Table of contents
Table of contents
For the previous version of the Customer Data Processing Addendum click here.
For the previous version of the Customer Data Processing Addendum click here.
For the previous version of the Customer Data Processing Addendum click here.
Effective Date: September 17, 2024
This Customer Data Processing Addendum ("DPA") is entered into between RealtimeBoard, Inc., dba Miro ("Miro" or "data importer") and the entity identified as the Customer ("Customer" or "data exporter") and is appended to either (i) the Miro Master Cloud Agreement or Terms of Service (as applicable); or (ii) other electronic or written agreement incorporating this DPA, governing the Customer's access and use of the Miro platform and related services (the "Agreement"). Capitalized terms used but not defined in this DPA shall take the meanings assigned to such terms in the Agreement.
The parties agree that this DPA shall be incorporated into and form part of the Agreement and subject to the provisions therein.
If Customer makes any deletions or revisions to this DPA, those deletions or revisions are hereby rejected and invalid, unless agreed by Miro. Customer's signatory represents and warrants that they have the authority to bind the Customer to this DPA.
"Applicable Privacy Law(s)" means any data protection and privacy laws and regulations, including Data Protection Law, applicable to Miro’s processing of Customer Personal Data.
"Customer Personal Data" means any Customer Content that is Personal Data and/or Personal Information as defined and protected by Applicable Privacy Law(s).
“Data Privacy Framework” or “DPF” means the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework, and the UK Extension to the EU-US Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce, as may be amended, superseded, or replaced from time to time.
“Data Privacy Framework Principles” or “DPF Principles” means the Data Privacy Framework Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as may be amended, superseded, or replaced from time to time.
"Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Data Protection Act ("Swiss DPA"), and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) (iii) or (iv); in each case as may be amended or superseded from time to time;
"Miro Subsidiary" means any entity that is directly or indirectly controlled by, controlling or under common control with Miro.
"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for Personal Data by the Federal Data Protection and Information Commission or Federal Council (as applicable).
"Standard Contractual Clauses" means: (i) where the EU GDPR or the Swiss DPA applies, the contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (specifically, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses) ("UK SCCs"), as applicable in accordance with Section 8 (Data Transfers).
"Security Incident" means any unauthorized or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Customer Personal Data. A "Security Incident" shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
"Subprocessor" means any Processor engaged by Miro to process Customer Personal Data.
The terms “Business,” "Controller," "data subject." "Personal Data," “Personal Information,” "Processor," "process(ing)," “Sale,” “Sell,” “Service Provider,” and “Share” have the meanings given to them in Applicable Privacy Law(s). If and to the extent that Applicable Privacy Law(s) do not define such terms, then the definitions given in Data Protection Law will apply.
2.1 The parties acknowledge that regarding the processing of Customer Personal Data, Customer shall be the Controller and Miro shall process Customer Personal Data as a Processor on behalf of Customer.
2.2 Miro will process Customer Personal Data only in accordance with Customer's documented instructions and will not process Customer Personal Data for its own purposes, except as set out in the Agreement and this DPA or where required by applicable law(s). The Agreement, including this DPA, along with Customer’s configuration of any settings or options in the Services (as Customer may be able to modify from time to time), constitute Customer’s complete and final instructions to Miro regarding the Processing of Customer Personal Data, including for purposes of the Standard Contractual Clauses, as may be applicable. Additional Processing instructions (if any) require prior written agreement between the parties.
2.3 Each party shall comply with its obligations under Applicable Privacy Law(s) in respect of any Customer Personal Data. Without prejudice to the foregoing, Customer is responsible for determining whether the Services are appropriate for the storage and processing of Customer Personal Data under Applicable Privacy Law(s) and for the accuracy, quality and legality of the Customer Personal Data and the means by which it acquired Customer Personal Data. Customer further agrees that it has provided notice and obtained all consents, permissions and rights necessary for Miro and its Sub-processors to lawfully process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA).
2.4 Miro shall promptly notify Customer if it makes a determination that Customer's instructions infringe Applicable Privacy Law(s) (but without obligation to actively monitor Customer's compliance with Applicable Privacy Law(s) and in such event, Miro shall not be obligated to undertake such Processing until such time as the Customer has updated its processing instructions and Miro has determined that the incidence of non-compliance has been resolved.
2.5 Details of Data Processing:
2.5.1 Subject matter: The subject matter of the data processing under this DPA is the Customer Personal Data.
2.5.2 Duration: As between Customer and Miro, the duration of the processing is the term of the Agreement plus any period after the termination or expiry of the Agreement during which Miro will process Customer Personal Data in accordance with the Agreement.
