At Coda, security is of utmost importance. To learn about the security of our systems, head to coda.io/trust/security.

Aside from our systems, we’ve also built ways for you to protect your docs and accounts with built-in controls in Coda. This article highlights many of these features and includes links to articles where you can learn more!


Authentication

Email + Password

Passwords are never stored in the clear: each one is hashed with a secure hashing algorithm together with a per-user salt and a server-side pepper. Two-factor authentication is available for every account that signs in with email + password.


Google

Authentication of users within Coda is delegated to Google via the industry-standard OAuth2 protocol; Coda has no knowledge about a user's password. During login, Google authenticates the user in question with a password (and, if configured, multi-factor authentication). Google Workspace administrators can configure any password-complexity and multi-factor enforcement policies within the admin console. After authentication, Coda requests access to a number of OAuth "scopes" in order to provide access to limited account data, thereby enabling the Coda integration with Google. This account access can be revoked by the user at any time via the Google Accounts console at https://myaccount.google.com/permissions, or via a Google Workspace admin using the Google Workspace admin console. Details on the scopes requested and how they are used can be found in the appendix section of this whitepaper.


SSO via SAML 2.0 (Enterprise only)

Enterprise tier workspaces may integrate Coda with their existing IdP (Identity Provider) to give their users single sign-on (SSO). First-party integrations are available for both Okta and Azure Active Directory, but any IdP that speaks SAML 2.0 will work with Coda. In addition, SCIM user provisioning and de-provisioning is available for Enterprise tier workspaces.


Provisioning

SCIM

SCIM (System for Cross-domain Identity Management) is a standard protocol that lets a third-party Identity Provider create, update and deactivate users inside Coda on behalf of your organization, so that account lifecycle (including off-boarding) is driven from the IdP rather than managed by hand in Coda.


Fine-grained authorization controls

Coda provides fine-grained access controls at each level of the hierarchy: your organization, workspaces, folders and individual docs.

Workspace

Workspace admins can control who joins their workspace, the role and permissions of each member, and the process by which members can be promoted.


Folders

Coda provides two kinds of folders:

  • Shared Folders - Shared folders are visible to all makers within a workspace and grant every workspace member Edit permission on the docs they contain. By default, all new folders (besides the My Docs folder) are shared, so make a folder private if you don't want every member of your workspace to have access to the doc(s) inside it.

  • Private Folders - On Team and Enterprise plans, you can adjust a folder's settings by clicking Shared folder settings in the top-left corner of the folder window. Then scroll down to the Folder access section and turn on the Private folder option. Note: Private folders are a Team and Enterprise plan feature. Free and Pro makers can use their My Docs folder to keep docs private.


Docs

A doc has three permissions:

  • Can view allows others only to view the contents of your doc; they cannot make any edits, including interacting with buttons or controls

  • Can comment allows others to view and leave comments on your doc; they cannot make any other edits

  • Can edit allows others to edit your doc, delete content, create pages, push buttons, leave comments, etc.; you can use locking to scale down editing abilities

You can share a doc with specific users, with everyone on a domain, or with the entire world. You can find more about doc permissions in the article Sharing your doc.


Enterprise Advanced Sharing Rules

Admins for teams on Coda’s Enterprise plan can choose how docs can be shared outside their organization. Learn more about these in Enterprise Advanced Sharing Rules.

Packs approvals

Admins for teams on Coda's Enterprise plan can control which Packs their users may use. Admins can either auto-approve all Packs or manually approve each Pack before it can be used.

Audit API

For our Enterprise customers, we offer an API that supports auditing through an event log. This REST API returns audit log events for your organization, and its output can be ingested by a SIEM (security information and event management) system so that account, sharing and Pack activity can be monitored and alerted on alongside your other logs.

To learn more about this API, check out this article.
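As an added illustration (not Coda's own code and not its documented API), the script below shows how a SIEM-side collector would consume such an event log: it follows page tokens, keeps a checkpoint so that each run forwards only events it has not forwarded before, and normalizes each event into a JSON line a SIEM can parse. The endpoint behaviour, the field names (`id`, `timestamp`, `actor`, `action`, `nextPageToken`) and the sample events are all constructed assumptions for this example; consult the Audit API article for the real request and response format.

```python
import json
from dataclasses import dataclass, field

# Constructed sample events. The field names are assumptions for this example,
# not the real audit log schema.
SAMPLE_EVENTS = [
    {"id": "ev-1", "timestamp": "2024-05-01T10:00:00Z", "actor": "alice@example.com",
     "action": "doc.share", "target": "doc-A", "detail": {"access": "domain"}},
    {"id": "ev-2", "timestamp": "2024-05-01T10:00:00Z", "actor": "bob@example.com",
     "action": "doc.share", "target": "doc-B", "detail": {"access": "public"}},
    {"id": "ev-3", "timestamp": "2024-05-01T10:05:00Z", "actor": "carol@example.com",
     "action": "pack.install", "target": "pack-42", "detail": {}},
]


class FakeAuditApi:
    """In-memory stand-in for a paginated audit endpoint (hypothetical shape).

    A real collector would issue an authenticated HTTPS request per page; the
    pagination and checkpoint logic below is the same either way.
    """

    def __init__(self, events, page_size=2):
        self.events = list(events)
        self.page_size = page_size

    def fetch(self, since="", page_token=None):
        # 'since' is inclusive, which is why the collector must also track ids.
        rows = sorted((e for e in self.events if e["timestamp"] >= since),
                      key=lambda e: (e["timestamp"], e["id"]))
        start = int(page_token) if page_token else 0
        end = start + self.page_size
        return {"items": rows[start:end],
                "nextPageToken": str(end) if end < len(rows) else None}


@dataclass
class Checkpoint:
    """Persist this between runs (file, database, ...) so a restart neither
    re-forwards nor drops events."""
    last_ts: str = ""
    ids_at_last_ts: set = field(default_factory=set)


def pull_new_events(fetch, cp):
    """Walk every page for the current checkpoint and return only unseen events.

    Events sharing the checkpoint timestamp are de-duplicated by id, because an
    inclusive 'since' filter returns them again on the next run.
    """
    since = cp.last_ts  # fixed for the whole run: page tokens belong to this query
    token = None
    new = []
    while True:
        page = fetch(since=since, page_token=token)
        for ev in page["items"]:
            if ev["timestamp"] == cp.last_ts and ev["id"] in cp.ids_at_last_ts:
                continue                      # forwarded on an earlier run
            if ev["timestamp"] > cp.last_ts:  # newer second: start a fresh id set
                cp.last_ts = ev["timestamp"]
                cp.ids_at_last_ts = set()
            cp.ids_at_last_ts.add(ev["id"])
            new.append(ev)
        token = page.get("nextPageToken")
        if not token:
            return new


def to_siem_line(ev):
    """Normalize one event to a JSON line; flag world-readable sharing so a
    SIEM rule can alert on it without parsing the nested detail object."""
    public = ev.get("detail", {}).get("access") == "public"
    record = {"ts": ev["timestamp"], "user": ev["actor"], "action": ev["action"],
              "target": ev["target"], "severity": "high" if public else "info"}
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    api = FakeAuditApi(SAMPLE_EVENTS)
    cp = Checkpoint()
    for ev in pull_new_events(api.fetch, cp):
        print(to_siem_line(ev))
    print("second run, new events:", len(pull_new_events(api.fetch, cp)))
```

The checkpoint deliberately records the ids seen at the last timestamp rather than just the timestamp itself: with an inclusive `since` filter and several events in the same second, a timestamp-only checkpoint either re-forwards those events on every run or, if you advance it by one second, silently drops any that arrive late within that second.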
