Cisco keeps your personal data for as long as it considers necessary for its business purposes or as required by law, but does not specify fixed retention periods for most data categories.
This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The absence of defined retention periods for specific data types like authentication logs means Cisco may retain this data for an extended and indeterminate period, which is relevant to privacy rights and data minimization requirements.
Interpretive note: Enterprise DPAs may specify more precise retention periods that are not reflected in this public statement, creating potential gaps between the public-facing disclosure and actual contractual commitments.
Cisco does not commit to specific maximum retention periods for authentication logs or other personal data in this public statement, meaning your data may be retained for an indefinite period based on Cisco's internal business judgment.
How other platforms handle this
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
We may retain de-identified or aggregated information that can no longer be used to identify you for any period of time, including indefinitely.
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required by applicable law.
Monitoring
Duo Security has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Statement, unless a longer retention period is required or permitted by law. The criteria we use to determine retention periods include: the length of time we have an ongoing relationship with you, whether there is a legal obligation to which we are subject, and whether retention is advisable in light of our legal position.— Excerpt from Duo Security's Duo Privacy
REGULATORY LANDSCAPE: GDPR Article 5(1)(e) requires that personal data be kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which the data is processed. The absence of defined retention periods in a public privacy statement may create tension with GDPR transparency requirements, though retention periods may be specified in enterprise DPAs. CCPA does not prescribe specific retention periods but requires disclosure of the period for which personal information will be retained, or the criteria used to determine that period. GOVERNANCE EXPOSURE: Medium. The criteria-based rather than period-specific retention approach is common in enterprise software privacy statements but creates practical difficulty for organizations trying to verify compliance with data minimization obligations. For authentication logs specifically, retention beyond operational necessity creates risk in the event of a data breach or regulatory investigation. JURISDICTION FLAGS: EEA organizations should request specific retention schedules from Cisco for authentication log data as part of their GDPR compliance documentation. California residents may request disclosure of retention periods under CPRA. Some national laws in EU member states, including Germany and France, impose stricter retention limits for employee monitoring data. CONTRACT AND VENDOR IMPLICATIONS: Enterprise DPAs should specify retention periods for each category of data processed by Cisco on behalf of the customer, including authentication logs, device data, and administrative logs. Procurement teams should request Cisco's standard data retention schedule and verify alignment with organizational retention policies. COMPLIANCE CONSIDERATIONS: Legal teams should confirm that Cisco's DPA includes binding retention commitments and deletion obligations upon contract termination. Organizations should document their reliance on Cisco's retention criteria in their own records of processing activities. If specific regulatory requirements impose maximum retention periods for authentication data (such as in regulated financial services or healthcare contexts), these should be explicitly addressed in the DPA.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The absence of defined retention periods for specific data types like authentication logs means Cisco may retain this data for an extended and indeterminate period, which is relevant to privacy rights and data minimization requirements.
Cisco does not commit to specific maximum retention periods for authentication logs or other personal data in this public statement, meaning your data may be retained for an indefinite period based on Cisco's internal business judgment.
ConductAtlas has identified this type of provision across 115 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.