Controller vs. Processor Distinction for Enterprise Users

High severity Unique · 0 of 343 platforms

This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This allocation of data controller responsibility clarifies the operational relationship and regulatory obligations between Cisco, the enterprise customer, and end users under data protection frameworks. It establishes that privacy rights requests and data governance determinations flow through the enterprise customer as the primary data controller rather than through Cisco.

Consumer impact (what this means for users)

End users of Duo services deployed by enterprises must direct privacy requests to their employer or organization (the Duo customer) rather than to Cisco directly. The terms structure Cisco's liability and obligations around the enterprise customer's data controller status rather than direct relationships with individual users.

How other platforms handle this

Anthropic Medium

This Privacy Policy does not apply where Anthropic acts as a data processor and processes personal data on behalf of commercial customers using Anthropic's Commercial Services – for example, your employer has provisioned you a Claude for Work account, or you're using an app that is powered on the ba...

DocuSign Medium

When our business customers use certain Services, we generally process and store limited personal information on their behalf as a data processor. For certain products such as Docusign's Contract Lifecycle Management (CLM) and Identity products, we may act as a processor and as a controller in certa...

Mixpanel Medium

Mixpanel acts as a data processor on behalf of its customers (the controllers) when processing end user data through the Mixpanel analytics platform, and as a data controller with respect to data it collects about its own website visitors and account holders.


Monitoring

Duo Security has changed this document before.

Original Clause Language

"When Cisco acts as a data processor on behalf of our customers (e.g., when a business uses Duo to authenticate their employees), the customer is the data controller and is responsible for determining how and why personal data is processed. In these cases, individuals should contact the business (our customer) directly to exercise their privacy rights."

— Excerpt from Duo Security's Duo Privacy

Applicable regulations

CCPA/CPRA: California, USA
Colorado AI Act: US-CO
CAN-SPAM: United States Federal
ePrivacy Directive: European Union
FTC Act Section 5: United States Federal
GDPR: European Union

Provision details

Document information
Document: Duo Privacy
Entity: Duo Security
Document last updated: May 5, 2026

Tracking information
First tracked: May 7, 2026
Last verified: May 9, 2026
Record ID: CA-P-004673
Document ID: CA-D-00696

Evidence Provenance
Content hash (SHA-256): 76697f41b9802295d06a87d1528973ffe114cdf77c5e038c903ecb798ac000bc
Analysis generated: May 7, 2026 07:36 UTC
Evidence: ✓ Snapshot stored   ✓ Hash verified

Citation Record
Entity: Duo Security
Document: Duo Privacy
Record ID: CA-P-004673
Captured: 2026-05-07 07:36:01 UTC
SHA-256: 76697f41b9802295…
URL: https://conductatlas.com/platform/duo-security/duo-privacy/controller-vs-processor-distinction-for-enterprise-users/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity: High

Frequently Asked Questions

Is ConductAtlas affiliated with Duo Security?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.