Coda adheres to global privacy laws and security standards with measures in place to help you meet your compliance obligations. This includes:

  • SOC 2 Type 2

  • GDPR

  • CCPA

In addition to the above, we are currently undergoing the certification process for the following frameworks:

  • ISO 27001:2022

  • ISO 27017:2015

  • ISO 27018:2019


In the case of a suspected security incident, please submit a ticket to the support team using the in product help widget or by emailing

Related resources

Did this answer your question?