Skip navigation

Compliance with Duo

Duo stays at the leading edge of industry standards to ensure we meet all your requirements for a compliant, effective security product. We focus on compliance so you can skip right to the work that matters to you, worry-free.

How Duo Complies

Meeting the standards of the security industry — and your company — is a priority for Duo. We have a team of independent third-party auditors regularly auditing and reviewing our infrastructure and operations to ensure we’re secure enough to support our customers.

Industry Compliance

A compliance logo for SOC 2 SOC 2 which is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data


Our operational processes are Service Organizational Control 2 (SOC 2) compliant, as determined by an independent auditor and outlined by the American Institute of CPAs (AICPA).

An icon image for FIPS (Federal Information Processing Standards) indicating that Duo's two-factor authentication cryptographic algorithms are validated for federal government deployments


Duo’s two-factor authentication cryptographic algorithms are validated by the National Institute of Standards and Technology (NIST) under Federal Information Processing Standards’ Cryptographic Algorithm Validation Program (FIPS CAVP) for federal deployments.

Two-Factor Authentication for Epic

A logo image for FedRAMP (Federal Risk and Authorization Management Program) that is a compliance mandate for the federal government

FedRAMP Moderate

Our two federal-specific editions are Federal Risk and Authorization Management Program (FedRAMP) Authorized at the FedRAMP Moderate Impact Level by the Department of Energy.

Duo Solutions for the Federal Government

A logo for EPCS (Electronic Prescriptions for Controlled Substances), a compliance based certification which is given to organizations who satisfy requirements for two-factor authentication


A Drug Enforcement Agency (DEA)-accredited auditor, Drummond Group, LLC, confirmed that Duo Push satisfies Electronic Prescriptions for Controlled Substances (EPCS) requirements for two-factor authentication.

Meeting EPCS Compliance with 2FA

A company logo for NIST which stands for the National Institute of Standards and Technology

NIST SP 800-63-3

We built Duo Push and Passcode authentication methods in alignment with NIST SP 800-63-3 Authenticator Assurance Level 2 (AAL2) requirements.

Duo Alignment with NIST

A compliance logo for ISO which is the world's best-known standard for information security management systems

ISO 27001, 27017 and 27018

We are International Organization for Standardization (ISO) 27001:2013, 27017:2015, and 27018:2019 certified. To achieve certification, Duo was audited by an accredited external auditor who verified our control environment and assessed the implementation of controls.

In Search of ISO Certification

A logo image of FIPS-140 (Federal Information Processing Standards) cryptographic certification that Duo leverages FIPS 140-2 validated cryptographic algorithms in federal deployments to achieve FIPS 140-2 compliance for Duo Mobile Push and Mobile Passcode by default with no configuration required

FIPS 140-2

Duo leverages FIPS 140-2 validated cryptographic algorithms in federal deployments to achieve FIPS 140-2 compliance for Duo Mobile Push and Mobile Passcode by default with no configuration required.

Duo for Epic Documentation

International Compliance

A logo for IRAP which stands for Information Security Registered Assessors Program

Australia: IRAP (including Essential Eight)

The Australian Signals Directorate (ASD)’s Australian Cyber Security Center (ACSC)’s IRAP — the Information Security Registered Assessors Program — provides a framework for assessing the implementation and effectiveness of an organization’s security controls against the Australian government’s security requirements, as outlined in the Information Manual (ISM) and Protective Security Policy Framework (PSPF). In March 2022, Duo underwent a successful external assessment against IRAP controls at the Protected level and demonstrated compliance against the ACSC’s Essential Eight recommendations for cyber security mitigation strategies.

Duo for Essential Eight

A logo image of GDPR (General Data Protection Regulation) showcasing that Duo's secure access solution is GDPR compliant

Europe: GDPR

The General Data Protection Regulation (GDPR) affects any organization that collects and handles EU residents' personal data, regardless of where in the world the organization is located. As a provider of secure access solutions, Duo ensures our customers’ data is protected, and we’re committed to GDPR compliance across our organization.

Duo for GDPR

A cloud shaped image with C5 (Cloud Computing Compliance Controls Catalog) written indicating Duo's implementation of C5 compliance controls and verification of operation effectiveness in Germany.

Germany: C5 

We are Cloud Computing Compliance Controls Catalog (C5) certified, meeting a set of compliance criteria issued by the German Federal Office for Information Security (BSI). To achieve certification, Duo was audited by a qualified, independent auditor who assessed our implementation of C5 controls and verified their operating effectiveness.

