If you are in the EU, UK, or Switzerland, your personal data may be transferred to the United States or other countries, and Cisco relies on Standard Contractual Clauses as the legal mechanism to protect that data during the transfer.
This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Cross-border transfers of authentication data to the US are subject to EU privacy rules, and Standard Contractual Clauses are the primary safeguard Cisco uses, but the adequacy of those safeguards depends on implementation and cannot be assumed without verification.
Interpretive note: The policy does not specify whether Cisco is certified under the EU-US Data Privacy Framework, and it is unclear whether the referenced SCCs are the updated 2021 European Commission versions applicable to all processing scenarios.
EU, UK, and Swiss users' authentication logs and personal data may be transferred to the US, where different legal standards apply, relying on Standard Contractual Clauses as the primary legal protection.
How other platforms handle this
OpenAI is based in the United States and the information we collect is governed by U.S. law. If you are accessing our services from outside of the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities in the United States and by tho...
When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to countries that have not been found to provide an adequate level of protection under applicable law, we take steps to provide appropriate safeguards, including through the use of Standard Contract...
We may transfer your personal information to countries other than the country in which you live. We transfer personal data from the European Economic Area, United Kingdom, and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level ...
Monitoring
Duo Security has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Cisco operates globally and may transfer your personal data to Cisco affiliates and third parties in countries outside your country of residence, including the United States. When we transfer personal data from the EEA, the UK, or Switzerland to countries that have not received an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.— Excerpt from Duo Security's Duo Privacy
REGULATORY LANDSCAPE: GDPR Chapter V governs international transfers of personal data from the EEA, requiring either an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or another approved mechanism. The EU-US Data Privacy Framework provides an adequacy mechanism for certified US entities. UK GDPR and the UK International Data Transfer Agreement apply to transfers from the UK. Swiss data protection law applies to transfers from Switzerland. GOVERNANCE EXPOSURE: Medium. Cisco's stated reliance on Standard Contractual Clauses is a recognized and widely used transfer mechanism, but enterprise customers have an obligation under GDPR to conduct Transfer Impact Assessments in certain circumstances, particularly for transfers to the US given potential government access to data. Failure to conduct these assessments creates compliance exposure for enterprise customers even where Cisco's SCCs are technically in place. JURISDICTION FLAGS: EEA, UK, and Swiss organizations deploying Duo should confirm whether Cisco is certified under the EU-US Data Privacy Framework and whether SCCs or the UK IDTA are in place in their specific contract. Organizations in countries with data localization requirements such as China, Russia, or India face heightened exposure when using cloud authentication services. CONTRACT AND VENDOR IMPLICATIONS: Enterprise DPAs should explicitly reference the transfer mechanism, list the applicable SCCs version, and address sub-processor transfer chains. Procurement teams should request Cisco's Transfer Impact Assessment documentation or equivalent for US-bound transfers. COMPLIANCE CONSIDERATIONS: EEA-based organizations using Duo should document their reliance on Cisco's SCCs in their records of processing activities under GDPR Article 30. Legal teams should verify whether the applicable DPA incorporates updated SCCs following the 2021 European Commission modernization. UK-based organizations should confirm whether the UK IDTA or UK Addendum to EU SCCs has been executed.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Cross-border transfers of authentication data to the US are subject to EU privacy rules, and Standard Contractual Clauses are the primary safeguard Cisco uses, but the adequacy of those safeguards depends on implementation and cannot be assumed without verification.
EU, UK, and Swiss users' authentication logs and personal data may be transferred to the US, where different legal standards apply, relying on Standard Contractual Clauses as the primary legal protection.
ConductAtlas has identified this type of provision across 78 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.