This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The provision establishes operational criteria for data lifecycle management rather than fixed retention periods. This approach permits extended retention based on institutional assessment of necessity and risk factors, rather than automatic deletion at specified intervals.
Personal data is retained according to Cisco's assessment of necessity for stated purposes and legal compliance, with retention duration varying based on data characteristics and processing context. Users do not receive automatic data deletion at defined time periods; instead, retention continues based on Cisco's ongoing determination of necessity.
How other platforms handle this
We retain personal data for as long as needed to provide our services, comply with our legal obligations, resolve disputes, and enforce our policies. Retention periods will vary depending on the type of data and the purposes for which we use it.
Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for differen...
We keep information as long as we need it to provide our products and services and fulfil the purposes described in this policy. This is a case-by-case determination that depends on things like the nature of the information, why it is collected and processed, relevant legal or operational retention ...
Monitoring
Duo Security has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Cisco retains personal data for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, and whether we can achieve those purposes through other means.— Excerpt from Duo Security's Duo Privacy
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The provision establishes operational criteria for data lifecycle management rather than fixed retention periods. This approach permits extended retention based on institutional assessment of necessity and risk factors, rather than automatic deletion at specified intervals.
Personal data is retained according to Cisco's assessment of necessity for stated purposes and legal compliance, with retention duration varying based on data characteristics and processing context. Users do not receive automatic data deletion at defined time periods; instead, retention continues based on Cisco's ongoing determination of necessity.
ConductAtlas has identified this type of provision across 66 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.