Product security
Authentication options include SSO via SAML 2.0, Google, Microsoft, Apple, magic links, and email and password with two-factor authentication. Enterprises can manage users through SCIM.
Access controls on docs, folders, Packs, and workspaces. Sharing with SCIM groups and Google Groups. Enterprises can set advanced sharing policies.
Audit APIs let Enterprises obtain audit logs for the previous 12 months. Audit events can be viewed with the Coda Admin Pack.
We use Amazon KMS for encryption key management, TLS 1.2+ for data in transit encryption, and AES-256 for data at rest encryption.
Enterprises can govern user authentication, doc sharing, publishing, folder creation, data export, file uploads, and session duration.
Admin workflows are streamlined with dashboards to view and manage licenses, public docs, and docs owned by de-provisioned users.
Pack controls
Application security
Our secure development lifecycle program is integrated into every phase of our software development process and includes annual security training, threat modeling, and static code analysis tools.
Annual penetration testing is conducted by reputed security research firms. It covers our web application, Pack infrastructure, cloud infrastructure, and mobile applications.
Coda runs a public bug bounty program through HackerOne.
Infrastructure security
Coda is built with well-established security principles, including defense in depth, least privilege, and attack surface area reduction.
Coda follows AWS best practices for network security, using services like AWS CloudFront, AWS WAF, AWS security groups, and VPCs.
We employ multi-factor authentication, RBAC, and just-in-time access for secure service management. We also log audit events and monitor all infrastructure layers for security threats.
Packs security
Compliance
SOC for Service Organizations
General Data Protection Regulation
California Consumer Privacy Act