/Security

Your security responsibility: Part 2

Permissions management

In the last section we covered methods to secure who gets to access your sites. Now we're going to look at what permissions you want to give to those individuals who have access.

There are certain areas within the Duda platform that handle more sensitive data, and it’s important to be aware of how to manage access and security for these areas.

 We're going to run through each of these areas and share which permissions you can use restrict use of those features. (Note: We won't cover every available permission here—only those permissions that impact the areas of higher sensitivity.)

Managing permission sets

Both Team Permissions and Client Permissions should be managed using the principles of Least Privilege and Need-to-Know. In short:

Users should only have access to the features which are required for them to perform their jobs. 

If you haven't managed permissions sets with Duda before, know that one of Duda's goals is to make this process as painless as possible. To that end, Duda provides recommended permissions sets for specific team-member roles, as well as a UI designed to make selecting permissions straightforward.

Sensitive spaces in the platform

Okay! Let's review some of the more sensitive spots within Duda and the permission sets you can use to control a user's ability to use (or see) the features:

Possessing the power to control who has access to sites and the permissions of those individuals is a critical responsibility that should only be available to admins. Again, admins should follow the principles of Least Privilege and Need-to-Know in order to protect themselves and their clients.

The Payment tab within Client billing is only accessible to the account owner. This area contains sensitive billing information and should be protected to prevent unauthorized access.

Duda's powerful API can be used to control access, publishing, communications, and more. You do not want a bad actor gaining access to your API credentials. Granting who can and can't access (or reset) API credentials for your account is an admin-only privilege.

The activity log displays a record of the activities happening in your system including your team members and clients. This area should be protected and only visible to trusted individuals.

Given a site's publishing status has billing implications for your business, it's important to ensure that there's a strict process in place for determining who can publish sites.

The contact form submission area may contain personally identifiable information (PII) such as email addresses, physical addresses, names, phone numbers, and other details submitted via contact forms. Duda cannot restrict access to these submissions, so it is critical to ensure that only authorized users have access to this information.

Pages restricted to members-only may contain sensitive data that requires secure handling. These pages are intended for authorized users only, and any data they contain should be treated with the utmost care.

Both Duda’s Native eCommerce and Third Party Store solutions handle customer orders, which can include sensitive data like payment details and customer addresses. While Duda doesn't collect an extensive amount of sensitive information, it's still important to handle this area with care and ensure secure access for those who need it.

Security for third-party integrations, Apps, & custom code

There are ways several ways to extend a website's capabilities beyond what Duda offers natively. These areas also require special attention to ensure secure use. Let's review each one:

Many apps available in Duda’s App Store may also collect sensitive data. For example, Paperform can collect sensitive information. While Duda manages security for the platform itself, be aware of how these third-party apps handle data and ensure your team and your clients are using them securely.

Duda offers the ability to integrate with third-party solutions. Any user who can access the site can customize 3rd-party integrations. 

If those integrations transfer data to 3rd-party systems, it is the user's responsibility to manage access to those systems.

For example, if you use Zapier to push data to Google Sheets, it it your responsibility to manage those integrations and ensure that any data shared with third parties is also handled properly.

Duda also allows users to add custom code to websites. Custom code is great for extending the capabilities of your sites, but an introduce security risks— especially if someone is unfamiliar with the code they are adding to a site.

Make sure that any code added is secure, and that it does not expose the platform to vulnerabilities. Always review and test custom code thoroughly before deploying it.

Bottom line

Be aware that part of your security responsibility is to:

By following these best practices, you can help protect sensitive information and maintain a secure Duda environment.

Next up, we've got one more facet of security for you to manage for your account: privacy management.