Product security

Coda offers enterprise-grade product security features for more control, visibility, and flexibility.

Identity and user management

Authentication options include SSO via SAML 2.0, Google, Microsoft, Apple, magic links, and email and password with 2-factor authentication. Enterprises can manage users through SCIM.

Authorization

Access controls on docs, folders, Packs, and workspaces. Sharing with SCIM groups and Google Groups. Enterprises can set advanced sharing policies.

Auditing

Audit APIs let Enterprises obtain audit logs for the previous 12 months. Audit events can be viewed with the Coda Admin Pack.

Encryption

We use Amazon KMS for encryption key management, TLS 1.2+ for data in transit encryption, and AES-256 for data at rest encryption.

Enterprise policies

Enterprises can govern user authentication, doc sharing, publishing, folder creation, data export, file uploads, and session duration.

Enterprise dashboards

Admin workflows are streamlined with dashboards to view and manage licenses, public docs, and docs owned by de-provisioned users.

Pack controls

Coda has augmented the best-in-class security of its Packs integration platform with the ability for Enterprise admins to configure any integration according to the unique security and compliance requirements of their organization.

Application security

Coda's security commitment starts with processes, tooling and practices to continuously design and develop secure software.

Secure development lifecycle

Our secure development lifecycle program integrates into every phase of our software development process, which includes annual security trainings, threat modeling, and static code analysis tools.

Annual penetration testing

Annual penetration testing is conducted by reputable security research firms. It covers our web application, Pack infrastructure, cloud infrastructure, and mobile applications.

Public bug bounty program

Coda runs a public bug bounty program through HackerOne.

Infrastructure security

Coda is built from the ground up using AWS security best practices.

Cloud infrastructure

Coda is built with well-established security principles, including defense in depth, least privilege, and attack surface area reduction.

Network security

Coda follows AWS best practices for network security, using services like AWS CloudFront, AWS WAF, AWS security groups, and VPCs.

Operations security

We employ multi-factor authentication, RBAC, and just-in-time access for secure service management. We also log audit events and monitor all infrastructure layers for security threats.

Packs security

Coda's Packs platform is built with multiple layers of defense. Each Pack execution is run in a secure sandbox environment. Pack developers do not have access to customer credentials or data. We ensure Packs share data only in the places they disclose.

Compliance

Coda adheres to global privacy laws and security standards with measures in place to help you meet your compliance obligations.

SOC 2 Type 2

SOC for Service Organizations

GDPR

General Data Protection Regulation

CCPA

California Consumer Privacy Act