At Duckly we take security and privacy very seriously. We are the first users of the service and we put all our effort in creating a service we would love to use and trust.

Secure calls and encryption

Calls are established using 256-bit TLS encryption and call video, audio, and media are protected by AES-128 encryption.

All the files shared from your IDE are always shared via peer-to-peer and are end-to-end encrypted. The files can only be accessed by the call participants you are in. No data touches our servers.

We collect data about how our features are used and any errors users encounter for sole the purposes of making the services better.

We use for our calls that is hosted on AWS infrastructure located around the world. Data centers are SOC 1, SOC 2, and ISO 27001 certified with 24/7 operations and enterprise-grade security. You can learn more about its security at

Calls and chat messages with 4 or fewer participants are peer-to-peer and end-to-end encrypted. We don't record nor have access to the meetings.

When a fifth participant joins, the call seamlessly switches to the cloud infrastructure. Cloud-connected calls are encrypted to and from cloud servers. Media that is decrypted and re-encrypted in the cloud always happens in memory and at the application layer, so we never have access to your calls.

Our servers and services are hosted on Google Cloud Platform which provides a secure network and computing environment. Including but not limited to firewalls at network or application level, data encryption, DDoS mitigation, etc.

External access

Any access to our servers, source code and third-party tools is secured with 2-factor authentication.

Even that we are a small team, we all have the lowest level of access that allow us to get the work done. This never includes access to production besides rare exceptions when this could be required.

Duckly bug bounty

If you think you have found a security issue, please email us at security @ with a description and the step-by-step instructions on how to reproduce.

Duckly will reward for qualifying and non-duplicated reports up to $5000 depending on the severity, maximum impact, probability of attack-scenarios and the quality of the report.

Please do not publicly disclose the issue until we have had a reasonable time to review it and address it. Do not interact with other accounts or teams without their explicit permission. Do not exploit any security issue for any other reason than for testing purposes.