If you are in the EU, UK, or Switzerland, your personal data may be transferred to the United States or other countries, and Cisco relies on Standard Contractual Clauses as the legal mechanism to protect that data during the transfer.
This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Cross-border transfers of authentication data to the US are subject to EU privacy rules, and Standard Contractual Clauses are the primary safeguard Cisco uses, but the adequacy of those safeguards depends on implementation and cannot be assumed without verification.
Interpretive note: The policy does not specify whether Cisco is certified under the EU-US Data Privacy Framework, and it is unclear whether the referenced SCCs are the updated 2021 European Commission versions applicable to all processing scenarios.
EU, UK, and Swiss users' authentication logs and personal data may be transferred to the US, where different legal standards apply, relying on Standard Contractual Clauses as the primary legal protection.
How other platforms handle this
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Your personal information may be transferred to, stored, and processed in the United States or other countries where our service providers and partners operate. By using our Services, you acknowledge that your personal information may be transferred to countries outside your country of residence, in...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Duo Security has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Cisco operates globally and may transfer your personal data to Cisco affiliates and third parties in countries outside your country of residence, including the United States. When we transfer personal data from the EEA, the UK, or Switzerland to countries that have not received an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.— Excerpt from Duo Security's Duo Privacy
REGULATORY LANDSCAPE: GDPR Chapter V governs international transfers of personal data from the EEA, requiring either an adequacy decision, Standard Contractual Clauses, Binding Corporate Rules, or another approved mechanism. The EU-US Data Privacy Framework provides an adequacy mechanism for certified US entities. UK GDPR and the UK International Data Transfer Agreement apply to transfers from the UK. Swiss data protection law applies to transfers from Switzerland. GOVERNANCE EXPOSURE: Medium. Cisco's stated reliance on Standard Contractual Clauses is a recognized and widely used transfer mechanism, but enterprise customers have an obligation under GDPR to conduct Transfer Impact Assessments in certain circumstances, particularly for transfers to the US given potential government access to data. Failure to conduct these assessments creates compliance exposure for enterprise customers even where Cisco's SCCs are technically in place. JURISDICTION FLAGS: EEA, UK, and Swiss organizations deploying Duo should confirm whether Cisco is certified under the EU-US Data Privacy Framework and whether SCCs or the UK IDTA are in place in their specific contract. Organizations in countries with data localization requirements such as China, Russia, or India face heightened exposure when using cloud authentication services. CONTRACT AND VENDOR IMPLICATIONS: Enterprise DPAs should explicitly reference the transfer mechanism, list the applicable SCCs version, and address sub-processor transfer chains. Procurement teams should request Cisco's Transfer Impact Assessment documentation or equivalent for US-bound transfers. COMPLIANCE CONSIDERATIONS: EEA-based organizations using Duo should document their reliance on Cisco's SCCs in their records of processing activities under GDPR Article 30. Legal teams should verify whether the applicable DPA incorporates updated SCCs following the 2021 European Commission modernization. UK-based organizations should confirm whether the UK IDTA or UK Addendum to EU SCCs has been executed.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Cross-border transfers of authentication data to the US are subject to EU privacy rules, and Standard Contractual Clauses are the primary safeguard Cisco uses, but the adequacy of those safeguards depends on implementation and cannot be assumed without verification.
EU, UK, and Swiss users' authentication logs and personal data may be transferred to the US, where different legal standards apply, relying on Standard Contractual Clauses as the primary legal protection.
ConductAtlas has identified this type of provision across 84 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.