Coda Enterprise Security

I just received the latest Coda newsletter (which are great) and it headlined about enterprise and focused on security.

My understanding is that any editor can copy any doc they have access to, thus granting them Owner permissions and removing any restrictions they may have had as an editor.

Does the enterprise plan provide more security? That would be nice to know! Thanks

Doc level security options are the same between the Team Plan and the Enterprise Plan.

Enterprises generally have more strict rules in how information is stored and handled and there are quite a few benchmarks for a data company to hit to earn that compliance. We earned these benchmarks and that’s what the newsletter was about. Our protocols and how we work with our servers and things of that nature, not about doc settings for the user.

1 Like

When I first signed up for CODA, I spent quite a bit of time on the community pages. One of the random posts I encountered (I believe it was written by @Paul_Danyliuk) described the way CODA docs are loaded into the client-side browser.

Over my head a bit, technically, but my understanding from the post was that any person who had view/comment access to a doc… could simply right-click the page, inspect element and download your entire doc’s worth of data from the browser’s resources.

Obfuscated or not, that kind of sucks.

Does this security update address that issue?

If it doesn’t, then that means CODA is still not secure enough for a lot of use cases where you would want to share some data and protect sensitive data within the same doc.

Please let me know if I’m completely off base here or not understanding CODA’s technology stack well enough. To me, that issue/feature/bug makes using CODA to work with outside/untrusted collaborators a definite no-no. Would be great to be wrong about this because I love CODA for all my personal and internal team stuff.

1 Like

This isn’t the exact post I read, but it seems these users identified the same security issue of being able to download the entire doc, even if there are hidden/permissioned settings.

Just to be clear, any editor can make a copy of the doc they have access to, but they would be the owner of the new doc, not the original one.

This is the reality with all web-based documents. As long as information is being passed through over the internet, it’s impossible to prevent a determined individual from intercepting the raw data for a doc and using it to recreate it. The most that we can do, or even Google or Microsoft for that matter, is to put controls in the user interface to make it significantly harder to extract doc info, but it would never be impossible. Even with UI in place to prevent an individual doc from being copied, that wouldn’t prevent anyone from manually recreating the original doc from scratch in a new doc.

Currently we recommend cross-doc as a way of partitioning access to a doc, since data transfer happens via Coda servers, which respect any settings set on Coda API tokens that limit access to a specific table or view.

3 Likes

@oleg yes, you are correct that, with the current setup, a technical user could inspect and disassemble the page resources to get the data out of the doc.

However, security is a game of degrees, and being able to wholesale copy the entire document, with all of the formulas, configurations, automations, etc. is 1000x more of a risk than someone dissecting the page resources and reconstructing the document. The investment to do that vs being able to copy, especially with a complicated document is massive.

Enabling the owner to disable Editor copy would increase doc security tremendously and can be done with almost no development (a preference toggle to disable). This seems so obvious … why not make this easy fix to support Makers?

2 Likes

We currently do have a way of disabling the copy option when publishing docs, so if you use that and share the link to the published doc, it won’t be as easy to figure out how to copy the doc.

Hello @oleg ,
Can you please tell me more about this ‘disabling copy option’ - because of GDPR I have to make sure that one of my docs can’t be copied. It would help if the published doc can’t be copied, it would be a lot better if the shared doc can’t be copied either, other than by the doc owner. I can’t stress enough how important this is for many, many people, even if they don’t realize this.
I read again through all the links, but I can’t find how to accomplish this.
Greetings,
Joost

1 Like

Hi @joost_mineur, in the link that I shared, see “How do I publish my Coda doc?” → “#6: Set your preferred doc settings”. I understand the desire to have an option to do this for sharing regular docs as well and it’s on our backlog for consideration.

2 Likes

it is easy though, so it’s debatable what’s worse: admit that it’s not possible to properly secure the doc from copying and extracting all data, or give people a false sense of security.

The only correct solution with Coda would be: use Crossdoc. Or push data through Zapier etc. Nothing else.
Or don’t use Coda at all, but code a backend that would authorize each user to only get a portion of data, and serve only that data to them. Yes, you’ll be writing a web server and security logic yourself.
Or use Bubble or some other app builder that supports item-level security on backend.

1 Like
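
The backend approach described in the post above (authorize each user and serve only their portion of the data), set beside the pattern of shipping the whole doc and hiding rows in the UI. This is an added example, not part of the original thread and not Coda's code; the table, users and policy are constructed for illustration.

```javascript
// Constructed sample table: rows belonging to two different clients.
const ROWS = [
  { id: 1, client: "acme", project: "Website", rate: 120 },
  { id: 2, client: "globex", project: "Audit", rate: 200 },
  { id: 3, client: "acme", project: "App", rate: 150 },
];

// Hypothetical policy: which rows (by client) and which columns a user may receive.
const POLICY = {
  "alice@acme.example": { client: "acme", columns: ["id", "project"] },
  "bob@globex.example": { client: "globex", columns: ["id", "project", "rate"] },
};

// Pattern the thread warns about: every row is sent, and the UI is told
// which ones to hide. The "hidden" flag is only a rendering hint.
function clientSideHiddenPayload(user) {
  const rule = POLICY[user] || { client: null };
  return JSON.stringify({
    rows: ROWS.map((r) => ({ ...r, hidden: r.client !== rule.client })),
  });
}

// Server-side authorization: filter rows and project columns BEFORE
// serializing, so unauthorized data never leaves the server.
function serverFilteredPayload(user) {
  const rule = POLICY[user];
  if (!rule) return JSON.stringify({ rows: [] }); // deny by default
  const rows = ROWS
    .filter((r) => r.client === rule.client)
    .map((r) => Object.fromEntries(rule.columns.map((c) => [c, r[c]])));
  return JSON.stringify({ rows });
}

// Audit helper: which row ids are present in the raw response body,
// regardless of any UI flags attached to them.
function exposedRowIds(payload) {
  return JSON.parse(payload).rows.map((r) => r.id);
}

const user = "alice@acme.example";
console.log("UI-hidden payload exposes rows:", exposedRowIds(clientSideHiddenPayload(user)));
console.log("Server-filtered payload exposes rows:", exposedRowIds(serverFilteredPayload(user)));
```

Running the audit helper over real response bodies in a test suite is a cheap regression check that a "hidden" row or column is actually absent from the wire, not just from the rendered page.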

Hello @oleg,

Thank you for your answer and explanation - I misunderstood the non-copy option. For me, if I publish it, it will usually be OK to copy it, but it is nice that we can leave the copy button out and that the menu option to copy isn’t there.
For my projects, play mode is not enough for my users and with filters and locks I can do exactly what I want - up to the point where I can’t prevent the doc to be copied and all the settings to be undone. I am glad you have it under consideration: you will make a lot of people happy if this makes it to the short list.

Greetings,
Joost

Can you help me understand why you think disabling editors from the ability to copy the doc isn’t a ‘correct solution’, at least for now?

Dear @oleg,

F.Y.I: Recently I ended up with this material

Maybe for the time being too futuristic, but it could solve many security issues and open up new fields to uncover.