What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: The agreement engages GDPR (particularly Article 28 processor obligations), CCPA (as Duo processes personal data on behalf of business customers), and potentially HIPAA where customers operate in healthcare. The FTC Act's prohibition on unfair or deceptive practices is also relevant to service availability representations. Customers should not assume the base service terms satisfy GDPR processor agreement requirements without a separate Data Processing Addendum. (2) GO…

How does Duo Security's Duo Terms of Service affect users?

The agreement places responsibility for user management, configuration, access authorization, and compliance with applicable laws on the customer organization rather than Duo. Customers receive financial recourse for service failures limited to twelve months of fees paid, which establishes the maximum amount recoverable regardless of actual losses incurred. Organizations subject to data protection regulations must separately negotiate a Data Processing Addendum with Duo to satisfy processor agr…

How often is Duo Security's Duo Terms of Service updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Duo Security updates this document?

Yes. Monitor subscribers ($19/month) can add Duo Security to their watchlist and receive same-day email alerts whenever this document or any other Duo Security document changes.

CA-D-000695

Duo Terms of Service

Duo Security

Last change detected May 5, 2026 Terms of service

SHA-256: 5f8a6adfabd4b78bc5f… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Duo Security ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

1 High severity

4 Medium severity

3 Low severity

Summary

This agreement governs the terms under which organizations and administrators access and deploy Duo Security's multi-factor authentication and identity security services. The agreement establishes that Duo's liability for service failures, outages, or breaches is capped at the fees paid by the customer in the prior twelve months. Organizations requiring compliance with data protection regulations such as GDPR or HIPAA must request a separate Data Processing Addendum to establish Duo's obligations as a data processor.

Technical / Legal Breakdown

This document governs the contractual relationship between Duo Security (a Cisco company) and customers who purchase or use Duo's identity security and multi-factor authentication services, establishing rights and obligations under a click-through or order-form agreement. The terms authorize Duo to collect and process authentication logs, device telemetry, and usage data generated by end users of the service, and the agreement states that customers (as administrators) bear primary responsibility for configuring the service, managing end-user accounts, and ensuring authorized use. The liability limitation provisions cap Duo's aggregate liability at fees paid in the prior twelve months, and the agreement disclaims all implied warranties, which are standard enterprise SaaS constructs though materially significant for businesses relying on Duo for access control to sensitive systems. The document engages GDPR, CCPA, and potentially HIPAA given Duo's healthcare vertical positioning, and customers in regulated industries should evaluate whether the data processing terms and subprocessor arrangements satisfy their sector-specific compliance obligations. Organizations in the EU/EEA should specifically assess whether applicable Data Processing Addenda are in place, as the base terms alone may not satisfy GDPR Article 28 processor agreement requirements.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

High — 1 provision

Limitation of Liability Compare →

Duo limits the total amount it can be held responsible for to the fees you paid in the last twelve months, and excludes liability for lost profits, business interruption, or indirect damages even if Duo knew those losses were possible.

Added May 7, 2026 Standard Seen across 252 platforms

Medium — 4 provisions

Disclaimer of Warranties Compare →

Duo makes no guarantees that the service will work without errors, be continuously available, or be completely secure, and disclaims all implied warranties about the quality or fitness of the service.

Added May 9, 2026 Standard Seen across 252 platforms
Customer Responsibility for End-User Management Compare →

Your organization is responsible for everything that happens under your Duo account, including how your administrators and end users use the service, and must notify Duo promptly if you discover a security breach.

Added May 9, 2026 Standard Seen across 252 platforms
Data Processing and Privacy Obligations Compare →

Duo's data processing obligations for personal data are governed by a separate Data Processing Agreement (DPA) that is incorporated by reference into these terms, which means customers need to locate and review that separate document to understand their full privacy rights and Duo's data handling obligations.

Added May 9, 2026 Standard Seen across 284 platforms
Termination for Cause Compare →

Either party can terminate the agreement immediately if the other party commits a serious breach and does not fix it within 30 days of being notified, or if either party enters bankruptcy or insolvency proceedings.

Added May 9, 2026 Standard Seen across 199 platforms

Low — 3 provisions

Intellectual Property and License Grant Compare →

Duo grants you a limited right to use the service for your own internal business purposes only during the subscription period, and all ownership of the software and service remains with Duo.

Added May 9, 2026 Standard Seen across 242 platforms
Acceptable Use Restrictions Compare →

You and your users are prohibited from reselling, reverse engineering, or misusing the service in ways that harm Duo's platform or other users, including sending spam, transmitting malware, or attempting unauthorized access.

Added May 7, 2026 Standard Seen across 179 platforms
Governing Law and Dispute Resolution Compare →

Any legal disputes about this agreement will be handled under California law and must be brought in courts in Santa Clara County, California.

Added May 7, 2026 Standard Seen across 217 platforms