Skip navigation

Compliance with Duo

Duo stays at the leading edge of industry standards to ensure we meet all your requirements for a compliant, effective security product. We focus on compliance so you can skip right to the work that matters to you, worry-free.

How Duo Complies

Meeting the standards of the security industry — and your company — is a priority for Duo. We have a team of independent third-party auditors regularly auditing and reviewing our infrastructure and operations to ensure we’re secure enough to support our customers.

Industry Compliance


Our operational processes are Service Organizational Control 2 (SOC 2) compliant, as determined by an independent auditor and outlined by the American Institute of CPAs (AICPA).


Duo’s two-factor authentication cryptographic algorithms are validated by the National Institute of Standards and Technology (NIST) under Federal Information Processing Standards’ Cryptographic Algorithm Validation Program (FIPS CAVP) for federal deployments.

Two-Factor Authentication for Epic

FedRAMP Moderate

Our two federal-specific editions are Federal Risk and Authorization Management Program (FedRAMP) Authorized at the FedRAMP Moderate Impact Level by the Department of Energy.

Duo Solutions for the Federal Government


A Drug Enforcement Agency (DEA)-accredited auditor, Drummond Group, LLC, confirmed that Duo Push satisfies Electronic Prescriptions for Controlled Substances (EPCS) requirements for two-factor authentication.

Meeting EPCS Compliance with 2FA

NIST SP 800-63-3

We built Duo Push and Passcode authentication methods in alignment with NIST SP 800-63-3 Authenticator Assurance Level 2 (AAL2) requirements.

Duo Alignment with NIST

ISO 27001, 27017 and 27018

We are International Organization for Standardization (ISO) 27001:2013, 27017:2015, and 27018:2019 certified. To achieve certification, Duo was audited by an accredited external auditor who verified our control environment and assessed the implementation of controls.

In Search of ISO Certification

FIPS 140-2

Duo leverages FIPS 140-2 validated cryptographic algorithms in federal deployments to achieve FIPS 140-2 compliance for Duo Mobile Push and Mobile Passcode by default with no configuration required.

Duo for Epic Documentation

International Compliance

Australia: IRAP (including Essential Eight)

The Australian Signals Directorate (ASD)’s Australian Cyber Security Center (ACSC)’s IRAP — the Information Security Registered Assessors Program — provides a framework for assessing the implementation and effectiveness of an organization’s security controls against the Australian government’s security requirements, as outlined in the Information Manual (ISM) and Protective Security Policy Framework (PSPF). In March 2022, Duo underwent a successful external assessment against IRAP controls at the Protected level and demonstrated compliance against the ACSC’s Essential Eight recommendations for cyber security mitigation strategies.

Duo for Essential Eight

Europe: GDPR

The General Data Protection Regulation (GDPR) affects any organization that collects and handles EU residents' personal data, regardless of where in the world the organization is located. As a provider of secure access solutions, Duo ensures our customers’ data is protected, and we’re committed to GDPR compliance across our organization.

Duo for GDPR

Germany: C5 

We are Cloud Computing Compliance Controls Catalog (C5) certified, meeting a set of compliance criteria issued by the German Federal Office for Information Security (BSI). To achieve certification, Duo was audited by a qualified, independent auditor who assessed our implementation of C5 controls and verified their operating effectiveness.

C5 Solution Brief

Italy: AgID-qualified Provider of SaaS Solutions 

Duo is an AgID-qualified Software as a Service (SaaS) solutions provider, and complies with the principles established by the Digital Italy Agency (AgID). Duo meets organizational requirements outlined by AgID, as well as specific requirements around security, privacy and data protection; performance and scalability; interoperability and portability; and compliance with the relevant Italian and European legislation. We are therefore eligible for the Marketplace Cloud, a digital platform with a catalog of cloud services the Italian public sector can access.

AgID Certification to Provide Cloud Services in Italy

Saudi Arabia: CITC Cloud Computing Regulatory Framework Compliance 

As a cloud service provider (CSP) with customers in the Kingdom of Saudi Arabia, Duo is required to comply with business continuity, disaster recovery and risk management related rules and guidelines identified as mandatory by the CITC. We also comply with applicable provisions in the CITC Cloud Computing Regulatory Framework for data classified as Level 1 and Level 2.

Duo and CITC’s Cloud Computing Regulatory Framework

A person using a laptop, with icons of a lock and a fingerprint in the background.

Looking for in-depth information about Duo's security and compliance?

We have a wealth of resources to support you.

Explore the Cisco Trust Portal

Data Centers and Hosting

Our data centers are located in 9 countries: the United States, Canada, Ireland, the UK, Australia, Germany, India, Singapore and Japan. They are ISO27001 and SOC2 compliant and maintain 99.999% target service availability goal. Keeping data local helps you align with national data compliance regulations, while giving users confidence that their data is in good hands.

Where's My Data Center?

  • Customers in the Americas: United States, Canada, Ireland

  • Customers in Europe, the Middle East and Africa: Ireland, Germany, the UK

  • Customers in Asia Pacific: Australia, Japan, Singapore, Ireland, the UK, India

World map with checks on Duo's 9 data center locations: USA, Canada, Ireland, UK, Australia, Germany, India, Singapore, Japan

Meeting Your Industry's Requirements

Cyber security isn’t just an issue for the security experts or global policymakers — it affects every industry, every user, every day. Duo helps you meet your industry’s privacy requirements so you can focus on standing out.

Federal Government

We offer a FedRAMP Authorized, FIPS-compliant product edition, tailored to meet the strict security requirements of federal agencies and public sector organizations.

Federal Solutions

State and Local Government

Duo provides help for a range of requirements that affect state and local governments including Criminal Justice Information Services (CJIS), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS) and NIST guidelines.

State and Local Government Solutions

Education: Higher Education

The Family Education Rights and Privacy Act (FERPA) requires institutions to ensure student data privacy, and Duo can help make data security easier to achieve for higher education institutions as well as helping them meet requirements for SOC 2, GDPR and more.

Higher Education Solutions

Education: K-12

Duo helps hundreds of school districts adhere to compliance regulations like FERPA, SOC 2 and the K-12 Cybersecurity Act at the high school, middle school and elementary school level.

K-12 Solutions

Financial Services

The Federal Financial Institutions Examination Council (FFIEC), New York State Department of Financial Services (NYDFS) Cybersecurity Regulation and National Association of Insurance Commissioners (NAIC) mandate the use of multi-factor authentication (MFA) to protect access to sensitive data — and Duo’s MFA solutions are poised to meet those needs, as well as NIST and PCI-DSS requirements. 

Finance Solutions


Data security is essential for protecting patient information wherever it goes. We help providers align with HIPAA and EPCS requirements to keep data secure and can even integrate with electronic health records (EHR) for safety throughout the process.

Healthcare Solutions


Duo’s security solutions help legal offices maintain attorney-client privilege and meet the requirements of Model Rules of Professional Conduct rule 1.6(a) from the American Bar Association, which dictates that lawyers shall not reveal client information unless given consent.

Legal Solutions


Duo makes securing customers’ payment information easy and effective. We work directly with Payment Security Compliance (PSC) to meet PCI DSS standards through MFA solutions and more.

Retail Solutions

Additional Compliance Resources

Learn more about how Duo can help you meet your security requirements with user-centric and effective solutions.