The terms reference a Customer Data Processing Addendum (CDPA), accessible at miro.com/legal/customer-data-processing-addendum/, which governs Miro's processing of personal data on behalf of customers, particularly relevant for GDPR Article 28 compliance.
This analysis describes what Miro's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The CDPA establishes Miro's obligations as a data processor under GDPR and similar frameworks, defining the legal basis and conditions under which customer personal data is processed. Enterprise customers are required to assess the CDPA to satisfy their own controller-level compliance obligations.
Interpretive note: The CDPA is referenced by the Terms of Service but its substantive provisions are contained in a separate document; compliance implications depend on the CDPA's specific content.
The agreement incorporates a separate Customer Data Processing Addendum that governs how personal data processed through Miro boards and services is handled under data protection law. Business customers acting as data controllers under GDPR should review the CDPA in conjunction with the Subprocessors List.
Monitoring
Miro has changed this document before.
(1) REGULATORY LANDSCAPE: The CDPA directly implicates GDPR Article 28, which requires a written contract between controllers and processors. CCPA service provider obligations are also relevant for California-based business customers. The CDPA's provisions on international data transfers may engage GDPR Chapter V requirements and applicable Standard Contractual Clauses.

(2) GOVERNANCE EXPOSURE: High for enterprise customers in EU/EEA jurisdictions. The CDPA determines whether Miro's processing activities satisfy controller obligations, and any gaps in its coverage could create regulatory exposure for customer organizations.

(3) JURISDICTION FLAGS: EU/EEA customers face the highest exposure; UK GDPR applies post-Brexit for UK customers; Swiss data protection law (nDSG) is relevant for Swiss operations. US healthcare and financial services customers should assess whether CDPA terms satisfy HIPAA Business Associate Agreement requirements or equivalent.

(4) CONTRACT AND VENDOR IMPLICATIONS: The CDPA is a standard procurement requirement for enterprise SaaS; legal teams should confirm it includes audit rights, breach notification timelines, subprocessor change notification procedures, and data deletion obligations. The published Subprocessors List should be reviewed as part of vendor due diligence.

(5) COMPLIANCE CONSIDERATIONS: Controllers should map all personal data categories processed through Miro and confirm the CDPA covers those categories. Transfer impact assessments may be required for international data transfers to Miro's subprocessors. Annual review of the Subprocessors List is advisable given permitted subprocessor changes.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Miro.