What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: The agreement engages GDPR (particularly Article 28 processor obligations), CCPA (as Duo processes personal data on behalf of business customers), and potentially HIPAA where customers operate in healthcare. The FTC Act's prohibition on unfair or deceptive practices is also relevant to service availability representations. Customers should not assume the base service terms satisfy GDPR processor agreement requirements without a separate Data Processing Addendum. (2) GO…

How does Duo Security's Duo Terms of Service affect users?

This agreement primarily affects business customers and IT administrators who deploy Duo's authentication services for their organizations, placing responsibility for user management, configuration, and authorized use on the customer rather than Duo. The liability cap limits financial recourse if the service fails, which is material for organizations depending on Duo for access control to sensitive or regulated systems. You can request a Data Processing Addendum from Duo if your organization op…

How often is Duo Security's Duo Terms of Service updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Duo Security updates this document?

Yes. Watcher subscribers ($9.99/month) can add Duo Security to their watchlist and receive same-day email alerts whenever this document or any other Duo Security document changes.

CA-D-000695

Duo Terms of Service

Duo Security

Last change detected May 5, 2026 Terms of service

SHA-256: 5f8a6adfabd4b78bc5f… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Duo Security ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

1 High severity

4 Medium severity

3 Low severity

Summary

This is the legal agreement between you (or your organization) and Duo Security governing your use of Duo's multi-factor authentication and identity security services. The most important thing to know is that the agreement caps Duo's financial liability for service failures at the amount you paid in the prior twelve months, which could be significant if your organization relies on Duo to protect access to critical systems and experiences a major outage or breach. If you are an administrator deploying Duo for your organization, review whether a separate Data Processing Addendum is needed to meet your privacy compliance obligations.

Technical / Legal Breakdown

This document governs the contractual relationship between Duo Security (a Cisco company) and customers who purchase or use Duo's identity security and multi-factor authentication services, establishing rights and obligations under a click-through or order-form agreement. The terms authorize Duo to collect and process authentication logs, device telemetry, and usage data generated by end users of the service, and the agreement states that customers (as administrators) bear primary responsibility for configuring the service, managing end-user accounts, and ensuring authorized use. The liability limitation provisions cap Duo's aggregate liability at fees paid in the prior twelve months, and the agreement disclaims all implied warranties, which are standard enterprise SaaS constructs though materially significant for businesses relying on Duo for access control to sensitive systems. The document engages GDPR, CCPA, and potentially HIPAA given Duo's healthcare vertical positioning, and customers in regulated industries should evaluate whether the data processing terms and subprocessor arrangements satisfy their sector-specific compliance obligations. Organizations in the EU/EEA should specifically assess whether applicable Data Processing Addenda are in place, as the base terms alone may not satisfy GDPR Article 28 processor agreement requirements.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

High — 1 provision

Limitation of Liability Compare →

Duo limits the total amount it can be held responsible for to the fees you paid in the last twelve months, and excludes liability for lost profits, business interruption, or indirect damages even if Duo knew those losses were possible.

Added May 7, 2026 Standard Seen across 228 platforms

Medium — 4 provisions

Disclaimer of Warranties Compare →

Duo makes no guarantees that the service will work without errors, be continuously available, or be completely secure, and disclaims all implied warranties about the quality or fitness of the service.

Added May 9, 2026 Standard Seen across 228 platforms
Customer Responsibility for End-User Management

Your organization is responsible for everything that happens under your Duo account, including how your administrators and end users use the service, and must notify Duo promptly if you discover a security breach.

Added May 9, 2026 Rare
Data Processing and Privacy Obligations Compare →

Duo's data processing obligations for personal data are governed by a separate Data Processing Agreement (DPA) that is incorporated by reference into these terms, which means customers need to locate and review that separate document to understand their full privacy rights and Duo's data handling obligations.

Added May 9, 2026 Standard Seen across 189 platforms
Termination for Cause Compare →

Either party can terminate the agreement immediately if the other party commits a serious breach and does not fix it within 30 days of being notified, or if either party enters bankruptcy or insolvency proceedings.

Added May 9, 2026 Standard Seen across 210 platforms

Low — 3 provisions

Intellectual Property and License Grant Compare →

Duo grants you a limited right to use the service for your own internal business purposes only during the subscription period, and all ownership of the software and service remains with Duo.

Added May 9, 2026 Standard Seen across 198 platforms
Acceptable Use Restrictions Compare →

You and your users are prohibited from reselling, reverse engineering, or misusing the service in ways that harm Duo's platform or other users, including sending spam, transmitting malware, or attempting unauthorized access.

Added May 7, 2026 Standard Seen across 179 platforms
Governing Law and Dispute Resolution Compare →

Any legal disputes about this agreement will be handled under California law and must be brought in courts in Santa Clara County, California.

Added May 7, 2026 Standard Seen across 189 platforms