Duo's data processing obligations for personal data are governed by a separate Data Processing Agreement (DPA) that is incorporated by reference into these terms, which means customers need to locate and review that separate document to understand their full privacy rights and Duo's data handling obligations.
This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Incorporating data protection obligations by reference to a separate DPA means customers must actively identify and review an additional document to understand how their users' authentication data is processed, stored, and protected, which is critical for GDPR and CCPA compliance.
Interpretive note: The adequacy of privacy protections depends on the content of the separately referenced DPA and Privacy Data Sheet, which are not included in this document.
Your organization's rights and protections regarding how Duo handles personal data collected during authentication (such as device identifiers, login timestamps, and IP addresses) are defined in a separate Data Processing Agreement, not in these base terms alone.
How other platforms handle this
Cloudflare's current Privacy Policy is incorporated into this Agreement by this reference and is located at https://www.cloudflare.com/privacypolicy/. In addition, by using the Services, you acknowledge and agree that internet transmissions are never completely private or secure.
If you access or use any of Oura's location-based services, such as by enabling GPS-based activity tracking through our Services, Oura may process the approximate or precise location of your device while the service is active. This data may be obtained via your device's service provider network ID, ...
AWS processes Customer Content you submit to Amazon Bedrock in accordance with the AWS Customer Agreement and applicable data protection terms. AWS does not use Customer Content processed by Amazon Bedrock to train Amazon's foundation models without your consent.
Monitoring
Duo Security has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"To the extent that Duo processes any Personal Data (as defined in the Duo Privacy Data Sheet) on behalf of Customer in connection with Customer's use of the Services, the terms of the Duo Data Processing Agreement ('DPA'), which are hereby incorporated by reference into this Agreement, shall apply and the parties agree to comply with such terms.— Excerpt from Duo Security's Duo Terms of Service
(1) REGULATORY LANDSCAPE: The incorporation-by-reference of a DPA is standard for GDPR-compliant SaaS vendors and satisfies the Article 28 requirement for a written processor agreement, provided the DPA itself contains all required elements. CCPA similarly requires contractual restrictions on service providers. HIPAA Business Associate Agreement requirements should be assessed separately if the customer is a covered entity or business associate. (2) GOVERNANCE EXPOSURE: Medium. The adequacy of data processing protections depends entirely on the content of the referenced DPA, which must be separately reviewed. If the DPA is amended by Duo without adequate notice, the customer's GDPR Article 28 compliance could be affected. (3) JURISDICTION FLAGS: EU/EEA customers should confirm that the DPA includes Standard Contractual Clauses or another approved transfer mechanism if authentication data is processed outside the EEA. California customers should verify that the DPA includes CCPA service provider restrictions. Healthcare customers should confirm whether a separate HIPAA Business Associate Agreement is required. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should obtain and review the current version of the Duo DPA and Privacy Data Sheet before contract execution. Any changes to subprocessors should trigger a review of the DPA's subprocessor notification and objection procedures. (5) COMPLIANCE CONSIDERATIONS: Data mapping exercises should document all personal data categories processed by Duo on the customer's behalf, including authentication metadata, device trust signals, and login event logs. The DPA version in effect at contract execution should be archived for audit purposes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Incorporating data protection obligations by reference to a separate DPA means customers must actively identify and review an additional document to understand how their users' authentication data is processed, stored, and protected, which is critical for GDPR and CCPA compliance.
Your organization's rights and protections regarding how Duo handles personal data collected during authentication (such as device identifiers, login timestamps, and IP addresses) are defined in a separate Data Processing Agreement, not in these base terms alone.
ConductAtlas has identified this type of provision across 6 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.