---
title: "DuoCircle Trust Center"
description: "DuoCircle invests in keeping a SOC 2 Type II in good standing year after year. Request our security and compliance documents under a Bonterms Mutual NDA, no procurement gauntlet."
image: "https://trust.duocircle.com/og-default.png"
canonical: "https://trust.duocircle.com/"
---

SOC 2 Type II since 2022 

# Security and compliance evidence, on request, without the procurement gauntlet.

DuoCircle invests real time and money in keeping a SOC 2 Type II in good standing year after year, an annual CSA STAR self-assessment for the products that need it, and a current HECVAT for higher education. Your organization may need more, less, or different evidence than that. Whatever you need, here is where to get it.

[Request documents](/request/) [Read security overview](/security/)

- Bonterms Mutual NDA, published before you ask
- Same-day turnaround in most cases
- Annual penetration testing, summary available

- SOC 2 Type II: Since 2022. Annual examination, all four trust criteria.
- CSA STAR: 6 services. Level 1 self-assessment, public registry.
- Customers since: 2014. Over 50,000 organizations to date.
- From request to report: One signature. No redlines, no procurement maze.

Why this page exists 

## We do the work, so your team does not have to repeat it.

Maintaining a SOC 2 Type II in good standing is not a checkbox. It is an annual examination by an independent CPA firm, a control environment our security team runs every day of the year, and a set of policies we keep current and tested. We invest in it because we believe security work should be visible, audited, and reusable, not reinvented for every new vendor questionnaire.

Your organization may need more than that, or less, or something different. Higher education sees HECVAT. Public sector sees CJIS or StateRAMP. Healthcare sees HIPAA. Financial services sees PCI or NYDFS 500. Most of these standards overlap with the SOC 2 control set we already operate. We can usually map our existing evidence to whatever framework you have to file against, instead of asking your team to start from a blank questionnaire.

On this page you will find what we publish openly, what we share under a standardized NDA you can read in advance, and how to ask for the rest.

Public, no NDA 

## Start here. No signature required.

The fastest way through early-stage diligence is the evidence we publish openly. Most procurement teams find what they need below before they ever email us.

### CSA STAR Registry

Level 1 self-assessment (CAIQ Lite, subset of CCM v4.1) for six services in the Cloud Security Alliance public registry. Renewed annually. Read it before you reach out.

[See per-product STAR entries](/compliance/)

### Subprocessor list

Every third-party vendor that processes personal data on our behalf, mandatory and optional, with role and headquarters. Customers receive thirty days' notice before any change.

[View subprocessors](https://www.duocircle.com/legal/subprocessors/)

### Bonterms Mutual NDA

We use the standardized Bonterms Mutual NDA, published openly so your legal team can review it before any conversation begins. Read once, sign anywhere.

[Review the NDA](https://www.duocircle.com/legal/mutual-nda/)

### Security overview

Encryption, access control, monitoring, vendor management, and incident response, written for humans rather than auditors. The plain-English version of our security posture.

[Read security overview](/security/)

### Policy catalog

The titles, owners, and review cadence of every policy in our information security program. Catalog public, contents under NDA. Use it to scope your questionnaire.

[See the catalog](/policies/)

### Responsible disclosure

How to report a security issue, our acknowledgment commitment, scope, and the safe harbor we extend to good-faith research that follows responsible disclosure norms.

[Reporting policy](/responsible-disclosure/)

### Open-source notices

Third-party open-source components in our installable email-security products for HCL Notes and Domino. Verbatim mirror of the THIRD-PARTY-NOTICES.txt shipped in the installer.

[View notices](/open-source/)

Under NDA 

## When you need the auditor's letterhead, sign once and we will send it.

The Bonterms Mutual NDA is a standardized two-way agreement we publish in advance. Most exchanges complete the same business day. No redlines, no procurement maze, no surprise terms.

| Document                         | What it is                                                                                                       | Cadence            |
| -------------------------------- | ---------------------------------------------------------------------------------------------------------------- | ------------------ |
| SOC 2 Type II report             | Independent CPA examination, all four Trust Services Criteria. Hancock Askew & Co, LLP.                          | Annual, since 2022 |
| HECVAT Full                      | Higher Education Community Vendor Assessment Toolkit, current version. For colleges and universities.            | Reviewed annually  |
| Penetration test summary         | Executive summary from our annual third-party pen test, methodology, scope, and remediation status.              | Annual             |
| Information security policy pack | Our written policies covering access control, change management, incident response, vendor management, and more. | Reviewed annually  |
| Custom questionnaire response    | If your standard form is not on this list, send it. We map answers from existing evidence where possible.        | On request         |

[Request documents](/request/) [See compliance program](/compliance/) 

How it works 

## Three steps. One signature. Same business day.

### 1. Read the NDA before you ask

We publish the Bonterms Mutual NDA at duocircle.com/legal/mutual-nda. Your legal team can review it on their own time.

### 2. Submit the request form

Tell us who you are, the legal entity name, the authorized signer, and which documents you need. The form takes a minute.

### 3. Sign and receive

We countersign the NDA and send the documents you asked for. Same business day in most cases, no procurement gauntlet.

If your organization requires its own NDA form, send it. We accept reasonable customer paper without comment in the great majority of cases.

Per-product compliance pages 

## Each product has its own compliance page.

Many enterprise procurement teams need product-specific evidence rather than corporate-level evidence. Each product publishes its own compliance page with the CSA STAR registry entry, supported standards, and the data residency picture for that service.

- [AutoSPF](https://autospf.com/compliance/)
- [DMARC Report](https://dmarcreport.com/compliance/)
- [Phishing Protection](https://phishprotection.com/compliance/)
- [Outbound SMTP](https://outboundsmtp.com/compliance/)
- [Tenant Migration](https://tenantmigration.com/compliance/)
- [Alumni Forwarding](https://alumniforwarding.com/compliance/)
- [Mail Flow Monitoring](https://mailflowmonitoring.com/compliance/)
- [NuReply](https://nureply.com/compliance/)
- [InboxIssue](https://inboxissue.com/compliance/)

## Ready to move the procurement step into the past?

Tell us what you need. We will turn it around the same business day in most cases.

[Request documents](/request/) [Email support@duocircle.com](mailto:support@duocircle.com)

