Compliance with Duo
Duo stays at the leading edge of industry standards to ensure we meet all your requirements for a compliant, effective security product. We focus on compliance so you can skip right to the work that matters to you, worry-free.
How Duo Complies
Meeting the standards of the security industry — and your company — is a priority for Duo. We have a team of independent third-party auditors regularly auditing and reviewing our infrastructure and operations to ensure we’re secure enough to support our customers.
Industry Compliance
SOC 2
Our operational processes are Service Organizational Control 2 (SOC 2) compliant, as determined by an independent auditor and outlined by the American Institute of CPAs (AICPA).
FIPS CAVP from NIST
Duo’s two-factor authentication cryptographic algorithms are validated by the National Institute of Standards and Technology (NIST) under Federal Information Processing Standards’ Cryptographic Algorithm Validation Program (FIPS CAVP) for federal deployments.
FedRAMP Moderate
Our two federal-specific editions are Federal Risk and Authorization Management Program (FedRAMP) Authorized at the FedRAMP Moderate Impact Level by the Department of Energy.
EPCS
A Drug Enforcement Agency (DEA)-accredited auditor, Drummond Group, LLC, confirmed that Duo Push satisfies Electronic Prescriptions for Controlled Substances (EPCS) requirements for two-factor authentication.
NIST SP 800-63-3
We built Duo Push and Passcode authentication methods in alignment with NIST SP 800-63-3 Authenticator Assurance Level 2 (AAL2) requirements.
ISO 27001, 27017 and 27018
We are International Organization for Standardization (ISO) 27001:2013, 27017:2015, and 27018:2019 certified. To achieve certification, Duo was audited by an accredited external auditor who verified our control environment and assessed the implementation of controls.
FIPS 140-2
Duo leverages FIPS 140-2 validated cryptographic algorithms in federal deployments to achieve FIPS 140-2 compliance for Duo Mobile Push and Mobile Passcode by default with no configuration required.
International Compliance
Australia: IRAP (including Essential Eight)
The Australian Signals Directorate (ASD)’s Australian Cyber Security Center (ACSC)’s IRAP — the Information Security Registered Assessors Program — provides a framework for assessing the implementation and effectiveness of an organization’s security controls against the Australian government’s security requirements, as outlined in the Information Manual (ISM) and Protective Security Policy Framework (PSPF). In March 2022, Duo underwent a successful external assessment against IRAP controls at the Protected level and demonstrated compliance against the ACSC’s Essential Eight recommendations for cyber security mitigation strategies.
Europe: GDPR
The General Data Protection Regulation (GDPR) affects any organization that collects and handles EU residents' personal data, regardless of where in the world the organization is located. As a provider of secure access solutions, Duo ensures our customers’ data is protected, and we’re committed to GDPR compliance across our organization.
Germany: C5
We are Cloud Computing Compliance Controls Catalog (C5) certified, meeting a set of compliance criteria issued by the German Federal Office for Information Security (BSI). To achieve certification, Duo was audited by a qualified, independent auditor who assessed our implementation of C5 controls and verified their operating effectiveness.
Italy: AgID-qualified Provider of SaaS Solutions
Duo is an AgID-qualified Software as a Service (SaaS) solutions provider, and complies with the principles established by the Digital Italy Agency (AgID). Duo meets organizational requirements outlined by AgID, as well as specific requirements around security, privacy and data protection; performance and scalability; interoperability and portability; and compliance with the relevant Italian and European legislation. We are therefore eligible for the Marketplace Cloud, a digital platform with a catalog of cloud services the Italian public sector can access.
Saudi Arabia: CITC Cloud Computing Regulatory Framework Compliance
As a cloud service provider (CSP) with customers in the Kingdom of Saudi Arabia, Duo is required to comply with business continuity, disaster recovery and risk management related rules and guidelines identified as mandatory by the CITC. We also comply with applicable provisions in the CITC Cloud Computing Regulatory Framework for data classified as Level 1 and Level 2.
Looking for in-depth information about Duo's security and compliance?
We have a wealth of resources to support you.
Data Centers and Hosting
Our data centers are located in 9 countries: the United States, Canada, Ireland, the UK, Australia, Germany, India, Singapore and Japan. They are ISO27001 and SOC2 compliant and maintain 99.999% target service availability goal. Keeping data local helps you align with national data compliance regulations, while giving users confidence that their data is in good hands.
Where's My Data Center?
Customers in the Americas: United States, Canada, Ireland
Customers in Europe, the Middle East and Africa: Ireland, Germany, the UK
Customers in Asia Pacific: Australia, Japan, Singapore, Ireland, the UK, India
Meeting Your Industry's Requirements
Cyber security isn’t just an issue for the security experts or global policymakers — it affects every industry, every user, every day. Duo helps you meet your industry’s privacy requirements so you can focus on standing out.
Federal Government
We offer a FedRAMP Authorized, FIPS-compliant product edition, tailored to meet the strict security requirements of federal agencies and public sector organizations.
State and Local Government
Duo provides help for a range of requirements that affect state and local governments including Criminal Justice Information Services (CJIS), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS) and NIST guidelines.
Education: Higher Education
The Family Education Rights and Privacy Act (FERPA) requires institutions to ensure student data privacy, and Duo can help make data security easier to achieve for higher education institutions as well as helping them meet requirements for SOC 2, GDPR and more.
Education: K-12
Duo helps hundreds of school districts adhere to compliance regulations like FERPA, SOC 2 and the K-12 Cybersecurity Act at the high school, middle school and elementary school level.
Financial Services
The Federal Financial Institutions Examination Council (FFIEC), New York State Department of Financial Services (NYDFS) Cybersecurity Regulation and National Association of Insurance Commissioners (NAIC) mandate the use of multi-factor authentication (MFA) to protect access to sensitive data — and Duo’s MFA solutions are poised to meet those needs, as well as NIST and PCI-DSS requirements.
Healthcare
Data security is essential for protecting patient information wherever it goes. We help providers align with HIPAA and EPCS requirements to keep data secure and can even integrate with electronic health records (EHR) for safety throughout the process.
Legal
Duo’s security solutions help legal offices maintain attorney-client privilege and meet the requirements of Model Rules of Professional Conduct rule 1.6(a) from the American Bar Association, which dictates that lawyers shall not reveal client information unless given consent.
Retail
Duo makes securing customers’ payment information easy and effective. We work directly with Payment Security Compliance (PSC) to meet PCI DSS standards through MFA solutions and more.
Additional Compliance Resources
Learn more about how Duo can help you meet your security requirements with user-centric and effective solutions.