The policy distinguishes between Miro's role as a data controller for account, registration, and usage data, and its role as a data processor for content uploaded by enterprise customers to boards, with the latter governed by the Customer Data Processing Addendum.
This analysis describes what Miro's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes two distinct legal frameworks governing different categories of data, requiring enterprise customers to manage compliance obligations under both the privacy policy (for controller-level data) and the DPA (for processor-level board content).
Interpretive note: The precise language defining the controller/processor boundary was not available in the truncated document; this provision reflects Miro's known dual-role structure as described in its published legal framework.
New high-severity provision clarifies Miro's dual role as both data controller and processor in different contexts, affecting user rights and liability allocation.
View full change record →Under this framework, individual users are subject to the privacy policy for account and usage data, while enterprise customers' board content is governed by a separate DPA; the practical scope of each framework depends on how data is classified and how the DPA is executed.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
Miro has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
1) REGULATORY LANDSCAPE: The controller/processor distinction is foundational to GDPR compliance (Articles 4, 24, 28) and is similarly recognized under UK GDPR. Misclassification of processing roles creates direct regulatory exposure under both frameworks. The relevant supervisory authorities are EU national data protection authorities and the UK ICO. 2) GOVERNANCE EXPOSURE: High for enterprise customers. The policy's assertion that Miro acts as processor only for board content means that account-level and usage-level data flowing to advertising and analytics partners occurs under Miro's controller authority, outside the enterprise DPA. Organizations must assess whether this dual structure is disclosed in their own employee privacy notices and whether it is consistent with their internal data governance policies. 3) JURISDICTION FLAGS: EU and UK enterprise customers face the highest exposure, as GDPR Article 28 requires a written DPA for all processor relationships. The adequacy of Miro's standard DPA for EU/UK compliance should be reviewed by data protection officers. California enterprise customers should assess whether controller-level data sharing by Miro triggers any obligations under CPRA. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement and legal teams should ensure the Customer Data Processing Addendum is executed, review its scope to confirm it covers all board content categories, and assess whether the subprocessors list is current. The DPA's scope should be compared against the privacy policy to identify any data categories that fall outside processor coverage. 5) COMPLIANCE CONSIDERATIONS: Data protection officers should map data flows to confirm which categories fall under controller versus processor treatment, update records of processing activities accordingly, and verify that DPA terms satisfy Article 28 requirements including sub-processor notification obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes two distinct legal frameworks governing different categories of data, requiring enterprise customers to manage compliance obligations under both the privacy policy (for controller-level data) and the DPA (for processor-level board content).
Under this framework, individual users are subject to the privacy policy for account and usage data, while enterprise customers' board content is governed by a separate DPA; the practical scope of each framework depends on how data is classified and how the DPA is executed.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Miro.