Overview of Security Features

Use this article as a starting point to learn about some of the access and security features Coda offers.

At Coda, security is of utmost importance. To learn about the security of our systems, head to coda.io/trust/security.

Aside from our systems, we’ve also built ways for you to protect your docs and accounts with built-in controls in Coda. This article highlights many of these features and includes links to articles where you can learn more!

Authentication & signing in

Email + Password

Passwords are secured using an industry-standard salt, pepper, and secure hash mechanism. Two-factor authentication is available for all accounts using email + password as their authentication mechanism.

Google

Authentication of users within Coda is delegated to Google via the industry-standard OAuth2 protocol; Coda has no knowledge about a user's password. During login, Google authenticates the user in question with a password (and, if configured, multi-factor authentication). Google Workspace administrators can configure any password complexity and multi-factor enforcement policies within the admin console. After authentication, Coda requests access to a number of OAuth "scopes" in order to provide access to limited account data, thereby enabling the Coda integration with Google. This account access can be revoked by the user at any time via the Google Accounts console at https://myaccount.google.com/permissions, or via a Google Workspace admin using the Google Workspace admin console. Details on the scopes requested and how they are used can be found in the appendix section of this whitepaper.

SSO via SAML 2.0 (Enterprise only)

Enterprise tier workspaces may integrate Coda with their existing IdP (Identity Provider) service to enable seamless single-sign-on (SSO) for their users. First-party plugins are available for both Okta and Azure Active Directory, though any IdP utilizing SAML 2.0 will work with Coda. In addition, SCIM user provisioning and de-provisioning are available for Enterprise tier workspaces.

Provisioning

SCIM

SCIM (System for Cross-domain Identity Management) is a set of protocols that allow a third-party Identity Provider to manage users inside Coda for your organization. See Configure SCIM for more information.

Share with groups

Push groups to Coda through SCIM for your team members to have easy access to share docs and folders with groups of users.

Fine-grained authorization controls

Coda provides granular access controls to manage your organization, workspaces, folders, and individual docs.

Workspace

Workspace admins can control who joins their workspace, the role and permissions of each member, and the process by which members can be promoted.

Folders

Coda provides two kinds of folders:

  • Shared Folders - Shared folders are public to all makers within a workspace and grant all workspace members Edit permissions to their doc contents. By default, all new folders (besides the My Docs folder) are shared, so make them private if you don't want every member of your workspace to have access to your doc(s).

  • Private Folders - For Team and Enterprise plans, you can adjust your folder settings by clicking on Shared folder settings in the top-left corner of the folder window. Then scroll down to the Folder access section and turn on the Private folder option. Note: Making folders private is a Team plan feature. Free and Pro makers can use their My Docs folder to keep docs private.

Docs

A doc has three permissions:

  • Can view allows others to only view the contents of your doc; they cannot make any edits, including interacting with buttons or controls

  • Can comment allows others to view and leave comments on your doc; they cannot make any other edits

  • Can edit allows others to edit your doc, delete content, create pages, push buttons, leave comments, etc.; you can use locking to scale down editing abilities

One can share a doc with specific users, a full domain, or the entire world. You can find more about doc permissions in the Sharing your doc article.

Enterprise Advanced Sharing Rules

Organization admins for teams on Coda’s Enterprise plan can choose how docs can be shared outside their organization. Learn more about these in Enterprise Advanced Sharing Rules.

List of Publicly-Shared Docs

Enterprise organization admins can also see which docs have been publicly shared and change their permissions. For all docs that are shared with the public, the list displays what level of access has been granted to the public (View / Comment / Edit), as well as the doc's discoverability setting and the option to “update access” to make the doc not accessible to the public. Get an overview of how to use this feature in this article.

Packs Approval

Admins for teams on Coda’s Enterprise plan can control Packs usage by their users. Admins can either auto-approve all Pack usage or manually approve each Pack's usage.

Audit API

For our Enterprise customers, we offer an API to support auditing activities via an event log. This REST API queries audit logs within an organization and can be consumed by a SIEM (security information and event management) system.

To learn more about this API, check out this article.

Security in Packs

Coda has built the Packs platform with security features from the ground up and provides transparency on how each Pack uses your data so you can decide if you’re comfortable installing it.

Learn more about these packs' specific security features here.
