To ensure the security and reliability of our service, we’ve focused our efforts in three key areas: people, process, and technology. With users in mission-critical environments in 42 countries, and uptime exceeding 99.995% since 2010, we back our claims with a hard service-level guarantee, independent third-party monitoring, and bounties for any reported security issue in our two-factor authentication service.
Duo employs a full-time security team with operational experience in large-scale systems security (e.g. site security for 40,000 users, data protection for 5 million users, etc.). Our team also includes some of the world’s foremost experts in mobile, application, and network security. Our founders have been responsible for some of the seminal academic and industry advancements in firewall, IDS/IPS, DDoS, and anti-malware technologies; groundbreaking research in OS and mobile platform security; and open-source security technologies used the world over (OpenSSH, OpenBSD, Linux, etc.).
Every aspect of our operation is designed with security in mind: our handling of customer data, our code release, upgrade, and patch management processes, and our operational security practices. These practices incorporate relevant security, policy, and evaluation frameworks such as PCI DSS, Shared Assessments, OWASP, ISO 27001, the NIST 800 series, and other best practices and meaningful standards.
Our security processes and architecture have been reviewed and audited by independent third parties including Matasano Security and iSEC Partners on behalf of the discerning, billion-dollar global enterprises we’re honored to have as customers, and the hundreds of smaller customers we’re proud to support.
Duo is secure in both design and implementation. From modern exploit mitigation and defensive programming techniques, to time-honored least-privilege, data classification, and compartmentalization strategies, every component of our technology and infrastructure is the result of a careful, considered approach to secure systems design and engineering.
The cryptographic algorithms Duo uses for its two-factor authentication service have been validated by NIST under the Cryptographic Algorithm Validation Program (CAVP) and are built on OpenSSL’s FIPS 140-2 validated cryptographic module (validated under the Cryptographic Module Validation Program, CMVP). Our NIST algorithm certificates are publicly available for review and cover FIPS 186-3 RSA asymmetric cryptography, the FIPS 180-4 Secure Hash Standard (SHA) hash family, and the FIPS 198 HMAC algorithm.
Duo Security complies with the U.S.-E.U. and U.S.-Swiss Safe Harbor frameworks as set forth by the U.S. Department of Commerce (the “Safe Harbor”) regarding the collection, use, and retention of personal data (as defined by the Safe Harbor) from the European Union and Switzerland. To learn more about the Safe Harbor principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, please visit http://www.export.gov/safeharbor. See our Safe Harbor certification here: https://safeharbor.export.gov/companyinfo.aspx?id=29663.
Completion of a SOC 2 examination indicates that Duo Security has adopted processes, procedures, and controls that have been formally evaluated and tested by an independent accounting and auditing firm. SOC 2 is an attestation report rather than a certification, and it is widely recognized because it represents that a service organization has been through an evaluation of its control activities as they relate to the applicable Trust Services Principles and Criteria.