2.5.3 Purpose: Miro will process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
2.5.4 Nature of the processing: The provision of the Services as described in the Agreement and initiated by the Customer from time to time.
2.5.5 Types of Customer Personal Data: Any Customer Personal Data submitted to the Services under Customer's Miro account.
2.5.6 Categories of data subjects: The data subjects could include Customer's employees, consultants, agents and third parties authorized to access and use the Services as Users under Customer's Miro account and any other data subjects whose Customer Personal Data is submitted to Miro by Customer and/or its Users through the Services.
3.1 Customer grants Miro a general authorization to subcontract the processing of Customer Personal Data to Subprocessors, including those listed at: https://miro.com/static/legal/Miro-Current-Subprocessors-List.pdf (or such other successor URL) ("Subprocessor List").
3.2 If Miro engages a new or replacement Subproccessor, Miro will:
3.2.1 update the Subprocessor List;
3.2.2 impose substantially the same data protection terms on any Subprocessor it engages as contained in this DPA (including data transfer provisions, where applicable); and
3.2.3 remain liable to Customer for any breach of this DPA caused by an act, error or omission of such Subprocessor.
3.3 If Customer elects to be notified at least ten (10) days prior to Miro engaging a new or replacement Subprocessor, Customer must subscribe to such notifications via the customer notification portal here;
3.4 Customer may object to Miro’s appointment of any new or replacement Subprocessor promptly in writing within thirty (30) days after receipt of notice in accordance with (3.2.1) and on reasonable grounds related to Subprocessor's ability to comply with Applicable Privacy Law(s). In such a case, the parties shall discuss Customer´s concerns in good faith with a view to achieving a commercially reasonable resolution. If the parties cannot reach such resolution, Miro shall have the right, at its sole discretion, to either not appoint the disputed Subprocessor, or permit Customer to suspend or terminate the applicable Order and/or the Agreement. These procedures are Customer’s exclusive remedy and Miro’s entire liability for resolving Customer’s objections to Miro’s appointment of Subprocessor’s under this DPA.
4.1 Miro shall reasonably cooperate with Customer to enable Customer to respond to any requests, complaints or other communications from data subjects and regulatory or judicial bodies relating to the processing of Customer Personal Data, including requests from data subjects seeking to exercise their rights under Applicable Privacy Law(s). In the event that any such request, complaint or communication is made directly to Miro, Miro shall, once it has identified the request is from or related to a data subject for whom the Customer is responsible, pass this onto Customer and shall not respond to such communication without Customer's express authorization (unless required to do so in order to comply with applicable law(s)).
4.2 To the extent Miro is required under Applicable Privacy Law(s), Miro will assist Customer to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to data subjects.
4.3 Taking into account the nature of the processing, Customer agrees that it is unlikely that Miro would become aware that Customer Personal Data transferred under the DPF and/or Standard Contractual Clauses, as may be applicable, is inaccurate or outdated. Nonetheless, if Miro becomes aware that Customer Personal Data transferred under the DPF and/or Standard Contractual Clauses, as may be applicable, is inaccurate or outdated, it will inform Customer without undue delay. Miro will reasonably cooperate with Customer to erase or rectify inaccurate or outdated Customer Personal Data transferred hereunder.
5.1 Miro will ensure that any personnel tasked with the processing of Customer Personal Data are subject to an appropriate duty of confidentiality (whether a contractual or statutory duty) and that they process Customer Personal Data only for the purpose of delivering the Services.
5.2 Miro will implement and maintain reasonable and appropriate technical and organizational security measures with the aim of protecting Customer Personal Data from Security Incidents in accordance with the measures listed in Exhibit 2 ("Security Measures"). Customer acknowledges that the Security Measures are subject to technical progress and development and that Miro may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish overall security of the Services.
In the event of a Security Incident, Miro shall inform Customer without undue delay and will provide written details of the Security Incident to Customer, including the type of data affected and the identity of affected person(s), once such information becomes known or available to Miro. Miro shall, to the extent possible, provide timely information and cooperation to Customer to allow Customer to fulfill its data breach reporting obligations under Applicable Privacy Law(s) and shall take reasonable steps to remedy or mitigate the effects of the Security Incident. The obligations herein shall not apply to Security Incidents that are caused by the Customer or its Users.
7.1 Upon request, Miro shall provide copies of any certifications, audit report summaries and/or other relevant documentation it holds, where reasonably required by Customer to verify Miro's compliance with this DPA.
