Duo limits the total amount it can be held responsible for to the fees you paid in the last twelve months, and excludes liability for lost profits, business interruption, or indirect damages even if Duo knew those losses were possible.
This analysis describes what Duo Security's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
For organizations relying on Duo for access control to critical systems, the financial recourse available if the service fails is capped at one year of subscription fees, which may be far less than the actual business impact of an authentication outage or security failure.
Interpretive note: Enforceability of the cap in cases of gross negligence or willful misconduct may vary by jurisdiction and applicable law.
This clause means that if Duo's service fails and your organization suffers a significant security incident or operational disruption, the maximum financial compensation you could recover from Duo under these terms is limited to what you paid in the prior year, with no recovery for lost profits or business interruption losses.
How other platforms handle this
TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER WHATNOT NOR ITS SERVICE PROVIDERS INVOLVED IN CREATING, PRODUCING, OR DELIVERING THE SERVICES WILL BE LIABLE FOR ANY INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOST PROFITS, LOST REVENUES, LOST SAVINGS, LOST BUSINESS OPPORT...
In no event will either party's aggregate liability arising out of or related to this Agreement exceed the total fees paid or payable by Customer in the twelve (12) months preceding the claim. In no event will either party be liable for any indirect, incidental, special, consequential, or punitive d...
Except as stated in Section L.3.b, the liability of each party, and its affiliates and licensors, for any damages arising out of or related to these Terms (i) excludes damages that are consequential, incidental, special, indirect, or exemplary damages, including lost profits, business, contracts, re...
Monitoring
Duo Security has changed this document before.
"IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY LOSS OF PROFITS, LOSS OF USE, LOSS OF REVENUE, LOSS OF GOODWILL, ANY INTERRUPTION OF BUSINESS, OR FOR ANY INDIRECT, SPECIAL, INCIDENTAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER, WHETHER BASED ON CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DUO'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER TO DUO IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM."
— Excerpt from Duo Security's Duo Terms of Service
(1) REGULATORY LANDSCAPE: Liability limitation clauses in technology service agreements are generally enforceable under U.S. contract law, though some jurisdictions restrict their application in cases of gross negligence or willful misconduct. For EU customers, consumer-facing limitation clauses may face scrutiny under Unfair Contract Terms Directive frameworks, though this is a B2B agreement and those protections are less directly applicable. The FTC Act is relevant if service availability representations differ materially from actual service performance.

(2) GOVERNANCE EXPOSURE: High. The twelve-month fee cap creates material exposure for enterprises where annual Duo subscription costs are modest relative to the value of systems protected. A large organization paying $100,000 annually in Duo fees but protecting systems where an authentication failure could cause millions in losses has limited contractual recourse under these terms.

(3) JURISDICTION FLAGS: EU/EEA customers should assess whether the limitation clause is consistent with applicable national contract law. California courts have at times limited enforcement of liability caps where the limitation is found to be unconscionable. Customers in regulated industries such as financial services and healthcare face heightened exposure if authentication failures result in regulatory fines or breach notification costs that exceed the liability cap.

(4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should assess whether the liability cap is negotiable for enterprise or premier tier contracts. The mutual nature of the cap (applying to both parties) is standard but does not change the asymmetric risk profile: Duo's potential losses are bounded by its fee income while the customer's losses are not. Vendor risk assessments should document this cap and ensure it is reflected in organizational risk registers and cyber insurance coverage.

(5) COMPLIANCE CONSIDERATIONS: Legal teams should confirm whether the organization's cyber insurance policy covers losses that exceed or fall outside the scope of Duo's contractual liability. Contract review triggers should include re-evaluation of this cap at each renewal, particularly as the scope of Duo-protected systems expands.
ConductAtlas has identified this type of provision across 228 platforms.
Is ConductAtlas affiliated with Duo Security? No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Duo Security.