Coda Security Annex

Coda uses AWS’s Key Management Service (KMS) to create, maintain, and rotate encryption keys. Data transmitted between Customer and the Coda Platform is protected using TLSv1.2 or higher. Data at rest is encrypted using AES-256 symmetric encryption algorithm.

Coda uses AWS as its hosting provider and replicates production data across multiple AWS Availability Zones to ensure the availability of the Coda Platform in the event of a location-specific catastrophic event. Additionally, Coda replicates production data to a second geographical location to account for a regional outage. Moreover, Coda tests disaster recovery procedures at least once a year.

Deleted documents are retained in primary storage systems for seven (7) days to allow for accidental deletions to be reverted. After this 7-day period, documents are permanently removed from Coda’s primary storage systems. However, deleted documents will still be retained in backups for 35 days. Once this 35-day retention period is over, the documents will no longer be present in the backups.

Coda uses Multi-Factor Authentication (MFA) to access any data processing systems. Access to data processing systems is granted based on the employee's roles and responsibilities using Role-Based Access Control (RBAC). Coda uses Just-in-Time (JIT) access grants to securely manage our service.

Coda logs audit events, including privileged administrative operations and security information, at various layers of our infrastructure, and monitors them for suspicious activity. Audit logs are retained for one (1) year and access to these logs is restricted.

Coda has implemented policies and procedures to respond to security incidents. These incidents are managed by Coda’s Security Team. The incident response plan identifies the types of events that require the incident response process, categorizes them by severity, and provides procedures for managing them. Incident response procedures are regularly tested and updated annually.

Coda performs vulnerability scanning and package monitoring continuously, and services are patched according to Coda’s internal policies. Any issues that are discovered are triaged and resolved according to severity level.

Coda treats infrastructure as code. Infrastructure goes through Coda’s code review process before being deployed to the production environment. Deviations will be identified and fixed as part of infrastructure deployment.

Personnel are instructed to process and use User Content only within the framework and for the purposes of their duties (e.g., service provision). Coda employs segregation of duties and separate environments for testing and production systems.

As part of our hiring process, Coda conducts thorough background checks on all employees prior to their onboarding.All employees are mandated to undergo security training during their onboarding process upon joining the company, and are required to take security training annually thereafter.

All workstations provided to Coda personnel are configured by Coda to meet our security standards. These standards ensure that all workstations are properly configured, regularly updated, encrypt data at rest, have strong passwords, automatically lock when idle, and monitored through Coda’s endpoint management solutions.

Coda is SOC 2 Type 2 certified. The technical and organizational measures defined herein are implemented on the basis of the international standard SOC 2 Type 2. Coda shall maintain controls materially as protective as those provided in the SOC 2 Type 2.

All User Content on the Coda Platform is provided by Customers, and Customers are responsible for the User Content they create, use, store, process and destroy. Coda does not assess the quality of the User Content provided by Customers.

Coda internally reviews its information security policies annually. All employees must acknowledge the information security policies and are re-trained on information security policies once per year.

The Coda Platform offers built-in tooling to allow Customers to export and permanently erase data.

The transfer of User Content to a third party (e.g. customers, subcontractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If User Content is transferred outside the EEA, UK and Switzerland, Coda provides that an adequate level of data protection exists at the target location or organization in accordance with the European Union's data protection requirements, e.g. by employing contracts based on the EU SCCs.