DuoCircle has been examined under SOC 2 Type II annually since 2022 by an independent CPA firm. We are CSA STAR registered for six product services. Our control environment is documented, audited, and publicly verifiable to the extent appropriate. The full SOC 2 report is available to customers and serious prospects under a Mutual NDA we publish in advance, so the only step between you and the report is a single signature on a form you have already read.
SOC 2 Type II
| Item | Detail |
|---|---|
| Trust Services Criteria | Security, Availability, Confidentiality, Processing Integrity |
| Standard | AICPA SSAE 18 / Trust Services Principles 2017 (TSP section 100A) |
| Type | Type II (operating effectiveness tested over a reporting period) |
| Cadence | Annually since 2022 |
| Auditor | Hancock Askew & Co, LLP |
| Audience | Users with a business need, under Mutual NDA |
Trust Center
Our standard security and compliance documentation is published at trust.duocircle.com, including SOC 2 Type II reports, security policies, and standardized vendor assessment responses. Most enterprise procurement teams find what they need there without having to ask. The SOC 2 Type II report itself is gated behind the Mutual NDA below, which you can read in advance.
How to request the SOC 2 report
- Review the NDA. We publish the Bonterms Mutual NDA at /legal/mutual-nda/ with our cover-page values. Read it before you reach out.
- Email legal@duocircle.com to request the report. Tell us the legal entity name and the email of the authorized signer.
- Sign electronically. Most exchanges complete within one business day.
- Receive the report. Usually the same business day, immediately on receipt of the executed NDA.
No procurement gauntlet, no redline cycles, no two-week back-and-forth. If your organization requires its own NDA form, send it. We accept reasonable customer paper without comment in the great majority of cases.
CSA STAR Registry
Public trust posture, no NDA required. The CSA STAR self-description summarizes our compliance environment without disclosing the SOC 2 report itself. Use it for early-stage diligence.
| Item | Detail |
|---|---|
| Registry entry | cloudsecurityalliance.org/star/registry/duocircle |
| Level | Level 1, CAIQ Lite, subset of CCM v4.1 |
| Services listed | Alumni Forwarding, AutoSPF, DMARC Report, Outbound SMTP, Phishing Protection, Tenant Migration |
| Cadence | Annual self-assessment |
Technical and organizational security measures
The current control set is summarized below and described in full in DPA Schedule 2.
- Encryption in transit using TLS 1.2 or higher for all customer-facing endpoints
- Encryption at rest for databases, object storage, and backups using industry-standard ciphers
- Multi-factor authentication required for all production system access and all administrative interfaces
- Role-based access controls with least-privilege defaults; quarterly access reviews
- Centralized logging, real-time alerting, and 24x7 on-call rotation
- Vulnerability scanning, dependency monitoring, and timely patching
- Independent penetration testing on a regular cadence
- Documented incident response procedures with named breach-notification responsibilities
- Background checks for employees with access to customer data, where permitted by law
- Mandatory annual security training for all personnel
- Vendor security review for any subprocessor with access to customer data
Reporting a vulnerability
If you believe you have found a security issue in any DuoCircle product, email security@duocircle.com. We acknowledge reports within one business day and most often the same day. We do not require a CVE pre-assignment; we just want the details. We do not pursue legal action against good-faith security research that follows responsible disclosure norms (no destructive testing, no exfiltration of customer data, reasonable embargo on public disclosure, and a real way to reach you).
Compliance scope statement
DuoCircle’s services are designed for general commercial email use. We are neither a HIPAA covered entity nor a HIPAA Business Associate by default. We do not currently offer FedRAMP-authorized cloud services. PCI DSS Level 1 cardholder data must not be transmitted in mail bodies through services not specifically provisioned for that data class. Customers with regulatory obligations beyond general commercial use should contact legal@duocircle.com before deployment so we can confirm fit.
Earlier versions
The document previously published as the DuoCircle SOC 2 Reports page is superseded by this Security and Compliance statement.
Questions about this document?
DuoCircle LLC, 5965 Village Way, Suite 105-234, San Diego, CA 92130. Email legal@duocircle.com for legal inquiries, or support@duocircle.com for everything else.