C5 Solution Brief

An image of AGID, a Digital Italy Agency (AgID) that has certified Duo's security compliance in Italy

Italy: AgID-qualified Provider of SaaS Solutions 

Duo is an AgID-qualified Software as a Service (SaaS) solutions provider, and complies with the principles established by the Digital Italy Agency (AgID). Duo meets organizational requirements outlined by AgID, as well as specific requirements around security, privacy and data protection; performance and scalability; interoperability and portability; and compliance with the relevant Italian and European legislation. We are therefore eligible for the Marketplace Cloud, a digital platform with a catalog of cloud services the Italian public sector can access.

AgID Certification to Provide Cloud Services in Italy

Logo image of CITC, (Cloud Computing Regulatory Framework Compliance) of Saudi Arabia stating Duo's compliance comply with business continuity, disaster recovery and risk management related regulations and guidelines.

Saudi Arabia: CITC Cloud Computing Regulatory Framework Compliance 

As a cloud service provider (CSP) with customers in the Kingdom of Saudi Arabia, Duo is required to comply with business continuity, disaster recovery and risk management related rules and guidelines identified as mandatory by the CITC. We also comply with applicable provisions in the CITC Cloud Computing Regulatory Framework for data classified as Level 1 and Level 2.

Duo and CITC’s Cloud Computing Regulatory Framework

A person using a laptop, with icons of a lock and a fingerprint in the background.

Looking for in-depth information about Duo's security and compliance?

We have a wealth of resources to support you.

Explore the Cisco Trust Portal

Data Centers and Hosting

Our data centers are located in 9 countries: the United States, Canada, Ireland, the UK, Australia, Germany, India, Singapore and Japan. They are ISO27001 and SOC2 compliant and maintain 99.999% target service availability goal. Keeping data local helps you align with national data compliance regulations, while giving users confidence that their data is in good hands.

Where's My Data Center?

  • Customers in the Americas: United States, Canada, Ireland

  • Customers in Europe, the Middle East and Africa: Ireland, Germany, the UK

  • Customers in Asia Pacific: Australia, Japan, Singapore, Ireland, the UK, India

World map with checks on Duo's 9 data center locations: USA, Canada, Ireland, UK, Australia, Germany, India, Singapore, Japan

Meeting Your Industry's Requirements

Cyber security isn’t just an issue for the security experts or global policymakers — it affects every industry, every user, every day. Duo helps you meet your industry’s privacy requirements so you can focus on standing out.

Image of a government building

Federal Government

We offer a FedRAMP Authorized, FIPS-compliant product edition, tailored to meet the strict security requirements of federal agencies and public sector organizations.

Federal Solutions

icon of a flag

State and Local Government

Duo provides help for a range of requirements that affect state and local governments including Criminal Justice Information Services (CJIS), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS) and NIST guidelines.

State and Local Government Solutions

book icon representing the education sector of the market

Education: Higher Education

The Family Education Rights and Privacy Act (FERPA) requires institutions to ensure student data privacy, and Duo can help make data security easier to achieve for higher education institutions as well as helping them meet requirements for SOC 2, GDPR and more.

Higher Education Solutions

icon of a school representing the education market

Education: K-12

Duo helps hundreds of school districts adhere to compliance regulations like FERPA, SOC 2 and the K-12 Cybersecurity Act at the high school, middle school and elementary school level.

K-12 Solutions

Image icon of money representing the financial services industry

Financial Services

The Federal Financial Institutions Examination Council (FFIEC), New York State Department of Financial Services (NYDFS) Cybersecurity Regulation and National Association of Insurance Commissioners (NAIC) mandate the use of multi-factor authentication (MFA) to protect access to sensitive data — and Duo’s MFA solutions are poised to meet those needs, as well as NIST and PCI-DSS requirements. 

Finance Solutions

An icon image of a hospital


Data security is essential for protecting patient information wherever it goes. We help providers align with HIPAA and EPCS requirements to keep data secure and can even integrate with electronic health records (EHR) for safety throughout the process.

Healthcare Solutions

An icon image of of scales representing the legal industry


Duo’s security solutions help legal offices maintain attorney-client privilege and meet the requirements of Model Rules of Professional Conduct rule 1.6(a) from the American Bar Association, which dictates that lawyers shall not reveal client information unless given consent.

Legal Solutions

credit card icon with a lock and key icon below it indicating needing to keep that credit card secure


Duo makes securing customers’ payment information easy and effective. We work directly with Payment Security Compliance (PSC) to meet PCI DSS standards through MFA solutions and more.

Retail Solutions

Additional Compliance Resources

Learn more about how Duo can help you meet your security requirements with user-centric and effective solutions.