7.2 While it is the parties' intention ordinarily to rely on Miro's obligations set forth in Section 7.1 to verify Miro's compliance with this DPA, following a confirmed Security Incident or where a data protection authority requires it, Customer may provide Miro with thirty (30) days’ prior written notice requesting that a third-party conduct an audit of Miro's operations and facilities ("Audit"); provided that: (i) any Audit shall be conducted at Customer’s expense; (ii) the parties shall mutually agree upon the scope, timing and duration of the Audit; (iii) the Audit shall not unreasonably impact Miro's regular operations.
7.3 Any written responses or Audit described in this Section 7 shall be subject to the confidentiality provisions of the Agreement. The parties agree that any audit provisions described in Clause 8.9 of EU SCCs, where applicable, shall be carried out in accordance with this Section 7 (Security Reports & Instructions).
8.1 Customer Personal Data that Miro processes under the Agreement may be processed in any country in which Miro, its Miro Subsidiaries and Sub-processors maintain facilities to perform the Services, as further detailed in the Subprocessor List. Miro shall not process or transfer Customer Personal Data (nor permit such data to be processed or transferred) outside of EEA, Switzerland or UK, unless it first takes such measures as are necessary to ensure the transfer is in compliance with Data Protection Law.
8.2 The parties agree that the DPF applies with respect to Restricted Transfers of Customer Personal Data to the US from the EEA and/or Switzerland as Miro is certified under the DPF program and complies with the DPF Principles when processing such Customer Personal Data. If Miro’s certification under the DPF is revoked or otherwise invalidated, Miro shall inform Customer where applicable and upon request, take reasonable and appropriate steps to remediate any unauthorized processing by providing an Alternative Transfer Mechanism (such as Standard Contractual Clauses), as outlined in this Section.
8.3 The parties agree that where the DPF does not apply with respect to a Restricted Transfer, the Standard Contractual Clauses are hereby incorporated and will apply, completed with the following modifications as may be applicable:
8.3.1 Where Customer is a Controller of Customer Personal Data protected by the EU GDPR: Module 2 of the EU SCCs applies between Customer as "data exporter" (notwithstanding that the Customer may be an entity located outside the EEA) and Miro as "data importer" on the following basis: (i) in Clause 7, the optional docking clause will apply, (ii) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-Processor changes shall be as set out in this DPA, (iii) in Clause 11, the optional language shall not apply, (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Dutch law, (v) in Clause 18(b), disputes shall be resolved before the courts of the Netherlands, (vi) Annex 1 to the EU SCCs will be deemed to incorporate Exhibit 1 to this DPA and (vii) Annex 2 to the EU SCCs will be deemed to incorporate Exhibit 2 of this DPA.
8.3.2 Where Customer is a Controller of Customer Personal Data protected by the Swiss DPA: Module 2 of the EU SCCs applies between Customer as "data exporter" and Miro as "data importer" on the preceding basis and additionally: (i) in Clause 13 the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commission; (ii) the term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c), (iii) and all references to the EU GDPR in this DPA are also deemed to refer to the Swiss DPA.
8.3.3 Where Customer is a Processor on behalf of a third party Controller of Customer Personal Data protected by the EU GDPR: Module 3 of the EU SCCs applies between Customer as "data exporter" (notwithstanding that Customer or the third party Controller may be an entity located outside the EEA) and Miro as "data importer" on the following basis: (i) in Clause 7, the optional docking clause will apply, (ii) in Clause 9, Option 2 will apply, the time period for prior notice of Sub-Processor changes shall be as set out in this DPA, and Miro shall fulfill its Sub-Processor notification obligations as set out in this DPA; (iii) in Clause 11, the optional language shall not apply, (iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Dutch law, (v) in Clause 18(b), disputes shall be resolved before the courts of the Netherlands, (vi) Annex 1 to the EU SCCs will be deemed to incorporate Exhibit 1 to this DPA and (vii) Annex 2 to the EU SCCs will be deemed to incorporate Exhibit 2 of this DPA.
8.3.4 Where Customer is a Processor on behalf of a third party Controller of Customer Personal Data protected by the Swiss DPA: Module 3 of the EU SCCs applies between Customer as "data exporter" and Miro as "data importer" on the preceding basis and additionally: (i) in Clause 13 the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commission; (ii) the term Member State must not be interpreted in such a way as to exclude data subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c), (iii) and all references to the EU GDPR in this DPA are also deemed to refer to the Swiss DPA.
