Security & Data Protection


Updated: Oct, 16 2025 02:27 PM


Introduction

We take the security, confidentiality, integrity, and availability of your data very seriously. This page describes what technical, physical, and organizational measures we implement — and the security standards and certifications we adhere to — to protect your information.


Security Governance & Compliance Frameworks


ISO / International Standards

  • Our web platform (via Duda) operates under an ISO/IEC 27001:2022 aligned Information Security Management System.
  • Where applicable, our cloud and SaaS providers (Google Cloud / Google Workspace) are also certified to ISO/IEC 27001:2022.
  • Our usage of Zoho services is governed by their compliance with ISO/IEC 27017 (cloud security) and ISO/IEC 27018 (protection of personally identifiable information in clouds) and extended privacy controls under ISO/IEC 27701.
  • Zoho also maintains SOC 2 Type II compliance for many of its services.


By aligning with these standards, our providers and infrastructure adopt industry-recognized best practices for risk management, incident response, access controls, cryptography, and continuous improvement.


Infrastructure & Host Security (via Duda + Google Cloud)


Duda Platform Security

  • Duda implements strong information security policies and continuous review processes in alignment with ISO 27001:2022.
  • All websites built with Duda use automatic SSL / TLS encryption by default.
  • Duda enforces HTTP Strict Transport Security (HSTS) to prevent protocol downgrade attacks or cookie hijacking.
  • Role-based access controls and granular user permissions help ensure that only authorized users can edit or administer parts of the site.
  • Network protections include application firewalls, DDoS mitigation, monitoring, and intrusion detection systems as part of Duda’s infrastructure security.
  • Remote administrative access is restricted via VPN, SSH tunnels, and two-factor authentication.


Underlying Cloud / Hosting (Google Cloud) Security

  • Google Cloud (which underpins many services we rely on) follows a “security-first” architecture with layers of defense — physical, network, hardware, software, and identity layers.
  • Access to infrastructure is tightly controlled. Google implements privileged access restrictions, just-in-time access, role-based permissions, and rigorous logging.
  • Google’s services (including Google Workspace) are ISO/IEC 27001:2022 certified.
  • Encryption is used both in transit (TLS) and at rest (AES, etc.).
  • Key and secret management is performed using secure key management systems (e.g. Cloud KMS) with options for customer-managed keys.
  • Google provides tools such as Identity and Access Management (IAM), VPC Service Controls, Security Command Center, and more for threat detection, perimeter control, and policy enforcement.


Application & Data Layer Security


Encryption & Data Protection

  • Data is encrypted while in transit (TLS) and at rest using strong encryption algorithms.
  • Encryption keys are managed securely, separated where possible from data, and access to keys is restricted.


Data Segmentation & Access Controls

  • Each account, client, or tenant’s data is logically segregated to prevent unauthorized cross-access.
  • Least privilege principle is enforced: users and system components get only the permissions they strictly need (no broad “admin everywhere” access).
  • Multi-factor authentication (MFA/2FA) is mandatory for administrative accounts.


Secure Development & Change Controls

  • All code and platform updates go through secure development lifecycle (SDL) practices: code reviews, vulnerability scanning, static/dynamic analysis, and staging before deployment. (This is standard among mature SaaS providers.)
  • Change management and version control are tracked, and roll-back controls exist in case of deployment issues.


Monitoring, Logging & Incident Detection

  • All platforms maintain logs for access, changes, errors, and system events.
  • Automated alerting systems monitor for anomalous behavior, intrusion detection, and suspicious access patterns.
  • Regular internal and external security assessments, including penetration tests and vulnerability scans, are performed.
  • An Incident Response Plan is documented, tested, and updated periodically to ensure timely and effective reaction to any breach or security event.


Physical, Operational & Organizational Security

  • Data centers used by Google or underlying hosting providers maintain rigorous physical security: restricted access, biometric controls, surveillance, environmental controls, and disaster protection.
  • Our own internal operations enforce strict policies:
    • Background checks and confidentiality obligations (NDAs) for staff with access to sensitive systems
    • Security awareness training and periodic refreshers
    • Access revocation upon termination or role change
    • Vendor and third-party risk management (ensuring sub-processors comply with equivalent security standards)


Business Continuity & Disaster Recovery

  • Regular backups are taken and stored in geographically separate locations.
  • Disaster recovery plans and failover architectures are in place to maintain availability in the event of outages or catastrophic failures.
  • Continuity of operations is tested periodically to validate the recovery procedures and minimize downtime risk.


Data Privacy & Compliance

  • We process personal data in compliance with applicable privacy laws and regulations.
  • We ensure that our cloud service providers (Google, Zoho, Duda) abide by relevant privacy practices such as those in ISO/IEC 27018 regarding protection of personally identifiable information (PII) in the cloud.
  • Where requested or required by contract, we will provide customers or users with required audit or compliance reports (e.g. certificates, service compliance documents).
  • In case of a data breach, we maintain procedures for timely notification to affected parties and regulators as required by law or contract.


Limitations & Disclaimers

  • While we employ industry-leading measures, no system is completely immune from attack. There is always residual risk of zero-day vulnerabilities or advanced sophisticated attacks.
  • Our security is only as strong as the controls used by our users (e.g. if a user uses weak passwords or shares credentials, that is a weak link).
  • This page describes our security posture at a high level; proprietary implementation details, configuration settings, or internal controls cannot be publicly disclosed for security reasons.