Privacy Policy

Last updated: August 28, 2014

Duo Security is committed to protecting the privacy of our customers’ personal information. This Privacy Policy describes how we collect, use, share, transfer and disclose personal information. This Policy applies to the Duo Security website at www.duosecurity.com (the “Website” or the “Site”), the Duo Security Application (the “App”), and the Duo Security, Inc. two-factor authentication service (the “Service”), together the “Service” or “Services.” This policy covers information we collect online, not offline. Terms not otherwise defined in this policy have the meanings assigned to them in Duo Security’s Service Terms and Conditions located at https://www.duosecurity.com/terms. The Site, App and Service are owned and operated by Duo Security, Inc., 123 North Ashley Street, Suite #200, Ann Arbor, MI 48104 (“Duo Security,” “we” or “us”).

Any personally identifiable information (“Personal Data”) collected by the Site, the App or the Service (the “Services”) shall be used only in a manner consistent with this Privacy Policy. When you sign up for or access the Services, including Blog Updates or newsletters, or when you email us for information, you expressly agree to the use of your information for the purposes described in this Policy. If you do not agree with this Privacy Policy or any changes to it, you should not sign up for, use or access the Services or any features of the Services.

Changes to Our Privacy Policy

If we decide to change our Privacy Policy, we will post those changes on this page and update the Privacy Policy modification date. We will also post a notice on our Blog. Please check back regularly to review any changes to this Privacy Policy. This policy was last modified on August 28, 2014.

Safe Harbor

Duo Security complies with the U.S.-E.U. and U.S.-Swiss Safe Harbor frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data from the European Union and Switzerland. To learn more about the Safe Harbor program’s principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, please visit http://www.export.gov/safeharbor. See our Safe Harbor certification here: http://safeharbor.export.gov/companyinfo.aspx?id=24519.

U.S.-EU Safe Harbor Framework

Enforcement

Duosecurity.com uses a self-assessment approach to assure compliance with this Privacy Policy and periodically verifies that the Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Safe Harbor Principles.

If you have questions or concerns regarding our compliance with the U.S.-E.U. and U.S.-Swiss Safe Harbor frameworks, you should first contact Paul DiMarzo at pdimarzo@duosecurity.com. If you do not receive acknowledgement of your inquiry in 30 days, or your inquiry has not been satisfactorily addressed, you should contact ICDR/AAA, our Safe Harbor Dispute Resolution provider as described below.

Personal Data

Personally Identifiable Information (“Personal Data”) is information about you that is personally identifying, such as your name, email address, or telephone number, and that is not otherwise publicly available. The definition of Personal Data or Personally Identifiable Information depends on your physical location and may include other types of information as well, such as your IP address, depending upon your physical location. Only the definition of Personal Data that applies to your physical location will apply to you under this Privacy Policy.

Information We Collect

Personal Data. Providing Personal Data to us is by opt-in only. You can opt in by signing up for or using the Service through the Site or the App, which requires you to create an account and collects your name, email address, and telephone number. Your employer’s service administrator may provide this information on your behalf. We collect this information in order to be able to provide you with the Service and to manage your account. We also collect your company name and assign you an account name based on your company name.

We also collect your email address when you email us for information or sign up for our newsletters and email updates, in order to send you this information. You can unsubscribe from our newsletters and updates by clicking “Unsubscribe” at the bottom of the newsletter or email update.

If you do not opt in, you will not have access to the Services and we will have no way of contacting you to send you updates or respond to your inquiries. By opting in you are providing your express consent to the collection, use, retention, processing, transfer, and disclosure, including cross-border disclosure, of your Personal Data as explained in this Privacy Policy.

Device Information. We also collect device-specific information (e.g. mobile and desktop) from users in order to provide the Service (such as a user’s hardware model, operating system and web browser versions, unique device identifiers, and mobile network information including phone number). We may need to associate your user’s device-specific information with your Personal Data on a periodic basis in order to confirm you as a user and to check the security on your device.

Service log information. When users use the Service, we may automatically collect and store certain information in server logs. This may include which users (by username) are accessing the Service, how they are accessing the service (including the device-specific information referenced above and type of integration), the dates and times they access the Service, where they are accessing the service (by Internet protocol address) and device event information such as crashes, system activity, and hardware settings. We may need to associate this information with your Personal Data on a periodic basis in order to confirm you as a user and to check the security on your device.

By design, the Service does not allow us to collect your users’ passwords. In general, we use the information we collect to provide the Service and for billing purposes. We may also use the information we collect to improve the Service for all users.

