Security best practices for your Document360 project are a set of recommended configurations and habits that project owners and team managers can apply to reduce the risk of unauthorised access, data loss, or unintended exposure of your knowledge base. While Document360 secures the underlying infrastructure, the practices in this article are within your control and directly affect how protected your project is. Following these recommendations helps you stay in control of who can access your data and how it is managed.
When to apply these practices
Use these practices when:
- You are setting up a new Document360 project for the first time and want to start with a secure configuration.
- You are onboarding new team members and need to assign the right access levels.
- You are integrating Document360 with external systems using API tokens.
- You want to ensure your project data can be recovered quickly after an accidental change or data loss event.
- You need to control whether your knowledge base is visible to the public or restricted to internal users only.
Best practices
Protect your API keys
Do not share API keys over unsecured networks, in public repositories, or via less secure communication channels. An exposed API key can be used to view or exploit your data. If a key is exposed, delete it immediately and generate a new one.
For more information, see Creating Document360 API tokens.
Scope API key permissions
Grant each API key only the permissions it needs for its intended purpose. For example, if an API key is only used to retrieve data, assign it the GET method only — this prevents anyone using that key from modifying your data even if it is compromised.
For more information, see Creating Document360 API tokens.
Assign the correct team roles
Give each team member only the access level their role requires. Document360 provides built-in roles that correspond to specific access levels, making it straightforward to manage permissions consistently across your team. The team manager should review and assign roles carefully to prevent unauthorised changes to documentation.
For more information, see Team roles and permissions explained.
Use backups proactively
Your project is automatically backed up every day at 00:00 UTC, with daily, weekly, and monthly backups retained for up to one month. In addition to automatic backups, trigger a manual backup before making significant changes to your project. Both automatic and manual backups cover Settings, Landing Page, Documentation, and Entire Project contents, and can be restored at any time to return to a previous version.
For more information, see Backup and restore.
Make your documentation private when appropriate
If your knowledge base is intended for internal team members only, set the project to private so it is not accessible to the public. Document360 allows project owners to control the visibility of their documentation to suit different use cases — public, private, or a mix of both.
For more information, see Making a knowledge base private.
FAQ
What should I do if an API key is accidentally exposed?
Delete the exposed key immediately from your Document360 project settings and generate a new one. An exposed key can be used to view or modify your data, so it is important to act quickly. See Creating Document360 API tokens for steps.
Can I restore my project to a version from two weeks ago?
Yes. Daily, weekly, and monthly backups are retained for up to one month, so you can restore to any backup taken within that window. You can also trigger a manual backup at any time for an on-demand snapshot. See Backup and restore for steps.
Can I make only part of my knowledge base private?
Yes. Document360 supports mixed projects where some versions are public and others are private. This lets you keep internal documentation restricted while making other content publicly accessible. See Making a knowledge base private for configuration details.
For more information about Document360's security and infrastructure, contact us or book a demo with our experts.