How Coda’s enterprise security policies give teams more control of their data

Learn how to customize Coda to meet your security needs with our enterprise policies.

Bala Neerumalla

Head of Information Security at Coda

At Coda, security is a top priority. We recognize that when you choose Coda, you’re trusting us to keep your information safe and secure—and that’s not a responsibility we take lightly. After all, it takes a lifetime to build a reputation, and just a blink of an eye to ruin it. Our team thinks about trust and data security every single day, and we’ve made substantial investments in both application and infrastructure security to ensure that your data is well protected. Our commitment to security is just one of the reasons why we were recognized as a leader for enterprise by G2, and why businesses like Pinterest and TED trust Coda to be their company-wide collaborative workspace.

Customize Coda with our enterprise policies.

We recognize that every enterprise company is unique and has specific security needs based on its threat profile. Customers on our Enterprise plan get enhanced control with features such as SAML SSO, user and group provisioning through SCIM, and an Admin API to view audit logs, modify policies, and more. In addition to providing roles and fine-grained permissions at the document, folder, and workspace levels, we also offer several custom policies. These policies override permissions for all users and entities owned by a company to secure your Coda usage. Here, we’re sharing more about six of the policies available to enterprise customers:
  1. Inbound sharing.
  2. Publishing.
  3. Shared folder creation.
  4. Data exports.
  5. File uploads.
  6. Session duration.
Let’s take a look at each of these policies in more detail and how they can help keep your business data secure.

1. Control inbound doc sharing.

Phishing attacks are a prevalent method used in many security breaches. To mitigate this risk in Coda, you can enable an inbound sharing policy. This policy prevents external users from sharing Coda docs with your employees and blocks your employees from accessing external users’ docs, effectively blocking phishing campaigns through Coda. It’s important to note that you should continue to provide training to your employees on identifying phishing messages across various communication channels such as email and SMS. Bear in mind that using this policy will restrict your employees from collaborating with external users, as all external doc sharing will be blocked for them.

2. Prevent publishing.

While many of our users enjoy publishing Coda docs to share ideas, templates, and thought leadership, there is a potential risk of employees accidentally publishing sensitive company content to the public. To address this concern, you can choose to use this policy to block employees from publishing any Coda content on the internet, including the creation of maker profiles that could potentially leak employee information. Please note that your employees will still be able to collaborate with other users as permitted by the doc sharing policies. This allows for secure collaboration while reducing the risk of unintentional data exposure.

3. Limit shared folder creation.

Shared folders in Coda provide a convenient way to make documents accessible and discoverable to all users within a workspace. This is particularly useful for sharing information that is relevant organization-wide. However, it also introduces the risk of employees accidentally creating sensitive documents within shared folders and potentially leaking them to the organization. Additionally, shared folders may not be ideal when multiple departments are sharing a single Coda workspace or when there is less need for organization-wide sharing. The shared folder policy restricts your employees’ ability to create shared folders or convert private ones into shared ones. It’s important to note that this policy only impacts the creation of shared folders specifically—users can still share documents with the entire workspace or a large number of employees using SCIM groups or Google Groups when needed. This approach ensures controlled sharing while minimizing the possibility of accidental exposure of sensitive information.

4. Restrict data exports.

Coda allows you to export your docs in several file formats such as PDFs and CSVs. This can be helpful for offline sharing but creates a potential security risk of employees exporting sensitive documents and sharing the downloaded files with unauthorized individuals. Plus, if an employee account is compromised, there is a risk of exfiltrating sensitive data through exports. To mitigate these risks, you can enable a policy that restricts your employees’ ability to export Coda docs. This helps maintain control over sensitive information and reduces the likelihood of unauthorized sharing or data breaches.

5. Disable file uploads.

Coda offers integrations with a wide range of external services, including the ability to import content from platforms like Google Drive, Confluence, Trello, Notion, and Airtable. This is highly beneficial for consolidating information from various tools into Coda docs or creating comprehensive write-ups by importing data stored in other tools. However, we know that some enterprises may have specific policies regarding the use of different tools based on the sensitivity of the data involved. To align with these policies, you can choose to disable file uploads in Coda. This means employees will be prevented from importing documents, spreadsheets, and resources from other tools into Coda docs, ensuring adherence to approved tools and policies within the organization.

6. Set session duration limits.

The default setting for signed-in Coda users is that sessions expire after 30 days of inactivity. While this provides convenient access for those using Coda on a daily basis, it can also pose a security risk if an employee’s Coda session is compromised. As a “defense in depth” best practice, many enterprises have their own internal policies around session durations based on their risk tolerance. If yours does, you can set a custom session duration limit for your employees’ sessions based on your policies. This can help reduce the risk of unauthorized access or viewing and minimize the potential for idle sessions to be exploited by attackers.

You can be confident your data is secure with us.

These internal controls are just a few examples of the security measures that Coda can enable to meet your specific security requirements. We offer a range of other internal controls as well. If you have any specific security requirements or need further information, please don’t hesitate to reach out to your customer contacts or email support@coda.io. They will provide you with more details and assist you in implementing the necessary security measures. Head over to our guide to learn more about the features available on our Enterprise plan and recommended best practices for setting up Coda for your organization based on your internal security policies.
