Why Coda is Sticking with Secureframe to Get HIPAA Compliant After Achieving SOC 2 Compliance

Coda is the all-in-one doc for teams. In a world full of applications, why do documents and spreadsheets still run the world? And why haven’t they been updated in over 50 years? Coda is a new kind of doc that brings words, data, and teams together. It comes with a set of building blocks that anyone can combine to create a doc as powerful as an app.


“The team, the attention, and the expertise are 100% the reason we stay with Secureframe. Given the A-to-B, easy process we had with Secureframe for SOC 2, it was a no-brainer to use it to organize our HIPAA compliance.”

Khoi Pham, IT Lead, Coda




  • Several large opportunities depended on getting SOC 2 compliant.
  • Wanted to demonstrate commitment to security to customers.
  • Needed a security compliance automation platform and partner.


Secureframe met Coda's needs by providing several advantages:

  • Vital expertise and true partnership with the Secureframe compliance team.
  • Personalized support from customer support.
  • A comprehensive platform with everything they needed to get audit-ready.


  • Got SOC 2 Type I and II reports without hiring an external consultant.
  • Unlocked revenue by closing several deals that would not have been possible without SOC 2.
  • Improved and maintained their security, privacy, and compliance posture.
  • Decided to get HIPAA compliant with Secureframe’s help next.


Needed to partner with a new security compliance vendor to get SOC 2 compliant quickly to close several large opportunities

Coda has a strong security culture with talented and experienced leaders on the engineering and security side. Getting SOC 2 compliant would not only be critical to closing large opportunities — it would also signal to customers that they’re doing as much as they can to keep their data secure and building their product with security in mind.

Coda was initially using a different security compliance automation platform, but ultimately decided they wanted to work with a product that would truly partner with them and not just be another tool they use. However, migrating to another platform would mean extra effort to move data from one system to another.


Secureframe’s platform combined with customer support and compliance expertise made the entire process easy

With personalized support from Secureframe’s customer support team, Coda was able to migrate configurations, assets and integrations over quickly and seamlessly. The team helped set up Coda’s team so they understood how they would be using Secureframe on a day-to-day basis.


“What pushes past something being just a tool is the partnership you get out of it. The Secureframe team has been a game changer for us.”

Secureframe’s platform provided everything Coda needed to get audit-ready quickly, from automated evidence gathering to auditor-approved policy templates.

There are always unique audit issues that come up because every company and auditor is different. Secureframe’s compliance experts were there to help provide guidance as audit issues came up, which ultimately led to a smooth audit experience.


“The Secureframe team’s expertise and speed-to-response to get things solved is a difference-maker for us.”


Unlocked revenue, saved time and money, and got peace of mind that they are maintaining SOC 2 compliance

With the SOC 2 report in hand, Coda was able to win a lot of opportunities that would not have otherwise closed.

Coda also saved time and money by not needing to hire an external consultant. Consultants are often expensive and still require companies to perform a lot of manual tasks, like providing InfoSec evidence and an inventory of employee assets.

Secureframe as a platform also continuously monitors Coda’s security posture so they have peace of mind that they stay compliant. Now it’s easier for Coda to prove their security posture to customers and prospects.


“With Secureframe and the onboarding piece spelled out, it saved us a lot of time versus having a consultant. Even with a consultant, it’s not possible to do things like bringing in infrastructure, having an asset inventory, and monitoring employee compliance.”