Security and compliance evidence, on request, without the procurement gauntlet.
The DuoCircle Trust Center is where organizations get DuoCircle's security and compliance evidence: a SOC 2 Type II examination maintained annually since 2022, CSA STAR Level 1 self-assessments for six services, and a current HECVAT Full for higher education. Public documents need no signature, and NDA-gated documents like the SOC 2 report are shared under the standardized Bonterms Mutual NDA, with same-day turnaround in most cases.
- SOC 2 Type II
- Since 2022
- Annual examination, all four trust criteria
- CSA STAR
- 6 services
- Level 1 self-assessment, public registry
- Customers since
- 2014
- Over 50,000 organizations to date
- From request to report
- One signature
- No redlines, no procurement maze
We do the work, so your team does not have to repeat it.
Maintaining a SOC 2 Type II in good standing is not a checkbox. It is an annual examination by an independent CPA firm, a control environment our security team runs every day of the year, and a set of policies we keep current and tested. We invest in it because we believe security work should be visible, audited, and reusable, not reinvented for every new vendor questionnaire.
Your organization may need more than that, or less, or something different. Higher education sees HECVAT. Public sector sees CJIS or StateRAMP. Healthcare sees HIPAA. Financial services sees PCI or NYDFS 500. Most of these standards overlap with the SOC 2 control set we already operate. We can usually map our existing evidence to whatever framework you have to file against, instead of asking your team to start from a blank questionnaire.
On this page you will find what we publish openly, what we share under a standardized NDA you can read in advance, and how to ask for the rest.
Start here. No signature required.
The fastest way through early-stage diligence is the evidence we publish openly. Most procurement teams find what they need below before they ever email us.
CSA STAR Registry
Level 1 self-assessment (CAIQ Lite, subset of CCM v4.1) for six services in the Cloud Security Alliance public registry. Renewed annually. Read it before you reach out.
See per-product STAR entriesSubprocessor list
Every third-party vendor that processes personal data on our behalf, mandatory and optional, with role and headquarters. Customers receive thirty days notice before any change.
View subprocessorsBonterms Mutual NDA
We use the standardized Bonterms Mutual NDA, published openly so your legal team can review it before any conversation begins. Read once, sign anywhere.
Review the NDASecurity overview
Encryption, access control, monitoring, vendor management, and incident response, written for humans rather than auditors. The plain-English version of our security posture.
Read security overviewPolicy catalog
The titles, owners, and review cadence of every policy in our information security program. Catalog public, contents under NDA. Use it to scope your questionnaire.
See the catalogResponsible disclosure
How to report a security issue, our acknowledgment commitment, scope, and the safe harbor we extend to good-faith research that follows responsible disclosure norms.
Reporting policyOpen-source notices
Third-party open-source components in our installable email-security products for HCL Notes and Domino. Verbatim mirror of the THIRD-PARTY-NOTICES.txt shipped in the installer.
View noticesThe contract stack, published before you ask.
The same philosophy as our NDA applies to every agreement you would normally have to request: the full stack is public at duocircle.com/legal, versioned and ready for your legal team before any conversation begins.
Cloud Terms
The master terms every DuoCircle service runs under. Read them before a trial, attach them to a PO, no countersignature needed to review.
Read the Cloud TermsData Processing Agreement
Our DPA for GDPR and UK processing, incorporating the public subprocessor list. Ready for your privacy team's review as-is.
Read the DPAService Level Agreement
The availability commitment we make and the service credits that apply when we miss it, defined measurably rather than aspirationally.
Read the SLAAcceptable Use Policy
What we allow on the platform, what we do not, and how enforcement works. Written so your compliance team can quote it directly.
Read the AUPAI Addendum
The terms that govern AI-assisted features: what data they may touch, what they may not, and the commitments that apply. Published before your AI review asks.
Read the AI AddendumThe full legal library
Privacy, cookies, accessibility, trademarks, law-enforcement requests, vulnerability disclosure, and the rest, all in one public index.
Browse duocircle.com/legalPricing is part of trust.
Every product publishes its price on its own site, and the same price applies to every organization. A public company, a funded startup, and a ten-person shop pay the same number for the same thing. Where a discount exists, it is published, not negotiated.
What moves your price
- ✓The service and plan you choose, each published on its product site
- ✓How many domains a service covers, with published multi-domain volume tiers
- ✓Volume, where a service is metered by messages, mailboxes, or users
- ✓Engagement scope for one-time expert services (for example, enforcement to p=quarantine versus p=reject)
- ✓Published programs: MSP and channel partner pricing, and public-sector programs like CIS CyberMarket
What never moves it
- ×The size of your company or the recognizability of your logo
- ×Negotiating stamina: there is no secret price behind the published one
- ×Time of quarter: no end-of-quarter discounts that punish customers who bought in March
- ×Procurement leverage: the ten-person shop and the enterprise see the same list
If a quote ever deviates from a published price, it should be a published program (volume tier, partner, public sector), and you are entitled to ask which one.
When you need the auditor's letterhead, sign once and we will send it.
The Bonterms Mutual NDA is a standardized two-way agreement we publish in advance. Most exchanges complete the same business day. No redlines, no procurement maze, no surprise terms.
| Document |
|---|
| SOC 2 Type II report |
| HECVAT Full |
| Penetration test summary |
| Information security policy pack |
| Custom questionnaire response |
Three steps. One signature. Same business day.
Read the NDA before you ask
We publish the Bonterms Mutual NDA at duocircle.com/legal/mutual-nda. Your legal team can review it on their own time.
Submit the request form
Tell us who you are, the legal entity name, the authorized signer, and which documents you need. The form takes a minute.
Sign and receive
We countersign the NDA and send the documents you asked for. Same business day in most cases, no procurement gauntlet.
If your organization requires its own NDA form, send it. We accept reasonable customer paper without comment in the great majority of cases.
Each product has its own compliance page.
Many enterprise procurement teams need product-specific evidence rather than corporate-level evidence. Each product publishes its own compliance page with the CSA STAR registry entry, supported standards, and the data residency picture for that service.
Ready to move the procurement step into the past?
Tell us what you need. We will turn it around the same business day in most cases.