Cisco can share your personal data with its global family of companies, its business partners and resellers, and third-party service providers, as well as with any company that acquires Cisco or Duo in a future transaction.
This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Your authentication and account data could be transferred to a new company entirely if Cisco or Duo is acquired, and it is routinely shared with resellers and partners who may have their own privacy practices.
Interpretive note: The policy does not enumerate specific sub-processors or resellers by name, making it difficult to assess the full scope of third-party data sharing in practice.
If Cisco is acquired or merges with another company, your authentication logs, device data, and personal identifiers may be transferred to the acquiring entity, potentially under different privacy terms.
How other platforms handle this
We share your personal data with your consent or as necessary to complete any transaction or provide any product you have requested or authorized. We also share data with Microsoft-controlled affiliates and subsidiaries; with vendors or agents working on our behalf for the purposes described in this...
When you ask us to open an Account, we or someone acting for us will ask for information about you and where the money you will put in your Account comes from. We do this for a number of reasons, including to check your credit score and identity, and to meet our legal and regulatory requirements. Ou...
We may share your personal information with third parties, including service providers, financial institutions, regulatory authorities, and fraud prevention agencies, where necessary to provide our services, comply with legal obligations, or protect against fraud and financial crime.
Monitoring
Duo Security has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may share your personal data with: Cisco affiliates and subsidiaries; business partners, resellers, and distributors who help us deliver our products and services; service providers acting on our behalf; and other parties with your consent or as required by law. We may also share or transfer your personal data in connection with a merger, acquisition, reorganization, sale of assets, or bankruptcy.— Excerpt from Duo Security's Duo Privacy
REGULATORY LANDSCAPE: GDPR Articles 13 and 14 require that data subjects be informed of the identity of recipients or categories of recipients at the time personal data is collected. Sharing data with resellers and distribution partners creates downstream controller or processor questions that may require separate legal basis analysis under GDPR. CCPA requires disclosure of categories of third parties with whom personal information is shared. GOVERNANCE EXPOSURE: Medium. The corporate transaction transfer provision is standard boilerplate but creates operational exposure in the event of an actual acquisition, as successor entities may not be bound by the same privacy commitments without explicit contractual carry-through. The breadth of sharing with resellers and distributors may require organizations to assess whether their Duo deployment involves a Cisco reseller who receives their data. JURISDICTION FLAGS: EU and UK users are entitled under GDPR to know the specific legal basis for each data sharing relationship. Transfer to non-EEA countries via affiliates or service providers requires an approved transfer mechanism such as Standard Contractual Clauses. California residents have the right to know the specific categories of third parties who receive their data. CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should confirm in their DPA whether Cisco's resellers and distribution partners are classified as sub-processors and whether those sub-processors are listed or notified. The corporate transaction clause should be reviewed against data portability and notification obligations in the enterprise contract. COMPLIANCE CONSIDERATIONS: Legal teams should map all third-party sharing relationships disclosed in this provision against their own data processing records. Notifications to data subjects or regulators may be required in certain jurisdictions if a corporate transaction materially changes the data controller's identity.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Your authentication and account data could be transferred to a new company entirely if Cisco or Duo is acquired, and it is routinely shared with resellers and partners who may have their own privacy practices.
If Cisco is acquired or merges with another company, your authentication logs, device data, and personal identifiers may be transferred to the acquiring entity, potentially under different privacy terms.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.