Data Processing Addendum and Subprocessor Disclosure

What it is

How Miro handles personal data on behalf of business customers is governed by a separate Data Processing Addendum, and Miro discloses the third parties it uses to process data in a separate subprocessors list that can change over time.

Why it matters (compliance & governance perspective)

For business customers under GDPR or other data protection laws, the DPA is the operative legal instrument defining Miro's obligations as a data processor, and the subprocessors list determines which third parties may access the personal data you upload to Miro.

Consumer impact (what this means for users)

If your organization is subject to GDPR, CCPA, or similar data protection law, Miro's Data Processing Addendum governs its obligations as a processor of your customers' and employees' personal data, and changes to the subprocessors list may affect whether your data transfer and vendor management obligations remain satisfied.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: The Customer Data Processing Addendum is the primary instrument for GDPR Article 28 compliance in Miro's B2B relationships. Organizations acting as controllers must ensure the DPA contains all required GDPR provisions, including subject matter and duration of processing, nature and purpose of processing, type of personal data and categories of data subjects, and obligations and rights of the controller. The CCPA's service provider regime similarly requires a written contract limiting the service provider's use of personal information. GOVERNANCE EXPOSURE: High for enterprise customers in GDPR or CCPA-regulated contexts. The adequacy of the DPA and the currency of the subprocessors list are ongoing compliance obligations, not one-time reviews. Changes to the subprocessors list may require controller notification to data subjects or impact transfer mechanism adequacy assessments. JURISDICTION FLAGS: EU/EEA organizations face the highest exposure, as GDPR imposes strict requirements on controller-processor agreements and international data transfers. Organizations transferring personal data to Miro from the EU must confirm that appropriate Standard Contractual Clauses or equivalent transfer mechanisms are in place. UK organizations must comply with UK GDPR and the UK's international transfer framework. CONTRACT AND VENDOR IMPLICATIONS: Legal and procurement teams should execute the Customer Data Processing Addendum as a standalone agreement (if not already incorporated automatically), review the subprocessors list against their own vendor management requirements, and implement a process to receive and assess Miro's advance notice of subprocessor changes as required by GDPR Article 28. COMPLIANCE CONSIDERATIONS: Organizations should conduct a Transfer Impact Assessment for data transfers to Miro if required by their jurisdiction. The DPA should be reviewed annually or upon material changes to Miro's data processing practices. Data subject rights requests relating to personal data processed by Miro should be assessed in the context of the DPA's provisions on controller instructions.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Content License Grant medium
• AI Features Addendum Incorporation medium
• Account Suspension and Termination medium
• Multi-Document Agreement Structure (Incorporation by Reference) medium
• Governing Law and Dispute Resolution high
• Limitation of Liability medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.