/Security

Your company's security checklist

The list below contains general security recommendations —not unique to Duda— that you should be mindful of in your professional life. Although cyber security measures frequently adapt to counter ever-evolving threats, these security guidelines remain consistent year after year.  As you read through, think about the security practices at your company and identify areas for improvement.

Best practices for strong security

Use strong, unique passwords or use biometric authentication

Creating strong, unique passwords is the first line of defense against unauthorized access to your accounts. This is crucial in preventing a variety of attacks, such as brute-force or credential stuffing.

  • Whenever possible, enable fingerprint scanning or facial recognition as an additional layer of security for easy, but secure, access to company devices


For Duda account owners:

Duda does not currently enforce password rotations, however, we strongly recommended that you update your passwords every three months to further enhance your account's security.

Use Two-Step Verification (2SV) or Two-Factor Authentication (2FA) when available

We highly encourage users to either use Google SSO for login, as it leverages Google’s robust security infrastructure, or enable 2-Step Verification (2SV) directly within the Duda platform. Both options provide an extra layer of protection, ensuring your account remains secure even if your password is compromised.

Keep software and browsers up to date

Always keep your operating systems, web browsers, and software applications up to date with the latest security patches and features. Outdated software can have vulnerabilities that hackers may exploit. This is why Duda only supports the latest versions of browsers.

(See our System Requirements article.)

Use antivirus and anti-malware software

Make sure your teams have reliable antivirus and anti-malware software installed and kept up to date to maintain a secure environment.

Be caution when using 3rd-party APIs and external code

When using 3rd-party APIs, research the API providers' security track record.

In addition:

  • Read the API documentation carefully to understand what data is collected, stored, and shared
  • Rotate API keys regularly and store them securely (never hardcode them in your codebase!)
  • Regularly review API permissions and revoke access when it’s no longer needed

Securing company-provided devices

Locking and encrypting your company's devices ensures that even if they are lost or stolen, unauthorized users cannot access sensitive information. To do this:


  • Enable device encryption: Most modern operating systems, like Windows, macOS, iOS, and Android, offer built-in encryption. Turn on full disk encryption (e.g., BitLocker for Windows, FileVault for macOS, or Android/Apple's native encryption features) to protect your data even if a device is compromised.


  • Company-approved devices only: Only company-provisioned devices should be permitted on the company network and its cloud platforms. While employees can use personal phones to access certain collaboration and reporting tools, only company laptops should be permitted for work.


  • Enable automatic locking: Set your devices to lock after a short period of inactivity to minimize the chances of someone accessing it if you forget to lock it manually.


  • External storage restrictions: The use of external storage devices should be prohibited unless explicitly approved by your security/IT professional.


  • Data security on devices: Devices must never be left unattended in public spaces, especially while traveling. Ask your team to report any lost or stolen devices immediately.

Require regular security training

Training your employees about cyber threats is crucial. Human error is one of the biggest security risks businesses face. Even the most advanced security systems can’t protect against mistakes like clicking on phishing emails, using weak passwords, or mishandling sensitive data.


Regular training helps employees recognize threats, follow best practices, and respond appropriately to potential attacks. By fostering a security-first mindset, you create a stronger defense against cybercriminals and reduce the risk of data breaches, financial loss, and reputational damage.

Be cautious with public Wi-Fi

Public Wi-Fi networks are less secure than private networks. If an employee routinely needs to do work from hotels, or coffee shops, use of a VPN can offer additional security.

Backup your data

Regular backups ensure that your important files are safe, even if your device is compromised or lost. However, it’s a protective measure rather than a preventative one.


For Duda sites, Duda automatically creates up to 50 backups of your sites, ensuring that you can restore your site to a previous version if needed. Additionally, site owners have the ability to create their own backups at any time. For more information on how to manage backups in Duda, visit this article on backing up your site.

Bottom line

Be aware that part of your security responsibility is to:

  • manage access to sensitive areas of the platform
  • take extra care with third-party integrations to ensure that they are properly secured
  • manage custom code carefully and always prioritize security when adding or editing code on the platform

By following these best practices, you can help protect sensitive information and maintain a secure Duda environment.


Next up: we're going to run through some of the features within Duda's platform that we recommend using to enhance security beyond access controls.