Product security

Coda offers enterprise-grade product security features for more control, visibility, and flexibility.
Identity and user management

Authentication options include SSO via SAML 2.0, Google, Microsoft, Apple, Magic links, and email+password with 2-factor. Enterprises can manage users through SCIM.


Access controls on docs, folders, Packs, and workspaces. Sharing with SCIM groups and Google Groups. Enterprises can set advanced sharing policies.


Audit APIs let Enterprises obtain audit logs for previous 12 months. Audit events can be viewed with the Coda Admin Pack.


We use Amazon KMS for encryption key management, TLS 1.2+ for data in transit encryption, and AES-256 for data at rest encryption.

Enterprise policies

Enterprises can govern user authentication, doc sharing, publishing, folder creation, data export, file uploads, and session duration.

Enterprise dashboards

Admin workflows are streamlined with dashboards to view and manage licenses, public docs, and docs owned by de-provisioned users.

Data governance

Legal hold & eDiscovery features enable enterprise admins to identify, preserve, and retrieve pertinent information subjected to regulatory requirements.

Pack controls

Enterprise admins can configure any integration according to the unique security and compliance requirements of their organization.

Read more about Pack controls

Application security

Coda's security commitment starts with processes, tooling and practices to continuously design and develop secure software.
Secure development lifecycle

Our secure development lifecycle program integrates into every phase of our software development process which includes annual security trainings, threat modeling, and static code analysis tools.

Read more about the program
Annual penetration testing

Annual penetration testing is conducted by reputed security research firms. It covers our web application, Pack infrastructure, cloud infrastructure, and mobile applications.

Download our latest pentest report
Public bug bounty program

Coda runs a public bug bounty program through HackerOne to facilitate the discovery of vulnerabilities and to minimize threat exposure by utilizing the expertise of external ethical hackers.

Read more about the program

Infrastructure security

Coda is built from the ground up using AWS security best practices.
Cloud infrastructure

Coda is built with well-established security principles, including defense in depth, least privileges, and attack surface area reduction.

Network security

Coda follows AWS best practices for network security, using services like AWS CloudFront, AWS WAF, AWS security groups, and VPCs.

Operations security

We employ multi-factor authentication, RBAC, and just-in-time access for secure service management. We also log audit events and monitor all infrastructure layers for security threats.

Pack security

Each Pack execution is run in a secure sandbox environment. Pack developers do not have access to customer credentials or data.

Read more about Pack security


Coda adheres to global privacy laws and security standards with measures in place to help you meet your compliance obligations.
ISO 27001

Information Security Management System (ISMS)

Download certificate
ISO 27017

Security Controls for the Provision and Use of Cloud Services

Download certificate
ISO 27018

Protection of Personally Identifiable Information (PII)

Download certificate
SOC 2 Type 2

(Type Ⅱ) Trust Services Principles

Available for enterprise customers

Service Organization Controls

Download report

General Data Protection Regulation

Read more about GDPR

The California Consumer Privacy Act

Read more about CCPA

Coda's approach to security.

Coda’s security whitepaper provides more detail about our product security, application security, and infrastructure security.