Your organization is responsible for everything that happens under your Duo account, including how your administrators and end users use the service, and must notify Duo promptly if you discover a security breach.
This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This clause places the operational and legal burden of managing all end-user activity squarely on the customer organization, meaning that misuse by an employee or misconfiguration by an admin is the customer's responsibility, not Duo's.
If an administrator misconfigures Duo's authentication policies or an employee misuses their account access, your organization bears the responsibility and liability for those outcomes, not Duo.
"Customer is responsible for all activity occurring under Customer's accounts and shall abide by all applicable local, state, national and foreign laws, treaties and regulations in connection with Customer's use of the Services. Customer shall: (i) notify Duo promptly of any unauthorized use of any password or account or any other known or suspected breach of security; (ii) report to Duo promptly and use reasonable efforts to stop immediately any copying or distribution of Content that is known or suspected by Customer or Customer's Users to be unauthorized."
Excerpt from Duo Security's Duo Terms of Service
(1) REGULATORY LANDSCAPE: Customer responsibility clauses are standard in enterprise SaaS and generally consistent with how regulators assign data controller or business operator obligations. Under GDPR, the customer organization is typically the data controller for employee authentication data, making this allocation of responsibility legally coherent. HIPAA similarly places primary compliance obligations on covered entities rather than technology vendors.
(2) GOVERNANCE EXPOSURE: Medium. The breadth of "all activity occurring under Customer's accounts" could encompass unauthorized actions by compromised administrator credentials, which creates a risk that customers bear liability for incidents that originate from Duo's own platform vulnerabilities. The interaction between this clause and the warranty disclaimer should be flagged in vendor assessments.
(3) JURISDICTION FLAGS: EU/EEA data controllers should ensure their internal policies and data processing agreements align with this allocation of responsibility, as GDPR Article 5 places accountability obligations on the controller.
(4) CONTRACT AND VENDOR IMPLICATIONS: Organizations should ensure their acceptable use policies, administrator training programs, and incident response procedures address the obligations this clause creates. Indemnification provisions should be reviewed to determine whether this customer responsibility allocation extends to third-party claims.
(5) COMPLIANCE CONSIDERATIONS: Incident response plans should include the Duo notification obligation for security breaches. Compliance teams should assess whether internal breach notification procedures trigger the requirement to notify Duo, and at what threshold.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.