Settings
Manage your organization or account settings and preferences.
Overview
The Settings section centralizes all controls for your organization and your personal account. Here you can manage your organization’s profile, members, roles, billing, integrations, and account details.
Settings
Here you can configure your Organization Logo, Name, Slug, and retrieve your Organization UUID.
- Logo: Use a square image (minimum 200×200px) that works well in both light and dark themes. PNG or SVG is recommended.
- Name: Displayed across all modules and reports.
- Slug: A unique, URL-safe identifier automatically generated from the name. Used in links and references.
- UUID: The immutable identifier for your organization. Useful when contacting support or for integrations.
You can create multiple organizations. Each requires its own subscription. You are automatically assigned the Owner role in new organizations you create.
On-Premise Option
For unlimited organizations and advanced infrastructure control, see our On-Premise solution.
Ownership
Ownership can be transferred to another member. The process is instant and can only be undone by the new Owner. This is useful for handovers or restructuring.
Deletion
Deleting an organization is permanent. All data (policies, risks, assets, frameworks, etc.) will be irreversibly removed.
Deleting an Organization
Deletion starts immediately once the organization name is confirmed. There is no second confirmation step. Only the Owner can delete an organization.
Members
Organizations work best with multiple members collaborating toward compliance goals.
Invitations
- Invite members via email.
- Invited users receive a link to join.
- Invitations can be revoked or resent before acceptance.
- Pending invitations are listed beneath the member list.
Account Creation
Invitees must create an account before joining. Once their account is created, they will see pending invitations on their dashboard.
Member Types
- Owner: Full control, including billing, member management, and organization deletion.
- Admin: Manage policies, risks, frameworks, and members. Cannot transfer or delete ownership.
- Member: Limited access. Can collaborate on content but cannot change organizational settings.
- Auditor (coming soon): Read-only access for reviews and external auditors.
Roles
Roles represent business functions and can be assigned to multiple members. Unlike member types, roles do not grant permissions. They are used to group members and attach responsibilities to objects such as Assets, Risks, or Policies.
Examples
- CEO: Single user linked to executive responsibilities.
- Developers: Group of technical staff involved with risk and asset management.
- Managers: Leadership group, which may include the CEO and other department leads.
- Team: A collective group where all users are included.
We recommend creating roles per department or function (e.g., Sales, Marketing, Legal) to reflect your organizational structure.
Deleting Roles
Deleting a role removes its associations across all linked objects. Carefully review dependencies before deletion.
Billing
Billing is managed at the organization level. Each organization has one subscription, independent of the number of users.
- Plans are billed monthly or annually.
- The annual plan provides a ~20% discount (two months free).
- You can cancel anytime via the interface. The subscription remains active until the end of the billing cycle.
- Canceled plans are not refunded.
For details see our Pricing page.
SAML Integration
We support SAML Single Sign-On (SSO) so users can authenticate with your existing Identity Provider (IdP).
This integration requires exchanging configuration information about your identity provider, such as the URL and the certificate. Once we have this information, we will configure the integration for you.
Annual Plan
SAML SSO is available on the annual plan, which also includes a ~20% discount.
On-Premise Integration
We offer an On-Premise deployment to run devguard in a selected AWS region or within your own infrastructure.
This allows:
- Unlimited organizations under one license.
- Dedicated hosting for regulatory or residency requirements.
- Greater control of data and system integration.
Infrastructure Requirements
Minimum Requirements
- Support for Docker images
- Ability to whitelist authentication and framework endpoints
- Availability of PostgreSQL, Redis, and a message broker
Costs depend on the chosen environment:
- AWS: Billed per instance and region.
- Self-hosted: Based on your hardware and the level of setup and support required.
Account
Manage your personal account details and preferences.
Profile
Update your Avatar, Name, Email, and Password. You can also choose your preferred theme (light/dark) and language.
Notifications
- System Notifications: Mandatory. Used for invitations, alerts, and critical updates.
- Marketing Notifications: Optional. Subscribe/unsubscribe for product news and promotions.
Expert Mode
Enable Expert Mode to display additional object information such as UUID, creation date, and last updated date. This is useful for debugging, data exports, and imports.
Deleting an Account
Account deletion is irreversible. You must transfer or delete ownership of all organizations before deleting your account.
Two-Factor Authentication
Enable Two-Factor Authentication to add an extra layer of security to your account. When enabled, you must enter a code sent to your phone or email every time you log in, in addition to your password.
Tokens
API tokens allow you to authenticate with the devguard API programmatically. Keep your tokens secure and never expose them in client-side code or public repositories.
- Store tokens securely using environment variables or secret management systems
- Never commit tokens to version control or expose them in client-side code
- Use tokens with the minimum required permissions for each use case
- Regularly rotate tokens and delete unused ones
- Set appropriate expiration times based on your security requirements
To authenticate, include your API token in the Authorization header as a Bearer token with all API requests. You also need to provide the organizationId in the request body. Here are some common API usage examples:
```bash
curl -X GET "https://app.devguard.ch/api/assets/?organizationId=UUID" \
  -H "Authorization: Bearer dvg_your_token_here" \
  -H "Content-Type: application/json"
```

```javascript
const url = 'https://app.devguard.ch/api/assets/?organizationId=UUID';
const res = await fetch(url, {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer dvg_your_token_here',
    'Content-Type': 'application/json',
  },
});
const data = await res.json();
console.log(data);
```

```python
import requests

url = "https://app.devguard.ch/api/assets/"
params = {"organizationId": "UUID"}
headers = {
    "Authorization": "Bearer dvg_your_token_here",
    "Content-Type": "application/json",
}
response = requests.get(url, headers=headers, params=params)
print(response.json())
```

```rust
use reqwest::blocking::Client;
use std::error::Error;

fn main() -> Result<(), Box<dyn Error>> {
    let client = Client::new();
    let url = "https://app.devguard.ch/api/assets/";
    let org_id = "UUID";
    let res = client
        .get(url)
        .query(&[("organizationId", org_id)])
        .header("Authorization", "Bearer dvg_your_token_here")
        .header("Content-Type", "application/json")
        .send()?;
    let body = res.text()?;
    println!("{}", body);
    Ok(())
}
```

```java
import java.net.http.*;
import java.net.URI;
import java.io.IOException;

public class DevguardExample {
    public static void main(String[] args) throws IOException, InterruptedException {
        String token = "dvg_your_token_here";
        String orgId = "UUID";
        String url = "https://app.devguard.ch/api/assets/?organizationId=" + orgId;
        HttpRequest request = HttpRequest.newBuilder()
            .uri(URI.create(url))
            .header("Authorization", "Bearer " + token)
            .header("Content-Type", "application/json")
            .GET()
            .build();
        HttpClient client = HttpClient.newHttpClient();
        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println(response.body());
    }
}
```

Go to our API documentation for all available endpoints and resources.
Rate Limiting
API requests are rate-limited based on your token's configuration. The default limit is 1000 requests per hour. Rate limit information is included in the response headers:
- X-RateLimit-Limit - Maximum requests per window
- X-RateLimit-Remaining - Requests remaining in the current window
- X-RateLimit-Reset - Window reset time (Unix timestamp)
Error Handling
The API uses standard HTTP status codes. Common responses include:
- 200 OK - Request succeeded
- 401 Unauthorized - Invalid or missing API token
- 403 Forbidden - Token lacks required permissions
- 429 Too Many Requests - Rate limit exceeded
- 500 Internal Server Error - Server error
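The token-handling guidance, the rate-limit headers and the status codes above fit together in one small client. The following is an added example, not devguard's own SDK or code from this page: it reads the token from an environment variable instead of hard-coding it, sends it as a Bearer header, parses the three X-RateLimit-* headers, waits until X-RateLimit-Reset before retrying a 429, and turns 401/403 into a distinct authentication error. The `DEVGUARD_TOKEN` and `DEVGUARD_ORG_ID` variable names, the `/assets/` path shape, the placeholder UUID and the scripted responses in `demo()` are assumptions constructed for the example; the transport is injectable so the logic can be exercised offline.

```python
"""Hypothetical devguard API client: added example, not the project's own SDK."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Tuple

BASE_URL = "https://app.devguard.ch/api"  # base URL taken from the page's examples

# A transport performs one GET and returns (status_code, headers, body_bytes).
# It is a parameter so the retry/rate-limit logic can be tested without network.
Transport = Callable[[str, Mapping[str, str]], Tuple[int, Mapping[str, str], bytes]]


def urllib_transport(url: str, headers: Mapping[str, str]) -> Tuple[int, Mapping[str, str], bytes]:
    """Real transport using only the standard library; HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers=dict(headers), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


@dataclass(frozen=True)
class RateLimit:
    limit: Optional[int]      # X-RateLimit-Limit
    remaining: Optional[int]  # X-RateLimit-Remaining
    reset: Optional[int]      # X-RateLimit-Reset (Unix timestamp)


def parse_rate_limit(headers: Mapping[str, str]) -> RateLimit:
    """Parse the documented headers case-insensitively; missing headers become None."""
    lowered = {k.lower(): v for k, v in headers.items()}

    def _int(name: str) -> Optional[int]:
        value = lowered.get(name.lower())
        return int(value) if value not in (None, "") else None

    return RateLimit(_int("X-RateLimit-Limit"), _int("X-RateLimit-Remaining"), _int("X-RateLimit-Reset"))


class DevguardAuthError(Exception):
    """401 (invalid/missing token) or 403 (token lacks permission)."""


class DevguardAPIError(Exception):
    """Any other non-success response, including an exhausted 429 retry budget."""


class DevguardClient:
    def __init__(self, token: Optional[str] = None, org_id: Optional[str] = None,
                 transport: Transport = urllib_transport, sleep=time.sleep, now=time.time,
                 max_retries: int = 2):
        # Secrets come from the environment (assumed variable names), never from source code.
        self.token = token or os.environ["DEVGUARD_TOKEN"]
        self.org_id = org_id or os.environ["DEVGUARD_ORG_ID"]
        self.transport, self.sleep, self.now, self.max_retries = transport, sleep, now, max_retries
        self.last_rate_limit = RateLimit(None, None, None)

    def get(self, path: str, **params):
        params["organizationId"] = self.org_id
        url = f"{BASE_URL}{path}?{urllib.parse.urlencode(params)}"
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        for attempt in range(self.max_retries + 1):
            status, resp_headers, body = self.transport(url, headers)
            self.last_rate_limit = parse_rate_limit(resp_headers)
            if status == 200:
                return json.loads(body or b"null")
            if status == 429 and attempt < self.max_retries:
                # Wait until the window resets (capped at 60s), then retry once more.
                reset = self.last_rate_limit.reset
                wait = max(0.0, reset - self.now()) if reset is not None else 1.0
                self.sleep(min(wait, 60.0))
                continue
            if status in (401, 403):
                raise DevguardAuthError(f"HTTP {status}: check token validity and permissions")
            raise DevguardAPIError(f"HTTP {status}: {body[:200]!r}")
        raise DevguardAPIError("rate limit still exceeded after retries")


class FakeTransport:
    """Constructed offline stand-in that replays scripted (status, headers, body) tuples."""
    def __init__(self, responses):
        self.responses = list(responses)
        self.calls = []

    def __call__(self, url, headers):
        self.calls.append((url, dict(headers)))
        return self.responses.pop(0)


def demo():
    """Constructed scenario: first call is rate-limited (429), the retry succeeds (200)."""
    reset_at = 1_700_000_060  # constructed X-RateLimit-Reset value
    fake = FakeTransport([
        (429, {"X-RateLimit-Limit": "1000", "X-RateLimit-Remaining": "0",
               "X-RateLimit-Reset": str(reset_at)}, b'{"error":"rate limit exceeded"}'),
        (200, {"X-RateLimit-Limit": "1000", "X-RateLimit-Remaining": "999",
               "X-RateLimit-Reset": str(reset_at + 3600)}, b'[{"id":"asset-1"}]'),
    ])
    sleeps = []
    client = DevguardClient(token="dvg_example_token",  # constructed placeholder token
                            org_id="00000000-0000-0000-0000-000000000000",  # placeholder UUID
                            transport=fake, sleep=sleeps.append, now=lambda: reset_at - 5)
    assets = client.get("/assets/")
    return {"assets": assets, "sleeps": sleeps, "calls": fake.calls,
            "rate_limit": client.last_rate_limit}


if __name__ == "__main__":
    print(demo())
```

With the real transport, `DevguardClient().get("/assets/")` reads the token and organization id from the environment; the injected `sleep` and `now` callables exist only so the retry delay can be checked deterministically.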
About
The About section provides transparency into the application:
- Current version and release details
- Company details and contact information
- Quick access to documentation and support channels
This helps you stay informed about the state of the platform and reach us when needed.