// Trust & Security Report
Coda, Inc. (acquired by Grammarly)
Coda is an enterprise collaborative workspace platform combining document editing, spreadsheet-like tables, and app-building capabilities. Coda AI is an integrated work assistant powered by OpenAI and other LLM providers. Tiered for teams: Product, Marketing, Sales, Engineering, Design, HR.
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on coda.io“SOC 2 Type II - Trust Services Principles certification available exclusively to enterprise customers upon request.”
Verify on coda.io“ISO 27001 - Information Security Management System (ISMS) with downloadable certificate available.”
Verify on coda.io“ISO 27017 - Addresses Security Controls for the Provision and Use of Cloud Services with certificate provided.”
Verify on coda.io“ISO 27018 - Focuses on Protection of Personally Identifiable Information (PII) with downloadable documentation.”
Verify on coda.io“GDPR - General Data Protection Regulation compliance implemented. Data Processing Addendum (DPA) available for customer data processing.”
Verify on help.coda.io“Coda is able to assist customers in their HIPAA compliance efforts through the Enterprise plan. Business Associates Agreement (BAA) governs the handling and protection of Protected Health Information.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region via AWS: production data replicated across multiple AWS Availability Zones; additionally replicated to a second geographical location for regional outage protection. Specific region selection not publicly documented but standard AWS infrastructure applies.
Coda explicitly does NOT allow AI third-party providers or contractors to use customer data for training their models. Coda does NOT use AI inputs and results from enterprise customers for improving Coda AI functionality. Coda AI uses OpenAI and other LLM providers, but maintains strict data handling policies with those providers.
// Security controls
Encryption at rest
AES-256 symmetric encryption for customer data; AWS Key Management Service (KMS) for encryption key administration and rotation
coda.ioData backups
Daily backups and cross-regional backups; deleted documents retained in primary storage for 7 days, backup copies retained for 35 days before permanent removal
coda.ioAuthentication
SSO via SAML 2.0, Google, Microsoft, Apple, Magic links, and 2-factor authentication (MFA)
coda.ioAccess control
Role-based access control (RBAC), Just-in-Time (JIT) access grants, multi-factor authentication for system access, fine-grained controls on docs, folders, Packs, and workspaces
coda.ioAudit and logging
Audit logs capturing privileged operations and security events; logs retained for one (1) year with restricted access; continuous monitoring for suspicious activity
coda.ioPenetration testing
Annual penetration testing across applications, cloud infrastructure, and mobile platforms; public bug bounty program
coda.ioData portability
Built-in tooling to export and permanently erase customer data; third-party transfers require contracts and EU Standard Contractual Clauses for transfers outside EEA, UK, and Switzerland
coda.ioLegal hold and eDiscovery
Legal hold and eDiscovery capabilities for regulatory compliance; Audit APIs provide 12-month log access
coda.io// Products & data scope
data: User-generated documents, tables, formulas, integrations with 600+ third-party tools
Primary product: combines doc editing, spreadsheets, and app-building in a single platform. Trusted by 80% of Fortune 100.
data: User prompts and document context for AI chat, summarization, table generation, and AI columns
Integrated LLM-powered assistant using OpenAI and other models. Does not train on customer data. Enterprise plan includes dedicated AI features.
data: Industry-specific templates and workflows
Pre-built solutions for specific team roles; underlying data handling consistent with core platform.
// What to watch
- SOC 2 Type II is available exclusively to enterprise customers upon request—not universally available to all users.
- HIPAA compliance requires Enterprise plan and Business Associates Agreement (BAA)—not available on lower tiers.
- Privacy policy URL redirects to Grammarly domain (https://coda.io/trust/privacy → Grammarly privacy), reflecting Grammarly's acquisition of Coda. Verify current privacy policy details directly with Coda or on the Grammarly site.
- Data residency not granularly documented; AWS regions not explicitly listed. Enterprises requiring specific region residency (e.g., EU data in EU) should contact sales for details.
- No evidence of ISO/IEC 42001 (AI governance) or CSA STAR AI certifications at this time.
// At a glance
Pricing model
Freemium subscription: Free tier, Team, Business, and Enterprise plans with per-seat or workspace-based pricing. No per-AI-request metering visible; AI credits bundled with plans.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Coda, Inc. (acquired by Grammarly)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
coda.io