Enterprise and business customers may have additional data protection rights and obligations governed by a separate Customer Data Processing Addendum (DPA), which operates alongside but may supersede certain provisions of the standard Privacy Policy.
This analysis describes what Miro's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The existence of a separate DPA means that individual and free-tier users may have fewer contractual data protections than enterprise customers who have negotiated or accepted a formal DPA.
Interpretive note: The specific provisions of the DPA are not reproduced in the truncated document; analysis is based on the document's reference to a separate Customer Data Processing Addendum.
Removal of dedicated DPA provision may indicate integration into general terms or shift away from standalone data processing agreements for enterprise customers.
View full change record →If you use Miro through a business or enterprise account, your data protections may be determined by the DPA your employer has agreed to, not the public Privacy Policy alone. Individual users on free plans rely primarily on the standard Privacy Policy without the enhanced protections a DPA may provide.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Miro has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
(1) REGULATORY LANDSCAPE: The DPA structure is designed to satisfy GDPR Article 28 requirements for controller-processor agreements, and equivalent requirements under UK GDPR and CCPA for service provider designations. The adequacy of the DPA for cross-border data transfers (including Standard Contractual Clauses) requires separate verification. (2) GOVERNANCE EXPOSURE: Medium. The layered structure of Privacy Policy plus DPA plus AI Addendum creates compliance complexity. Organizations must verify that all three instruments are aligned and that the DPA adequately covers all processing activities, including those enabled by AI features. (3) JURISDICTION FLAGS: EU and EEA customers face the highest exposure to DPA inadequacy, particularly around international data transfer mechanisms. UK organizations must confirm UK GDPR-compliant transfer mechanisms are in place post-Brexit. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request and review the current DPA before onboarding Miro, confirm that the Subprocessors List is incorporated by reference, and establish a notification mechanism for subprocessor changes. The DPA may include audit rights that should be operationalized within vendor management programs. (5) COMPLIANCE CONSIDERATIONS: Organizations should confirm whether the DPA has been countersigned or whether acceptance occurs through online click-through, as the mechanism affects enforceability in some jurisdictions. Data mapping should reflect the DPA's processing activities and retention schedules.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The existence of a separate DPA means that individual and free-tier users may have fewer contractual data protections than enterprise customers who have negotiated or accepted a formal DPA.
If you use Miro through a business or enterprise account, your data protections may be determined by the DPA your employer has agreed to, not the public Privacy Policy alone. Individual users on free plans rely primarily on the standard Privacy Policy without the enhanced protections a DPA may provide.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Miro.