At Coda, security is of utmost importance. To learn about the security of our systems, head to coda.io/trust/security.
Aside from our systems, we’ve also built ways for you to protect your docs and accounts with built-in controls in Coda. This article highlights many of these features and includes links to articles where you can learn more!
Authentication & signing in
Email + Password
Passwords are stored as salted and peppered hashes produced by an industry-standard secure hash function; Coda never stores the password itself. Two-factor authentication is available for every account that signs in with email + password.
Sign in with Google
When a user signs in with Google, authentication is delegated to Google via the industry-standard OAuth2 protocol, and Coda has no knowledge of the user's password. During login, Google authenticates the user with a password (and, if configured, multi-factor authentication). Google Workspace administrators can enforce password-complexity and multi-factor policies for these users in the Google admin console. After authentication, Coda requests a number of OAuth "scopes" that grant access to limited account data, which is what enables the Coda integration with Google. A user can revoke this access at any time from the Google Accounts console at https://myaccount.google.com/permissions, and a Google Workspace admin can revoke it for the organization from the Google Workspace admin console. Details on the scopes requested and how they are used can be found in the appendix of the security whitepaper.
SSO via SAML 2.0 (Enterprise only)
Enterprise tier workspaces can connect Coda to their existing identity provider (IdP) to give users single sign-on (SSO). First-party integrations are available for Okta and Azure Active Directory, and any IdP that speaks SAML 2.0 will work with Coda. SCIM user provisioning and de-provisioning is also available for Enterprise tier workspaces.
SCIM (System for Cross-domain Identity Management) is an open standard that lets your identity provider create, update and deactivate Coda users for your organization automatically, so that deactivating a user in the IdP also removes their Coda access.
Fine-grained authorization controls
Coda provides granular access controls to manage your organization, workspaces, folders and individual docs.
Coda provides two kinds of folders:
Shared Folders - Shared folders are visible to all makers within a workspace and grant every workspace member Edit permission on the docs they contain. By default, all new folders (other than the My Docs folder) are shared, so make a folder private if you don't want every member of your workspace to have access to the docs in it.
Private Folders - On Team and Enterprise plans, you can change a folder's visibility by clicking Shared folder settings in the top-left corner of the folder window, scrolling down to the Folder access section and turning on the Private folder option. Note: Making folders private is a Team plan feature. Free and Pro makers can use their My Docs folder to keep docs private.
A doc has three permission levels:
Can view allows others only to view the contents of your doc; they cannot make any edits, including interacting with buttons or controls
Can comment allows others to view and leave comments on your doc; they cannot make any other edits
Can edit allows others to edit your doc, delete content, create pages, push buttons, leave comments, etc.; you can use locking to restrict what editors are able to change
A doc can be shared with specific users, with everyone in a domain, or with anyone on the internet. You can find more about doc permissions in the Sharing your doc article.
Enterprise Advanced Sharing Rules
Organization admins for teams on Coda’s enterprise plan can choose how docs can be shared outside their organization. Learn more about these in Enterprise Advanced Sharing Rules.
List of Publicly-Shared Docs
Enterprise organization admins can also see which docs have been publicly shared. For all docs that are shared with the public, the list displays what level of access has been granted to the public (View / Comment / Edit), as well as the doc's discoverability setting. Get an overview of how to use this feature in this article.
Pack approval (Enterprise only)
Admins for teams on Coda's Enterprise plan can control which Packs their users are allowed to use. Admins can either auto-approve all Packs or require manual approval for each individual Pack before it can be used in the organization.
Audit log API (Enterprise only)
For Enterprise customers, Coda offers a REST API that exposes an organization's audit event log. It returns the audit events recorded within the organization so they can be pulled into a SIEM (security information and event management) system for retention, correlation and alerting.
To learn more about this API, check out this article.
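The following is an added example of the consumer side of such an integration, written for this article; it is not Coda's own client code and does not use the real endpoint. The endpoint, the page-token parameter, the event field names and the event types are all assumptions standing in for whatever the real audit-log API returns, and the sample pages are constructed in the code. What it shows is the part that actually matters for a SIEM feed: resuming from a persisted cursor, committing the cursor only after a page has been forwarded, and de-duplicating on event id so overlapping pages or re-deliveries do not create duplicate alerts.

```python
"""Cursor-based audit-log poller feeding a SIEM, with checkpointing and
de-duplication. Added example for this article, not Coda's own client code.
ASSUMPTION: the endpoint, page-token parameter, event field names and event
types below are illustrative stand-ins for the real API's schema."""
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Event types the SIEM should treat as high severity. ASSUMPTION: names are
# illustrative; map them to the real API's event types when integrating.
HIGH_SEVERITY_TYPES = {"docSharedPublicly", "enterpriseSharingRuleChanged"}

# Constructed sample responses keyed by the page token the poller sends
# (None for the first request). Page "p2" deliberately re-delivers evt-002
# to show that an overlapping window is tolerated.
SAMPLE_PAGES: Dict[Optional[str], dict] = {
    None: {
        "items": [
            {"id": "evt-001", "type": "docShared", "actor": "alice@example.com",
             "target": "doc-42", "timestamp": "2024-03-01T09:00:00Z"},
            {"id": "evt-002", "type": "docSharedPublicly", "actor": "bob@example.com",
             "target": "doc-42", "timestamp": "2024-03-01T09:05:00Z"},
        ],
        "nextPageToken": "p2",
    },
    "p2": {
        "items": [
            {"id": "evt-002", "type": "docSharedPublicly", "actor": "bob@example.com",
             "target": "doc-42", "timestamp": "2024-03-01T09:05:00Z"},
            {"id": "evt-003", "type": "packInstalled", "actor": "carol@example.com",
             "target": "pack-7", "timestamp": "2024-03-01T09:10:00Z"},
        ],
        "nextPageToken": None,
    },
}


def sample_fetch(page_token: Optional[str]) -> dict:
    """Stand-in for an HTTP GET of the audit endpoint with a page token.
    A real fetcher would send the API token in an Authorization header."""
    return SAMPLE_PAGES[page_token]


@dataclass
class PollState:
    """Checkpoint persisted between runs (a file, a database row, or the
    SIEM's own key-value store). Losing it re-ingests history; it never
    loses events."""
    cursor: Optional[str] = None                      # page token to resume from
    seen_ids: Set[str] = field(default_factory=set)   # ids already forwarded


def siem_record(event: dict) -> dict:
    """Normalise one event into a flat record with a severity to alert on."""
    return {
        "source": "coda-audit",
        "event_id": event["id"],
        "event_type": event["type"],
        "actor": event.get("actor"),
        "target": event.get("target"),
        "timestamp": event["timestamp"],
        "severity": "high" if event["type"] in HIGH_SEVERITY_TYPES else "info",
    }


def poll_audit_log(fetch_page: Callable[[Optional[str]], dict],
                   state: PollState,
                   forward: Callable[[dict], None],
                   max_pages: int = 100) -> List[dict]:
    """Drain pages from the checkpoint, forwarding each unseen event.

    The cursor is advanced only after a page has been fully forwarded, so a
    crash mid-run re-reads that page next time (at-least-once delivery);
    seen_ids turns that into exactly-once at the SIEM. Returns the raw
    events that were forwarded during this run."""
    forwarded: List[dict] = []
    for _ in range(max_pages):               # bound the work done per run
        page = fetch_page(state.cursor)
        for event in page.get("items", []):
            if event["id"] in state.seen_ids:
                continue                     # re-delivery or overlapping window
            forward(siem_record(event))
            state.seen_ids.add(event["id"])
            forwarded.append(event)
        next_token = page.get("nextPageToken")
        if not next_token:
            break                            # caught up; cursor stays on the last page
        state.cursor = next_token            # commit only after the page is forwarded
    return forwarded


if __name__ == "__main__":
    st = PollState()
    poll_audit_log(sample_fetch, st, lambda rec: print(json.dumps(rec)))
```

Run it twice against the same state and the second run forwards nothing, which is the property you want from a scheduled collector. In production, prune seen_ids to ids newer than the committed cursor (or rely on the SIEM's own de-duplication on event_id) so the set does not grow without bound.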
Security in Packs
Coda built the Packs platform with security in mind from the start and shows how each Pack uses your data, so you can decide whether you're comfortable installing it.
Learn more about these Packs specific security features here.