Authentication: Coda provides a wide range of authentication methods, such as SSO with SAML 2.0, Sign-in with Google, Microsoft, Apple, Magic links, and Basic authentication with 2-factor. Enterprise customers can set authentication policies and manage users through SCIM. Learn more here.

Encryption: Customer data is encrypted in-transit and at-rest by default.

Authorization: Access controls on docs, folders, Packs and workspaces. Sharing with Google Groups. Enterprise customers can also share with SCIM groups and set advanced sharing policies for forms, docs and packs. Learn more here.

Auditing [Enterprise only]: We provide Audit APIs for enterprise customers to obtain audit logs for the past 12 months. Coda also provides the Admin Pack to view the audit events. Learn more here.

Enterprise Policies [Enterprise only]: Enterprises can set policies to govern users, docs and Packs. These include policies for user authentication, external and inbound sharing, publishing, shared folder creation, data export, file uploads and session duration. Learn more here.

Enterprise dashboards [Enterprise only]: Coda offers Enterprise customers advanced admin dashboards to manage their workflows easily on Coda. These include dashboards to view and manage licenses, publicly shared docs, user activity and docs owned by de-provisioned users. Learn more here.

Pack configurations and approvals [Enterprise only]: Coda offers highly advanced security controls for third-party integrations. Enterprises have full control over what data can be brought into Coda, who can bring it, and who can access it. Learn more here.

Security Development Lifecycle: Our Secure Development Lifecycle program is integrated into every phase of our software development process to continuously produce secure software. Examples include annual security trainings for all employees, threat modeling as part of the design process, and static code analysis tools.

Annual penetration testing: Coda conducts an annual penetration testing by reputed security research firms. The scope of this test includes: web application, Coda's Packs infrastructure, cloud infrastructure and mobile applications.

Public Bug Bounty Program: Coda runs a public bug bounty program through HackerOne. Learn more here.

Cloud infrastructure: Coda is built with well-established security principles, including defense in depth, least privileges, and attack surface area reduction. Coda follows AWS best practices for network security, using services like AWS CloudFront, AWS WAF, AWS security groups, and VPCs.

Operations security: We use Multi-factor authentication, Role-Based Access Control (RBAC), and Just in Time access grants to securely manage our service. Furthermore, we log audit events and security information at each layer of our infrastructure and monitor them for suspicious activity.

Backups: Coda performs daily database backups for all data stored in AWS. Backups are typically retained for at least 35 days. We also perform regular backup integrity testing and perform tabletop disaster recovery exercises at least annually.

Clock synchronization: Coda's information assets use the NTP protocol to sync to approved NTP sources.

Packs Security: Packs execute in isolated secure sandboxes. Pack developer never touch authorization credentials used by users in Packs. We ensure that Packs only share data with the websites they claim they do. Learn more here.

Encryption: Coda uses the Amazon Key Management Service (KMS) to create, maintain, and rotate encryption keys. Coda also uses Transport Layer Security (TLS 1.2) to encrypt user data in transit and the AES-256 symmetric encryption algorithm to encrypt customer data at rest.

SOC 2 Type 2

GDPR

CCPA

ISO 27001:2022

ISO 27017:2015

ISO 27018:2019

Overview: Enterprise security features

Sign in and out of Coda