We will retain your information for as long as your account is active or as needed to provide you the Services. We will retain and use your and your users’ information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Do We Share Information with Third Parties?

Duo Security may transmit or share information with its third party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and other technology and services required to operate and maintain the Service, which may require that users’ information be transferred. Although Duo Security owns the software, code, databases, and all rights to the Duo Security service, you retain all rights to your data.

Duo Security also uses third party intermediaries to send out emails on our behalf and to provide customer support including via live chat software. We provide customer emails to our third party vendor who sends our emails on our behalf for these purposes only. Third party intermediaries and vendors are not authorized to use your information for any other purpose.

We may disclose such information to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Service Terms and Conditions, or as otherwise required by law.

Credit Card Information

Credit or debit card information and personal financial account information is considered “Sensitive Information.” We do not collect credit card, debit card or personal financial account information when you sign up for the Service, because we use a third party vendor, Recurly, to process our subscription billing. When you provide payment information to sign up for the Service you provide it directly to Recurly and not to Duosecurity.com. When you sign up for the Service, you will automatically be routed to the Recurly website to provide the information Recurly deems necessary to process your transaction. Recurly is a third party vendor and has its own privacy policy, which may be different from ours. This Privacy Policy does not cover Recurly and Duosecurity.com is not covered by Recurly’s privacy policy. To learn about Recurly’s privacy practices, please read their privacy policy at http://recurly.com/legal/privacy.

Accessing and Updating Your Personal Data

You can modify your account information at any time by using the Service administrative interface available at https://admin.duosecurity.com or by emailing our customer support at support@duosecurity.com. We will respond to your request to access within 30 days.

Cookies

When you visit the Site or use the Services, we use session “cookies” — a piece of information stored on your computer — to allow us to uniquely identify your browser while you are logged in and to enable Duo Security to process your online transactions. We do not link the information we store in cookies to any Personal Data you submit while on our Site. Session cookies also help us confirm your identity and are required in order to log in to your account. Duo Security uses persistent cookies that only Duo Security can read and use, to identify you as a Duo Security customer and make it easier for you to log into your account. Users who disable their web browsers’ ability to accept cookies will be able to browse our Website, but will not be able to access or take advantage of the Service. For further information about disabling or blocking cookies, please see ‘Can I withdraw my consent?’ in our Cookie Policy at https://www.duosecurity.com/cookies.

The use of cookies by our partners is not covered by our Privacy Policy. We do not have access or control over these cookies. Our partners use session ID cookies to trace user movement on the site.

Clear Gifs

We employ, or our third party advertising partner employs, a software technology called clear gifs (also known as “Web Beacons” or “Web Bugs”) that helps us better manage content on our site by informing us what content is effective. Clear gifs are tiny graphics with a unique identifier, similar in function to cookies, and are used to track the online movements of Website users. In contrast to cookies, which are stored on a user’s computer hard drive, clear gifs are embedded invisibly on Web pages and are about the size of the period at the end of this sentence.

We use clear gifs in our HTML-based emails to let us know which emails have been opened by recipients. This allows us to gauge the effectiveness of certain communications and the effectiveness of our marketing campaigns.

Website Log Files

As is true of most Websites, we and our third party utility-tracking partners gather certain information automatically and store it in log files. This information includes internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data.

We use this information, which does not identify individual users, to analyze trends, to administer the site, to track users’ movements around the site and to gather demographic information about our user base as a whole.

Protection of Information

Duo Security maintains reasonable security measures to protect your information from loss, destruction, misuse, unauthorized access or disclosure. These technologies help ensure that your data is safe, secure, and only available to you and to those you provided authorized access (e.g., your users). However, no data transmission over the Internet or information storage technology can be guaranteed to be 100% secure. If you have any questions about security on our Website, you can contact us at security@duosecurity.com.

Links to Other Sites

Our Website contains links to other sites that are not owned or controlled by Duo Security. Please be aware that we, Duo Security, are not responsible for the privacy practices of such other sites. We encourage you to be aware when you leave our site and to read the privacy statements of each and every Website that collects personally identifiable information. This privacy statement applies only to information collected by our Website and Service.

Public Forums

Our Website offers publicly accessible blogs or community forums. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your personal information from our blog or community forum, contact us at privacy@duosecurity.com. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.

