Duda takes security seriously

Let’s start by understanding Duda's security goals and the steps Duda takes behind the scenes to proactively protect you and your clients.

Duda's security goals

Maintaining security is a multi-faceted effort with many moving parts. However, the aim of it all is to:

  • Prevent downtime for live sites
  • Protect site owners and visitors from abusive use by bad actors
  • No malicious files shared through Duda sites!
  • Protect Duda’s platform from any unauthorized use that could lead to data breaches or cyber attacks

To achieve these security goals, Duda has many technical and organizational operating measures in place to ensure we’re meeting or exceeding industry standards.

Duda’s platform, infrastructure, & development processes

At Duda, security starts before the very first line of code is written and remains a priority throughout the entire development process. The list below highlights many components of our security practices that we want you to be aware of, but don't require any action on your part.

  • Secure Software Development Lifecycle (SDLC) practices

    Duda integrates industry-leading security practices throughout its development process. By incorporating strict governance policies and best-practice organizational procedures, Duda ensures that security remains a core focus during product development.

  • Security testing & vulnerability management

    To prevent and mitigate security risks, Duda employs:

    Automated Scanning to identify security vulnerabilities before they become threats. This includes regular scans of open source packages (SCA), code (SAST), web applications (DAST), and cloud infrastructure.

    Continuous Patch Deployment to ensure that the platform remains up to date with the latest security fixes.

    Advanced systems to mitigate denial of service (DoS/DDoS) attacks against the platform.

    Penetration Testing. We conduct blackbox security assessments to identify and address vulnerabilities before attackers can exploit them.

  • Site builders (i.e., YOU)

    Here we're referring to the organizations (agencies or SaaS businesses) who build and maintain a portfolio of websites for clients.

  • GDPR readiness & privacy

    Duda helps agencies comply with strict privacy regulations by offering:

    Europe-Only Hosting in Frankfurt to ensure data residency requirements are met.

    Advanced Cookie Compliance Integrations to support site owners and agencies with tools to manage end-user privacy preferences.

    This is especially important for businesses that engage with customer data via ecommerce transactions. More on this later.

  • Development of security features

    We'll talk about the security features of Duda's platform that you'll engage with as a site builder in the next lesson. For now, just know that security is baked into the infrastructure, tools, and processes that go into developing those features.

Did you know?

In our 'Layers of security' diagram, you may recall a layer that captures the role of 3rd-party applications. While Duda can't monitor code for every possible app that could be embedded into a site, rest assured that the apps in our app store have gone through a thorough vetting process to ensure that they, too, have good security practices in place.

Other security practices within Duda

In addition to the technology-related practices mentioned above, Duda also adheres to policies designed to maintain global security standards to ensure your data is in good hands. Additional measures include:

Secure information practices

Duda follows an ever-improving information security policy aligned with ISO 27001:2022, a globally recognized data security standard.

This commitment ensures that user and client data is managed with the highest level of security.

Insurance & preparedness

In case a threat or security incident is discovered, Duda has a documented Incident Response plan to ensure we're ready to respond quickly and efficiently.

Duda also carries cyber insurance to further protect ourselves and our clients.

'Least privilege' access measures

Employee access to customer Personally Identifiable Information (PII) data is only available on a need-to-know basis.

On top of these restrictions, Duda will not provide users’ PII and/or business data unless proper verification of the identity of the account owner is established.

Training & dedicated security personnel

Duda has an Information Security manager who reports directly to our executives to ensure optimal communication about security-related topics.

In addition, all Duda employees undergo routine security training sessions to help bring awareness to threats and their role in maintaining security.

'Delete and Destroy' Policy

Duda follows strict data retention policies. Customer data is only stored as long as an active agreement exists.

Once the agreement ends, data is permanently destroyed, ensuring compliance with privacy regulations and reducing the risk of data exposure.

If you're interested in more about Duda's security measures, check out this article in our support portal.

Next, let's look at that next layer of security: the considerations and features available to you as an organization creating websites with Duda.