Security Overview
How DuoCircle protects customer data. Written in plain English so a procurement reviewer, a CISO, and a developer can all use the same page. Reviewed 2026-05-06.
DuoCircle has been examined under SOC 2 Type II annually since 2022. The control set summarized below is described in full in the SOC 2 report and in the DPA Schedule 2 we publish at duocircle.com/legal/dpa. The SOC 2 report itself is available under a Bonterms Mutual NDA you can read in advance.
Trust framework at a glance
- SOC 2 Type II, Trust Services Criteria for Security, Availability, Confidentiality, and Processing Integrity. Annual since 2022.
- CSA STAR Level 1, public registry, six services.
- HECVAT Full, current version, available on request for higher education.
- Bonterms Mutual NDA, published in advance for SOC 2 and pen test summary requests.
- Annual penetration test, third-party, results summarized for customers under NDA.
Encryption
All customer-facing endpoints require TLS 1.2 or higher with current cipher suites. We disable legacy protocols on production load balancers as soon as our customer base allows. Customer data at rest is encrypted using industry-standard ciphers in our managed databases, object storage, and backup snapshots. Encryption keys are managed by our cloud provider's key management service with separation of duties between key administration and data access.
Access control
Production access uses single sign-on with multi-factor authentication required for every session, every administrator, no exceptions. Access is granted by role with least-privilege defaults and reviewed quarterly. Personnel transferring teams or leaving the company have access revoked the same business day. Customer data is segregated by tenant, and our application stack enforces tenant boundaries at the data layer rather than relying on application code alone.
Monitoring and logging
Production systems emit structured logs to a centralized log store. Real-time alerts cover authentication anomalies, privilege escalations, configuration drift, and abnormal traffic patterns. We operate a 24x7 on-call rotation with documented severity definitions and escalation paths. Logs are retained per the schedule published in our DPA.
Vulnerability management
- Continuous dependency monitoring for published CVEs in our application stack.
- Container image scanning at build time, blocking high-severity vulnerabilities before deployment.
- Annual third-party penetration testing with documented remediation tracking.
- Internal patching SLAs aligned to severity, with critical issues triaged within hours.
Secure development
Code changes go through peer review before merge. Production deployment requires CI passage, including unit tests, integration tests, and security checks. Secrets are managed through our cloud provider's secret manager and never committed to source control. Pre-commit hooks and CI scanning are configured to catch accidental secret commits.
Vendor management
Every subprocessor with access to personal data goes through a security and privacy review before approval. The review covers SOC 2 or equivalent attestation, data residency, encryption posture, breach notification commitments, subprocessor chain, and exit terms. We do not approve a vendor that cannot meet our minimum bar, even if it offers a feature we want. The current subprocessor list is at duocircle.com/legal/subprocessors. Customers receive thirty days' notice before any change.
Incident response
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Severity is classified as Critical, High, Medium, or Low. We commit to notify affected customers of Critical or High severity incidents within 48 hours of confirmation, with subsequent updates as new information becomes available. Incident notification is by email to the technical contact on file, with a public status update at status.duocircle.com.
Business continuity and disaster recovery
Our production infrastructure is hosted across multiple availability zones in our primary cloud regions. Critical workloads have documented Recovery Time Objectives and Recovery Point Objectives that we test on a regular cadence. Backups are encrypted, geographically separated from primary storage, and retained per the schedule in our DPA. The Cloud Terms publish three SLA tiers: Standard 99.0%, Premium 99.5%, and Enterprise 99.9%, the last available on a signed Order.
Personnel
- Background checks for employees with access to customer data, where permitted by law.
- Confidentiality obligations as part of employment agreements.
- Mandatory annual security and privacy training, with role-specific training for engineering and customer-facing teams.
- Documented onboarding and offboarding processes that gate access provisioning and revocation.
Physical security
DuoCircle does not operate its own data centers. Physical security is delegated to our cloud and colocation providers, all of whom are independently certified to SOC 2, ISO 27001, or equivalent. Our team works remotely with secured corporate devices, full-disk encryption, MDM enrollment, and remote-wipe capability.
Privacy and data protection
Our Data Protection Addendum at duocircle.com/legal/dpa codifies our GDPR and CCPA commitments. We act as a processor for customer data and as a controller only for limited business contact information our customers provide for account administration. Cross-border transfers are governed by the Standard Contractual Clauses incorporated into the DPA.
Compliance scope statement
DuoCircle's services are designed for general commercial email use. We are neither a HIPAA covered entity nor a HIPAA Business Associate by default. We do not currently offer FedRAMP-authorized cloud services. PCI DSS Level 1 cardholder data must not be transmitted in mail bodies through services not specifically provisioned for that data class. Customers with regulatory obligations beyond general commercial use should contact support@duocircle.com before deployment so we can confirm fit.
How to ask us about a control
If your security questionnaire asks about a specific control that is not addressed above, the fastest path is the document request form. Tell us the framework you are mapping to and the controls you need answered. We respond within one business day and most often the same day, with our existing evidence mapped to your form.