Over the last few years, we've invested significantly in our data security and privacy infrastructure to make sure your data is safe. Our security team has decades of experience in cloud-based document platforms which rely on the latest security advancements.
Coda undergoes regular Service Organization Controls audits (SOC 2 Type II) performed by an independent third-party auditing firm. For customers on an Enterprise subscription, contact your account manager or to request a copy of our most recent report.
Data is encrypted in transit and at rest
Our customers' data is encrypted when in transit and at rest, using the highest industry standard procedures and protocols, including TLS 1.2, FIPS 140-2 validated HSMs (AWS KMS), and AES-256 symmetric encryption algorithms where appropriate.
We take organizational security seriously
We're a startup, but you wouldn't know it when you see our badge access, locked monitors, and machine generated, high complexity passwords. (Well, you won't see those.) All Coda employees undergo an annual security training, and we undergo regular 3rd party penetration tests to ensure all our security practices and systems are top-notch.
We're GDPR and CCPA compliant and have entered into DPAs with all our subprocessors; we have a DPA available for customers in the EU upon request.
This page contains details on the security of Coda’s service infrastructure. To learn about security features provided by Coda, refer to . Coda is hosted on Amazon Web Services on the . The physical servers are located within AWS's data centers and access to them is managed by Amazon. For additional information on the security of AWS, visit . Coda infrastructure provisioned within Amazon Web Services (including managed services like RDS) is configured within a . This VPC uses declaratively-managed firewall rules, public/private subnet splits, and network ACLs that restrict access in and out of the VPC and its subnets to those protocols and ports necessary for the functioning of the service. Coda utilizes the Amazon Key Management Service (KMS) for creating, maintaining, and rotating all symmetric encryption keys. Coda does not store or maintain cleartext private key material on disk or in-memory. For more information about KMS and its security architecture, view .
Coda utilizes Transport Layer Security (TLS 1.2) to protect user data as information in transit. HTTPS traffic is terminated using Amazon Elastic Load balancers (ELBs) and private key material is managed by these ELBs. These load-balancers are configured to disable known weak ciphers to minimize the risk of a number of known TLS attacks.
End user document data is stored by services managed by Amazon: for structured data and for file data. RDS instances are configured to store data in encrypted form using the industry standard AES-256 symmetric encryption algorithm for the database, backups, snapshots, and logs. Content stored in S3 is also encrypted at rest via server-side encryption integration with AWS KMS.
Identify and Access Management
Coda’s corporate systems and infrastructure utilize a single-sign-on system using multi-factor authentication along with strong password policies. Access to Coda infrastructure is restricted based on roles and responsibilities. Further more, all operations activities are audited and analyzed for suspicious activities.
Security Incident Management
Our security incident management process is an essential part of our overall security strategy. We log audit events and security information in each layer of our infrastructure and monitor those logs for suspicious activities. In addition, we staff a 24/7 pager rotation on our infosec team to respond to and handle any security incident should one arise.
Secure Development Lifecycle
Our Secure Development Lifecycle program is integrated into every phase of our software development process. Examples include annual security trainings for all employees, threat modeling for sensitive features as part of the design process, static code analysis tools, daily CVE scans with strong patch management SLAs, daily security scans of our production applications, daily configuration drift scans of our production infrastructure, annual pentesting by independent external firms, and a paid public bug bounty program.
Business Continuity and Disaster Recovery
Coda uses a scale out architecture with high availability built into various layers of our stack. We have a disaster recover plan that addresses multiple site availability and replication of critical customer data. All customer data is backed up regularly across geographic locations. Coda performs regular disaster recovery testing.
Coda’s employee base is highly distributed across the globe and was built with remote work in mind from inception. We have three offices in California and Washington, and a large percentage of our employees work remotely. We have systems and processes in place to operate our service even though we are not working in a single office.
The privacy of user data is important and access to it by Coda employees is subject to published policies and procedures. All access to our internal administration tools is logged and periodically reviewed. Access to the Coda admin interfaces are compartmentalized by information type, and access to data is granted as is deemed required for job function. Access to sensitive user data is restricted to our on-call engineering teams and requires approval for access.