Cisco collects a wide range of personal information about you, including your name, contact details, device identifiers, IP address, and detailed logs of every time you authenticate through Duo, including what device you used and what application you accessed.
This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Authentication logs are sensitive because they reveal patterns of behavior, work hours, device usage, and application access, and this data is collected automatically every time you log in using Duo.
Interpretive note: The exact retention period for authentication log data is not specified in the public privacy statement and may depend on the applicable DPA for enterprise deployments.
Every Duo authentication event you complete generates a log entry containing your device type, operating system, IP address, and the application you accessed, and this data is held by Cisco under the terms of this policy.
Monitoring
Duo Security has changed this document before.
"We collect personal data about you in the following circumstances: (a) you directly provide it to us, (b) we collect it automatically when you use our websites or products, (c) we obtain it from third parties, or (d) we create it ourselves. The types of personal data we collect include: identifiers (such as name, email address, phone number, postal address, IP address, device identifiers); authentication and usage data (such as login events, authentication method, device type, operating system, and application accessed); geolocation data; and professional information."
— Excerpt from Duo Security's Duo Privacy
REGULATORY LANDSCAPE: The breadth of data collected, particularly authentication event logs and device identifiers, engages GDPR Article 5 data minimization and purpose limitation principles for EEA users. The FTC Act is relevant to the adequacy and accuracy of disclosures to US consumers about automatic data collection. CCPA/CPRA requires that California residents be informed of the categories of personal information collected at or before the point of collection.
GOVERNANCE EXPOSURE: Medium. The collection of authentication logs including device identifiers and application access patterns is operationally expected for an MFA provider but may raise employee privacy concerns in jurisdictions with strong workplace privacy laws such as Germany, France, and the Netherlands. Organizations deploying Duo for employee authentication should assess whether this collection is disclosed in their own employee privacy notices.
JURISDICTION FLAGS: EU and EEA users have rights under GDPR to receive specific information about automated data collection at the time of collection. German Works Council co-determination rights may apply to the deployment of Duo for employee monitoring purposes. California residents have CPRA rights to know the specific categories of personal information collected.
CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should verify that their Data Processing Agreement with Cisco accurately reflects the full scope of authentication log collection described in this provision. Procurement teams should confirm that data retention periods for authentication logs are defined in the DPA and align with organizational retention policies.
COMPLIANCE CONSIDERATIONS: Organizations should update internal employee privacy notices to reflect that Duo authentication generates event logs processed by Cisco. Data mapping exercises should include authentication log data flows. Legal teams should confirm whether authentication logs containing IP addresses and device identifiers constitute personal data under applicable law in all deployment jurisdictions.
ConductAtlas has identified this type of provision across 10 platforms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.