8.3.5 Where Customer is a Controller or Processor of Customer Personal Data protected by the UK GDPR, the EU SCCs apply, completed with the following modifications, as may be applicable: each party will be deemed to have signed the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under Section 119 A of the United Kingdom Data Protection Act 2018, (ii) the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of Customer Personal Data, (iii) in Table 1 of the UK Addendum, the parties’ contact information is located in Exhibit 1 of this Addendum, (iv) in Table 2 of the UK Addendum, information on the Standard Contractual Clauses, modules and selected clauses is located in Section 8.3 above, (v) Table 3 of the UK Addendum shall be deemed completed with the information set out at Exhibits 1 & 2 of this Addendum, and (vi) in Table 4 of the UK Addendum, either party may end the UK Addendum in accordance with its terms and the respective box for each is deemed checked (“UK SCCs”).
8.4 If Miro adopts an alternative lawful data export mechanism for the transfer of Customer Personal Data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Data Protection Law and extends to the territories to which the relevant Customer Personal Data is transferred).
Upon Customer's request during the Agreement Subscription Term and/or at termination or expiry of this DPA, Miro shall delete or return to Customer all Customer Personal Data in its possession in accordance with Miro’s then-current data deletion timelines and policies, which may be requested by Customer at any time. This requirement shall not apply to the extent that Miro is required by any applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data archived on back-up systems, which data Miro shall isolate and protect from any further processing except to the extent required by such law. The parties agree that confirmation of the deletion of Customer Personal Data shall be provided by Miro to Customer upon Customer's written request.
To the extent that Miro processes Customer Personal Data of Users who are residents of the US state of California, the parties agree as follows:
10.1 Customer is a Business and Miro is a Service Provider. Customer’s transfer of Customer Personal Data to Miro is not a Sale, and Miro provides no monetary or other valuable consideration to Customer in exchange for Customer Personal Data. Miro processes Customer Personal Data solely as a Service Provider on Customer’s behalf for one or more business purposes as described in the Agreement or as otherwise permitted of Service Providers under Applicable Privacy Laws.
10.2 Miro shall not “Sell” or “Share” Customer Personal Data and Miro agrees to comply with all applicable requirements of the CCPA as modified by the CPRA, and if and to the extent agreed between Customer and Miro in writing as set forth in this DPA.
10.3 As applicable to the Services, Miro shall reasonably assist Customer in responding (at Customer’s expense) to any request from a data subject (including “verifiable consumer requests”, as such term is defined in the CCPA), relating to the processing of Customer Personal Data under the Agreement.
11.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between any provision in this DPA and any provision in the Agreement, this DPA prevails. With effect from the effective date, this DPA is part of, and incorporated into the Agreement.
11.2 In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority.
11.3 Any claim or remedy Customer may have against Miro, its employees, agents and Subprocessors, arising under or in connection with this DPA, whether in contract, tort (including negligence) or under any other theory of liability, shall to the maximum extent permitted by law be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a party means the aggregate liability of that party under and in connection with the Agreement and this DPA together.
11.4 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Privacy Law(s).
11.5 If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
A. LIST OF PARTIES
Data exporter(s):
Name: The entity identified as the "Customer" in the DPA.
Address: The address for the Customer associated with its Miro account or otherwise specified in the DPA or this Agreement.
Contact person’s name, position and contact details: The contact details associated with Customer's account, or otherwise specified in this DPA or the Agreement.
Activities relevant to the data transferred under these Clauses: The activities specified in Exhibit 1(B) of the DPA
Signature and date: See execution block in the DPA to which these Clauses are appended.
Role (controller/processor): Controller
Data importer(s):
Name: RealtimeBoard, Inc. dba Miro (“Miro”)
Address: 201 Spear Street, Suite 1100, San Francisco, CA 94105
Contact person’s name, position and contact details: privacy(a)miro.com
Activities relevant to the data transferred under these Clauses: The activities specified in Exhibit 1(B) of the DPA
Signature and date: See execution block in the DPA to which these Clauses are appended.
Role (controller/processor): Processor
В. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: The categories of data subjects are described in Section 2.5 (Details of Processing) of the DPA.
Categories of personal data transferred: The personal data is described in Section 2.5 (Details of Processing) of the DPA.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: N/A. The data exporter is prohibited from submitting special categories of data to the Services.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis depending on the use of the Services by data exporter.
Nature of the processing: The nature of the processing is described in Section 2.5 (Details of Processing) of the DPA.
Purpose(s) of the data transfer and further processing: The processing purposes are described in Section 2.5 (Details of Processing) of the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The data exporter determines the duration of processing in accordance with the terms of the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: The subject matter, nature and duration of the processing are described in Section 2.5 (Details of Processing) of the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
The Customer's competent supervisory authority will be determined in accordance with the Data Protection Law.
TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
Miro uses reasonable technical and organizational measures designed to protect the Service and Customer Content as described in the Security Policy.
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:
The technical and organizational measures taken by the data importer to assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 are set out in Section 4 (Cooperation) of the DPA.