What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages GDPR (particularly lawful basis requirements, data subject rights, and cross-border transfer mechanisms including Standard Contractual Clauses) for EEA and UK users, and CCPA/CPRA for California residents including rights to know, delete, correct, and opt out of sale or sharing of personal information. The FTC Act is relevant to Cisco's consumer-facing data practices in the United States. For organizations in regulated sectors such as healthcare or fina…

How does Duo Security's Duo Privacy affect users?

Cisco collects authentication logs, device identifiers, IP addresses, and usage data from Duo users and website visitors, with authorization to share this data among affiliates and service providers. For end users whose employers have deployed Duo, the applicable privacy obligations and individual rights are established through a separate data processing agreement between the employer and Cisco rather than through this public policy, meaning individual rights against Cisco may be limited or exe…

How often is Duo Security's Duo Privacy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Duo Security updates this document?

Yes. Monitor subscribers ($19/month) can add Duo Security to their watchlist and receive same-day email alerts whenever this document or any other Duo Security document changes.

CA-D-000696

Duo Privacy

Duo Security

Last change detected May 5, 2026 Privacy policy

SHA-256: d9afe9414eec7f10260… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Duo Security ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

9 Total

0 High severity

6 Medium severity

3 Low severity

Summary

This document establishes Cisco's privacy policy for Duo Security products, websites, and services, specifying categories of personal data collected including authentication logs, device identifiers, IP addresses, and usage patterns. The policy authorizes Cisco to use collected data for product improvement and internal system training, and permits sharing this data with Cisco's global affiliates and service providers. For users in the EU or California, the policy establishes data subject rights including access, correction, and deletion, exercisable through Cisco's Privacy Request portal.

Technical / Legal Breakdown

This document is the Cisco Online Privacy Statement governing Cisco's collection, use, and sharing of personal data across Cisco and Duo Security websites, products, and services, with legal bases including consent, legitimate interests, contractual necessity, and legal obligation depending on jurisdiction. The statement asserts that Cisco collects a broad range of personal data including identifiers, authentication logs, device information, usage data, and geolocation, and the terms authorize sharing this data with Cisco affiliates, business partners, service providers, and in connection with corporate transactions such as mergers or acquisitions. The statement reserves the right to use personal data for product improvement, security research, and AI/ML model development, which extends beyond transactional service delivery and may warrant scrutiny under data minimization principles applicable in certain jurisdictions. The policy engages GDPR and EU adequacy frameworks for EEA residents, CCPA and CPRA for California residents, and references compliance with sector-specific frameworks relevant to Duo's authentication and identity management context; applicability of specific protections depends on user location and applicable law. Organizations deploying Duo as a B2B security product should note that employee authentication data processed through Duo may be governed by separate data processing agreements rather than this consumer-facing statement, creating a dual-layer governance structure that compliance teams should map carefully.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

Medium — 6 provisions

Personal Data Collection Scope Compare →

Cisco collects a wide range of personal information about you including your name, contact details, device identifiers, IP address, and detailed logs of every time you authenticate through Duo including what device you used and what application you accessed.

Added May 9, 2026 Standard Seen across 284 platforms
Data Sharing with Affiliates and Third Parties Compare →

Cisco can share your personal data with its global family of companies, its business partners and resellers, and third-party service providers, as well as with any company that acquires Cisco or Duo in a future transaction.

Added May 9, 2026 Standard Seen across 252 platforms
Use of Data for AI and Product Improvement Compare →

Cisco may use your authentication logs and other personal data to train and improve its AI and machine learning systems embedded in Duo and other Cisco products.

Added May 9, 2026 Standard Seen across 284 platforms
Cross-Border Data Transfers Compare →

If you are in the EU, UK, or Switzerland, your personal data may be transferred to the United States or other countries, and Cisco relies on Standard Contractual Clauses as the legal mechanism to protect that data during the transfer.

Added May 9, 2026 Standard Seen across 284 platforms
California Resident Rights (CCPA/CPRA) Compare →

California residents have specific legal rights to know what data Cisco holds about them, delete it, correct it, and opt out of any sale or sharing of their personal information for targeted advertising or other purposes.

Added May 9, 2026 Standard Seen across 284 platforms
Data Retention Compare →

Cisco keeps your personal data for as long as it considers necessary for its business purposes or as required by law, but does not specify fixed retention periods for most data categories.

Added May 9, 2026 Standard Seen across 284 platforms

Low — 3 provisions

Cookies and Tracking Technologies Compare →

Cisco uses cookies and tracking tools from itself and third-party partners on the Duo website to track your browsing behavior, which pages you visit, and how long you spend on them, and uses that data for analytics and advertising.

Added May 9, 2026 Standard Seen across 284 platforms
Children's Privacy Compare →

Cisco states that Duo's products are not meant for children under 16 and that it will delete any personal data collected from children under 16 if discovered.

Added May 9, 2026 Standard Seen across 284 platforms
Security Safeguards Disclaimer Compare →

Cisco says it uses reasonable security measures to protect your data but makes no guarantee that those measures will always succeed, and accepts that breaches could occur.

Added May 9, 2026 Standard Seen across 252 platforms