13 min read

Securely integrate with other tools (aka Packs)

All the info to put your mind at ease about how Coda connects with other tools and services to enhance functionality.

Admin features mentioned are only available on the Enterprise plan.

What is a Pack?

A Pack is an integration. It’s the way Coda connects with other pieces of software. By leveraging Packs, you can provide your users with a powerful ecosystem of integrations that enhances their productivity, collaboration, and overall work experience. Packs are built with security at the forefront and our Enterprise customers have even more control to protect your data.

What you'll get:

An understanding of our Pack security
How to accomplish granular Pack controls
Understanding Pack access, connection, and security tips

What you'll use:

Org admin settings (Enterprise only)

Admins have the power

We have Packs for many of the tools your teams likely use - from Slack, to Jira, to Google Calendar and Gmail, and Salesforce. As an org admin, you can regulate how these Packs are used, protecting your users and your company data. Instead of simply enabling/disabling Pack integration (which is possible — learn more), we recommend a granular approach so you can customize access to your specific security requirements.

A walkthrough from our Customer Success Team

1. Coda's compliance

Covered by everything that already makes Coda secure: SOC 2 Compliance, GDPR compliance, data encryption, data access controls, and more all come standard with Coda. Learn more. Just what you share, and no more: When a Pack is executed, it only receives the data that the user explicitly provided — e.g. formula parameters — and no other content from your doc.

2. Designed with security from the ground up.

Restricted network request

We ensure Packs only share data with the website they say they do. Some of our most popular Packs are integrations — connections to external data sources. Pack Makers must declare which domains their Pack connects to, which we publish to users of the Pack in each Pack’s security tab, found on the Pack listing page. Coda enforces that Packs can only ever connect to these declared domains.

Locked-down authentication

We never let developers touch users’ login details. For Packs that require user authorization credentials, Coda handles credentials on behalf of the Pack, stores them encrypted at rest, and applies them to outgoing requests such that neither Pack code, Pack Makers, nor other users of a doc ever have access to them.

Rigorous evaluation

Packs run in a dedicated, secure server. We execute Packs in a secure sandbox environment that isolates Pack executions from Coda’s broader infrastructure and data from other executions of Packs. The infrastructure receives an annual professional penetration test and receives constant evaluation via Coda’s bug bounty program.

3. Granular Pack controls for admins

This feature allows org admins on our Enterprise plans to establish policies to govern what aspects or functionality of the Pack can be used within their organization and control how Pack data is shared within Coda.

Pack configurations give organization administrators the ability to control:

Who within their organization can install a Pack.
What parts of that Pack can be used and how users can use the Pack.
How docs containing that Pack can be shared within their organization.

This gives you the peace of mind that:

Only some users have access to certain Packs.
Only allows some functionality of the Pack to be used by users.
Only allows docs with certain integration data to be shared with just users that have access to the Pack.

Learn how to configure your granular approach in this doc.

4. FAQs about Packs.

Click "learn more" to get an in-depth video explanation from the head of our Pack team about each topic.

Can a Pack maker access my credentials or data?

No, a Pack Maker cannot access your credentials or data in Coda. The Coda platform is designed to prevent unauthorized access to sensitive information. Learn more.

When I install a Pack, what exactly is it getting access to?

Packs only get access to the specific categories of data that you link through your accounts. The level of access is determined by the permissions granted to those accounts in the external application. Learn more.

What is the difference between a shared and private account? How can I make sure my teammates can / can NOT take action through my log-in?

The difference between a shared account and a private account lies in their usage and permissions. A shared account is intended for retrieving data and taking actions within a document or Pack. A private account is meant for individual users to take action using their own accounts. Learn more.

What are Coda’s best practices for Pack security? Any tips on managing access to data via third-party Pack accounts?

Learn more for the full video tutorial.

Review pack declarations: Carefully review the Pack's declarations about the websites it connects to and the categories of data it requests. This information is publicly available on the Pack listing page in Coda's Gallery or during the pack install dialog.
Utilize service access controls: Explore the settings of the external services you plan to use with Packs. Many services provide API or administrator settings that allow you to restrict the data accessible to external applications before it reaches Coda and the Pack.
Create role accounts: Instead of using real user accounts, consider creating role accounts specifically for integrating with Packs or other applications. These accounts can be dedicated for Pack usage and can have limited access to data.
Configure private accounts: Configure private accounts instead of shared accounts whenever possible.
Use Cross-doc for data syndication: Coda's Cross-doc feature allows you to sync data from a table or view in one doc to another doc. This way, only authorized users can access the complete dataset, while others only see limited views of the data.

Was this helpful?

YesNo