// Trust & Security Report

    Coda, Inc. (acquired by Grammarly) logo

    Coda, Inc. (acquired by Grammarly)

    Coda is an enterprise collaborative workspace platform combining document editing, spreadsheet-like tables, and app-building capabilities. Coda AI is an integrated work assistant powered by OpenAI and other LLM providers. Tiered for teams: Product, Marketing, Sales, Engineering, Design, HR.

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II - Trust Services Principles certification available exclusively to enterprise customers upon request.

    Verify on coda.io
    SOC 3
    HELD

    SOC 3 - Service Organization Controls report available for download.

    Verify on coda.io
    ISO 27001
    HELD

    ISO 27001 - Information Security Management System (ISMS) with downloadable certificate available.

    Verify on coda.io
    ISO 27017
    HELD

    ISO 27017 - Addresses Security Controls for the Provision and Use of Cloud Services with certificate provided.

    Verify on coda.io
    ISO 27018
    HELD

    ISO 27018 - Focuses on Protection of Personally Identifiable Information (PII) with downloadable documentation.

    Verify on coda.io
    GDPR
    HELD

    GDPR - General Data Protection Regulation compliance implemented. Data Processing Addendum (DPA) available for customer data processing.

    Verify on coda.io
    CCPA
    HELD

    CCPA - The California Consumer Privacy Act standards are supported.

    Verify on coda.io
    HIPAA
    HELD

    Coda is able to assist customers in their HIPAA compliance efforts through the Enterprise plan. Business Associates Agreement (BAA) governs the handling and protection of Protected Health Information.

    Verify on help.coda.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region via AWS: production data replicated across multiple AWS Availability Zones; additionally replicated to a second geographical location for regional outage protection. Specific region selection not publicly documented but standard AWS infrastructure applies.

    Coda explicitly does NOT allow AI third-party providers or contractors to use customer data for training their models. Coda does NOT use AI inputs and results from enterprise customers for improving Coda AI functionality. Coda AI uses OpenAI and other LLM providers, but maintains strict data handling policies with those providers.

    // Security controls

    Encryption in transit

    TLS 1.2 or higher for all data in transit

    coda.io

    Encryption at rest

    AES-256 symmetric encryption for customer data; AWS Key Management Service (KMS) for encryption key administration and rotation

    coda.io

    Data backups

    Daily backups and cross-regional backups; deleted documents retained in primary storage for 7 days, backup copies retained for 35 days before permanent removal

    coda.io

    Authentication

    SSO via SAML 2.0, Google, Microsoft, Apple, Magic links, and 2-factor authentication (MFA)

    coda.io

    Access control

    Role-based access control (RBAC), Just-in-Time (JIT) access grants, multi-factor authentication for system access, fine-grained controls on docs, folders, Packs, and workspaces

    coda.io

    Audit and logging

    Audit logs capturing privileged operations and security events; logs retained for one (1) year with restricted access; continuous monitoring for suspicious activity

    coda.io

    Penetration testing

    Annual penetration testing across applications, cloud infrastructure, and mobile platforms; public bug bounty program

    coda.io

    Data portability

    Built-in tooling to export and permanently erase customer data; third-party transfers require contracts and EU Standard Contractual Clauses for transfers outside EEA, UK, and Switzerland

    coda.io

    Uptime commitment

    99.9% uptime commitment to Enterprise customers

    coda.io

    Legal hold and eDiscovery

    Legal hold and eDiscovery capabilities for regulatory compliance; Audit APIs provide 12-month log access

    coda.io

    // Products & data scope

    Coda (Core platform)Collaborative workspace / all-in-one workspace

    data: User-generated documents, tables, formulas, integrations with 600+ third-party tools

    Primary product: combines doc editing, spreadsheets, and app-building in a single platform. Trusted by 80% of Fortune 100.

    Coda AIAI assistant / work assistant

    data: User prompts and document context for AI chat, summarization, table generation, and AI columns

    Integrated LLM-powered assistant using OpenAI and other models. Does not train on customer data. Enterprise plan includes dedicated AI features.

    Coda for Teams (Product, Marketing, Sales, Engineering, Design, HR)Vertical templates and solutions

    data: Industry-specific templates and workflows

    Pre-built solutions for specific team roles; underlying data handling consistent with core platform.

    // What to watch

    • SOC 2 Type II is available exclusively to enterprise customers upon request—not universally available to all users.
    • HIPAA compliance requires Enterprise plan and Business Associates Agreement (BAA)—not available on lower tiers.
    • Privacy policy URL redirects to Grammarly domain (https://coda.io/trust/privacy → Grammarly privacy), reflecting Grammarly's acquisition of Coda. Verify current privacy policy details directly with Coda or on the Grammarly site.
    • Data residency not granularly documented; AWS regions not explicitly listed. Enterprises requiring specific region residency (e.g., EU data in EU) should contact sales for details.
    • No evidence of ISO/IEC 42001 (AI governance) or CSA STAR AI certifications at this time.

    // At a glance

    Pricing model

    Freemium subscription: Free tier, Team, Business, and Enterprise plans with per-seat or workspace-based pricing. No per-AI-request metering visible; AI credits bundled with plans.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Coda, Inc. (acquired by Grammarly)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    coda.io

    > Browse all vendor trust reports