Product security
Authentication options include SSO via SAML 2.0, Google, Microsoft, Apple, magic links, and email and password with two-factor authentication. Enterprises can manage users through SCIM.
Access controls on docs, folders, Packs, and workspaces. Sharing with SCIM groups and Google Groups. Enterprises can set advanced sharing policies.
Audit APIs let Enterprises obtain audit logs for the previous 12 months. Audit events can be viewed with the Coda Admin Pack.
We use Amazon KMS for encryption key management, TLS 1.2+ to encrypt data in transit, and AES-256 to encrypt data at rest.
Enterprises can govern user authentication, doc sharing, publishing, folder creation, data export, file uploads, and session duration.
Admin workflows are streamlined with dashboards to view and manage licenses, public docs, and docs owned by de-provisioned users.
Legal hold and eDiscovery features enable enterprise admins to identify, preserve, and retrieve pertinent information that is subject to regulatory requirements.
Enterprise admins can configure any integration according to the unique security and compliance requirements of their organization.
Application security
Our secure development lifecycle program integrates into every phase of our software development process and includes annual security training, threat modeling, and static code analysis tools.
Annual penetration testing is conducted by reputable security research firms. It covers our web application, Pack infrastructure, cloud infrastructure, and mobile applications.
Coda runs a public bug bounty program through HackerOne to facilitate the discovery of vulnerabilities and to minimize threat exposure by drawing on the expertise of external ethical hackers.
Infrastructure security
Coda is built on well-established security principles, including defense in depth, least privilege, and attack surface reduction.
Coda follows AWS best practices for network security, using services like AWS CloudFront, AWS WAF, AWS security groups, and VPCs.
We employ multi-factor authentication, RBAC, and just-in-time access for secure service management. We also log audit events and monitor all infrastructure layers for security threats.
Each Pack execution is run in a secure sandbox environment. Pack developers do not have access to customer credentials or data.
Compliance
Information Security Management System (ISMS)
Security Controls for the Provision and Use of Cloud Services
Protection of Personally Identifiable Information (PII)
(Type II) Trust Services Principles
Service Organization Controls
General Data Protection Regulation
The California Consumer Privacy Act
Health Insurance Portability & Accountability Act