Skip to main content
SOC 2 Type II since 2022

Security and compliance evidence, on request, without the procurement gauntlet.

The DuoCircle Trust Center is where organizations get DuoCircle's security and compliance evidence: a SOC 2 Type II examination maintained annually since 2022, CSA STAR Level 1 self-assessments for six services, and a current HECVAT Full for higher education. Public documents need no signature, and NDA-gated documents like the SOC 2 report are shared under the standardized Bonterms Mutual NDA, with same-day turnaround in most cases.

Bonterms Mutual NDA, published before you ask Same-day turnaround in most cases Annual penetration testing, summary available
SOC 2 Type II
Since 2022
Annual examination, all four trust criteria
CSA STAR
6 services
Level 1 self-assessment, public registry
Customers since
2014
Over 50,000 organizations to date
From request to report
One signature
No redlines, no procurement maze
Why this page exists

We do the work, so your team does not have to repeat it.

Maintaining a SOC 2 Type II in good standing is not a checkbox. It is an annual examination by an independent CPA firm, a control environment our security team runs every day of the year, and a set of policies we keep current and tested. We invest in it because we believe security work should be visible, audited, and reusable, not reinvented for every new vendor questionnaire.

Your organization may need more than that, or less, or something different. Higher education sees HECVAT. Public sector sees CJIS or StateRAMP. Healthcare sees HIPAA. Financial services sees PCI or NYDFS 500. Most of these standards overlap with the SOC 2 control set we already operate. We can usually map our existing evidence to whatever framework you have to file against, instead of asking your team to start from a blank questionnaire.

On this page you will find what we publish openly, what we share under a standardized NDA you can read in advance, and how to ask for the rest.

Public, no NDA

Start here. No signature required.

The fastest way through early-stage diligence is the evidence we publish openly. Most procurement teams find what they need below before they ever email us.

CSA STAR Registry

Level 1 self-assessment (CAIQ Lite, subset of CCM v4.1) for six services in the Cloud Security Alliance public registry. Renewed annually. Read it before you reach out.

See per-product STAR entries

Subprocessor list

Every third-party vendor that processes personal data on our behalf, mandatory and optional, with role and headquarters. Customers receive thirty days notice before any change.

View subprocessors

Bonterms Mutual NDA

We use the standardized Bonterms Mutual NDA, published openly so your legal team can review it before any conversation begins. Read once, sign anywhere.

Review the NDA

Security overview

Encryption, access control, monitoring, vendor management, and incident response, written for humans rather than auditors. The plain-English version of our security posture.

Read security overview

Policy catalog

The titles, owners, and review cadence of every policy in our information security program. Catalog public, contents under NDA. Use it to scope your questionnaire.

See the catalog

Responsible disclosure

How to report a security issue, our acknowledgment commitment, scope, and the safe harbor we extend to good-faith research that follows responsible disclosure norms.

Reporting policy

Open-source notices

Third-party open-source components in our installable email-security products for HCL Notes and Domino. Verbatim mirror of the THIRD-PARTY-NOTICES.txt shipped in the installer.

View notices
Published in advance

The contract stack, published before you ask.

The same philosophy as our NDA applies to every agreement you would normally have to request: the full stack is public at duocircle.com/legal, versioned and ready for your legal team before any conversation begins.

Cloud Terms

The master terms every DuoCircle service runs under. Read them before a trial, attach them to a PO, no countersignature needed to review.

Read the Cloud Terms

Data Processing Agreement

Our DPA for GDPR and UK processing, incorporating the public subprocessor list. Ready for your privacy team's review as-is.

Read the DPA

Service Level Agreement

The availability commitment we make and the service credits that apply when we miss it, defined measurably rather than aspirationally.

Read the SLA

Acceptable Use Policy

What we allow on the platform, what we do not, and how enforcement works. Written so your compliance team can quote it directly.

Read the AUP

AI Addendum

The terms that govern AI-assisted features: what data they may touch, what they may not, and the commitments that apply. Published before your AI review asks.

Read the AI Addendum

The full legal library

Privacy, cookies, accessibility, trademarks, law-enforcement requests, vulnerability disclosure, and the rest, all in one public index.

Browse duocircle.com/legal
Pricing policy

Pricing is part of trust.

Every product publishes its price on its own site, and the same price applies to every organization. A public company, a funded startup, and a ten-person shop pay the same number for the same thing. Where a discount exists, it is published, not negotiated.

What moves your price

  • The service and plan you choose, each published on its product site
  • How many domains a service covers, with published multi-domain volume tiers
  • Volume, where a service is metered by messages, mailboxes, or users
  • Engagement scope for one-time expert services (for example, enforcement to p=quarantine versus p=reject)
  • Published programs: MSP and channel partner pricing, and public-sector programs like CIS CyberMarket

What never moves it

  • ×The size of your company or the recognizability of your logo
  • ×Negotiating stamina: there is no secret price behind the published one
  • ×Time of quarter: no end-of-quarter discounts that punish customers who bought in March
  • ×Procurement leverage: the ten-person shop and the enterprise see the same list

If a quote ever deviates from a published price, it should be a published program (volume tier, partner, public sector), and you are entitled to ask which one.

Under NDA

When you need the auditor's letterhead, sign once and we will send it.

The Bonterms Mutual NDA is a standardized two-way agreement we publish in advance. Most exchanges complete the same business day. No redlines, no procurement maze, no surprise terms.

Document
SOC 2 Type II report
HECVAT Full
Penetration test summary
Information security policy pack
Custom questionnaire response
How it works

Three steps. One signature. Same business day.

1

Read the NDA before you ask

We publish the Bonterms Mutual NDA at duocircle.com/legal/mutual-nda. Your legal team can review it on their own time.

2

Submit the request form

Tell us who you are, the legal entity name, the authorized signer, and which documents you need. The form takes a minute.

3

Sign and receive

We countersign the NDA and send the documents you asked for. Same business day in most cases, no procurement gauntlet.

If your organization requires its own NDA form, send it. We accept reasonable customer paper without comment in the great majority of cases.

Per-product compliance pages

Each product has its own compliance page.

Many enterprise procurement teams need product-specific evidence rather than corporate-level evidence. Each product publishes its own compliance page with the CSA STAR registry entry, supported standards, and the data residency picture for that service.

Ready to move the procurement step into the past?

Tell us what you need. We will turn it around the same business day in most cases.