The Coda Platform is hosted on cloud-based servers provided by Amazon Web Services, Inc. (“AWS”) and Coda relies on AWS for the physical security of the data centers where Coda services are hosted. Please refer to AWS’s physical security controls. Coda uses AWS’s Key Management Service (KMS) to create, maintain, and rotate encryption keys. Data transmitted between Customer and the Coda Platform is protected using TLSv1.2 or higher. Data at rest is encrypted using the AES-256 symmetric encryption algorithm.
Business continuity and disaster recovery
Coda uses AWS as its hosting provider and replicates production data across multiple AWS Availability Zones to ensure the availability of the Coda Platform in the event of a location-specific catastrophic event. Additionally, Coda replicates production data to a second geographical location to account for a regional outage. Moreover, Coda tests disaster recovery procedures at least once a year.
Data retention and disposal
Deleted documents are retained in primary storage systems for seven (7) days to allow for accidental deletions to be reverted. After this 7-day period, documents are permanently removed from Coda’s primary storage systems. However, deleted documents will still be retained in backups for 35 days. Once this 35-day retention period is over, the documents will no longer be present in the backups.
Coda uses Multi-Factor Authentication (MFA) to access any data processing systems. Access to data processing systems is granted based on the employee's roles and responsibilities using Role-Based Access Control (RBAC). Coda uses Just-in-Time (JIT) access grants to securely manage our service.
System monitoring, logging, and alerting
Coda logs audit events, including privileged administrative operations and security information, at various layers of our infrastructure, and monitors them for suspicious activity. Audit logs are retained for one (1) year and access to these logs is restricted.
Security incident management
Coda has implemented policies and procedures to respond to security incidents. These incidents are managed by Coda’s Security Team. The incident response plan identifies the types of events that require the incident response process, categorizes them by severity, and provides procedures for managing them. Incident response procedures are regularly tested and updated annually.
Vulnerability and Patch Management
Coda performs vulnerability scanning and package monitoring continuously, and services are patched according to Coda’s internal policies. Any issues that are discovered are triaged and resolved according to severity level.
Coda treats infrastructure as code. Infrastructure goes through Coda’s code review process before being deployed to the production environment. Deviations will be identified and fixed as part of infrastructure deployment.
Coda has a Secure Development Lifecycle program that is integrated into various phases of our software development process to continuously produce secure software, including: engineering-focused security training; threat modeling as an integral part of the design process; and usage of static code analysis and dynamic security testing tools.
Coda conducts annual penetration testing by reputable security research firms. The scope of this testing includes web applications, Coda’s Packs infrastructure, cloud infrastructure, and mobile applications.
Coda runs a public bug bounty program.
Measures for internal IT and IT security governance and management
Personnel are instructed to process and use User Content only within the framework and for the purposes of their duties (e.g., service provision). Coda employs segregation of duties and separate environments for testing and production systems.
As part of our hiring process, Coda conducts thorough background checks on all employees prior to their onboarding. All employees are mandated to undergo security training during their onboarding process upon joining the company, and are required to take security training annually thereafter.
All workstations provided to Coda personnel are configured by Coda to meet our security standards. These standards ensure that all workstations are properly configured, regularly updated, encrypt data at rest, have strong passwords, automatically lock when idle, and are monitored through Coda’s endpoint management solutions.
Measures for certification/assurance of processes and products
Coda is SOC 2 Type 2 certified. The technical and organizational measures defined herein are implemented on the basis of the international standard SOC 2 Type 2. Coda shall maintain controls materially as protective as those provided in the SOC 2 Type 2.
Measures for ensuring data quality
All User Content on the Coda Platform is provided by Customers, and Customers are responsible for the User Content they create, use, store, process and destroy. Coda does not assess the quality of the User Content provided by Customers.
Information security policies
Coda internally reviews its information security policies annually. All employees must acknowledge the information security policies and are re-trained on information security policies once per year.
Measures for allowing data portability and ensuring erasure
The Coda Platform offers built-in tooling to allow Customers to export and permanently erase data.
Measures to be taken by the (Sub-) Processor to be able to provide assistance to Customer (and, for transfers from Coda to a Subprocessor, to the Data Exporter).
The transfer of User Content to a third party (e.g. customers, subcontractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If User Content is transferred outside the EEA, UK and Switzerland, Coda provides that an adequate level of data protection exists at the target location or organization in accordance with the European Union's data protection requirements, e.g. by employing contracts based on the EU SCCs.