Your organization is responsible for all activity under your Duo account, including how your administrators and end users use the service, and must notify Duo promptly of any unauthorized use of a password or account and of any other known or suspected security breach, not only confirmed ones.
This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This clause places the operational and legal burden of managing all end-user activity squarely on the customer organization, meaning that misuse by an employee or misconfiguration by an admin is the customer's responsibility, not Duo's.
If an administrator misconfigures Duo's authentication policies or an employee misuses their account access, your organization bears the responsibility and liability for those outcomes, not Duo.
How other platforms handle this
This policy applies to you and anyone using the Services on your behalf, including your end users. You are responsible for ensuring that your use of the Services, and the use of the Services by others on your behalf, complies with this Policy.
You are solely responsible for ensuring the accuracy and completeness of all information you provide to Gusto in connection with the Services, including employee information, compensation data, and any other data necessary for Gusto to perform payroll processing and tax filing services on your behal...
You are solely responsible for your use of the Service and for all Inputs you make available to Pika, whether by uploading them through the Service or otherwise making them accessible to others. You are also solely responsible for any Outputs generated via the Service. You assume all risk associated...
Duo Security has changed this document before.
"Customer is responsible for all activity occurring under Customer's accounts and shall abide by all applicable local, state, national and foreign laws, treaties and regulations in connection with Customer's use of the Services. Customer shall: (i) notify Duo promptly of any unauthorized use of any password or account or any other known or suspected breach of security; (ii) report to Duo promptly and use reasonable efforts to stop immediately any copying or distribution of Content that is known or suspected by Customer or Customer's Users to be unauthorized."
Excerpt from Duo Security's Duo Terms of Service
(1) REGULATORY LANDSCAPE: Customer responsibility clauses are standard in enterprise SaaS and generally consistent with how regulators assign data controller or business operator obligations. Under GDPR, the customer organization is typically the data controller for employee authentication data, making this allocation of responsibility legally coherent. HIPAA similarly places primary compliance obligations on covered entities rather than technology vendors.
(2) GOVERNANCE EXPOSURE: Medium. The breadth of "all activity occurring under Customer's accounts" could encompass actions taken with compromised administrator credentials, which creates a risk that customers bear liability for incidents that originate from vulnerabilities in Duo's own platform. The interaction between this clause and the warranty disclaimer should be flagged in vendor assessments, and Duo administrator accounts should be treated as high-value credentials in the customer's own access controls.
(3) JURISDICTION FLAGS: EU/EEA data controllers should ensure their internal policies and data processing agreements align with this allocation of responsibility, as GDPR Article 5 places accountability obligations on the controller.
(4) CONTRACT AND VENDOR IMPLICATIONS: Organizations should ensure their acceptable use policies, administrator training programs, and incident response procedures address the obligations this clause creates. Indemnification provisions should be reviewed to determine whether this customer responsibility allocation extends to third-party claims.
(5) COMPLIANCE CONSIDERATIONS: Incident response plans should include the Duo notification obligation. Note that the clause's trigger is "known or suspected" breach of security, and it expressly includes unauthorized use of any password or account, so the threshold is lower than a confirmed breach. Compliance teams should decide which internal incident classifications trigger notification to Duo, and at what point in the investigation.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.