Testimonials

We post customer testimonials on our Site, which may contain Personal Data. Prior to posting a testimonial, we obtain the customer’s consent via email to post their name along with their testimonial. If you want your testimonial removed, please contact us at privacy@duosecurity.com.

Surveys

From time to time we may provide you the opportunity to participate in contests or surveys. If you participate, we will request certain Personal Data from you at the time of the survey. Participation in these surveys or contests is completely voluntary and you have a choice whether or not to disclose this information. The requested information typically includes contact information, such as email or phone number.

We use this information to improve our service and to send our customers updates on how we are improving the service based on their feedback.

Choice and Consent

By emailing us, signing up for updates or the Service or by using our Services, you expressly consent to the collection, use, retention, transfer and disclosure, including cross-border disclosure, of your information as described in this Privacy Policy. Each time you email us, sign up for or use our Service, you are giving your express consent to the collection, use, retention, transfer and disclosure, including cross-border disclosure, of your information as described in this Privacy Policy. If you wish to opt out and withdraw your consent, you may do so at any time by writing to: privacy@duosecurity.com. If you opt out and withdraw your consent you will no longer be able to use the Service or receive updates and we will not have any means by which to respond to your inquiries.

International or Cross-Border Transfer of Your Personal Data and Your Express Agreement

Given that the Internet operates in a global environment and that transfer of your data is necessary to process your registration and use of the Services, to provide updates, and to respond to your inquiries, using the Internet to collect and process Personal Data necessarily involves the transmission of data on an international, or cross-border, basis. By signing up for or using the Services, and/or by communicating with us by email, you acknowledge and expressly consent to our processing and disclosure of your Personal Data in this way. The Personal Data of users who are located outside the U.S. will be transferred outside of each eligible country to the United States where our servers are located and where it will be processed and stored on servers owned and operated by Amazon Web Services (“AWS”), which participates in the EU-US Safe Harbor program. You may view the AWS privacy policy at http://aws.amazon.com/privacy. The U.S. does not provide an adequate level of protection according to EU data protection regulations. We will take all steps reasonably necessary to ensure that users’ Personal Data is treated securely and in accordance with the EU/US Safe Harbor Principles and the Terms and Conditions for the Site in respect of such transfer, but will not otherwise take steps to ensure compliance with applicable laws in each user’s country of residence. By registering for or using the Service, by signing up for updates, or by sending us emails, you expressly agree to such transfer and disclosure.

By accessing, signing up for or using the Services, sending us email, or by signing up for email updates, you provide your express consent to our disclosure of your Personal Data to our Subcontractors for the purposes described in this Privacy Policy.

California Do Not Track Disclosures and Other Disclosures under CalOPPA

We currently do not honor Do Not Track signals. Personal Data collected by us as described in this Privacy Policy is not maintained in personally identifiable form in combination with any identifier collected by cookies, web beacons, or other technologies.

Children’s Online Privacy Protection Act Compliance

We are in compliance with the requirements of COPPA (Children’s Online Privacy Protection Act), as we do not collect any information from anyone under 13 years of age. The Site and its content are directed to people who are at least 18 years of age or older.

Access to Your Information

You have a right to access, review, change, update or delete your Personal Data at any time by contacting us at privacy@duosecurity.com or by postal mail at Duo Security, Inc., 123 North Ashley Street, Suite #200, Ann Arbor, MI 48104 (“Data Controller” and “Data Recipient”).

Contact Us About Complaints, Questions, Comments, Notices and Disputes

In compliance with the US-EU and US-Swiss Safe Harbor Principles, Duosecurity.com commits to resolving complaints about your privacy and our collection or use of your Personal Data. Users with a need to provide a Notice to us under this Policy or our Terms of Use, or European Union or Swiss residents with inquiries or complaints regarding this Privacy Policy should first contact us:

Duosecurity.com has further committed to refer unresolved privacy complaints under the US-EU and US-Swiss Safe Harbor Principles to an independent dispute resolution mechanism, the International Center for Dispute Resolution/American Arbitration Association (ICDR/AAA), operated by the American Arbitration Association. If you do not receive timely acknowledgment of your complaint, or if Duosecurity.com does not satisfactorily address your complaint, please visit the AAA EU SAFE HARBOR web site at http://www.icdr.org to obtain more information or to file a complaint.

Business Transactions

Duo Security may assign or transfer this privacy policy, and your user account and related information and data, to any person or entity that acquires or is merged with Duo Security.

Terms of Service

When you access and use the Service, you are subject to the Duo Security Terms of Service available for review at https://www.duosecurity.com/terms.