Hello,
Our organization has used the free version for some time and likes the Miro tool; we are undergoing a process so we can get the paid version. We needed a GDPR check done by our Data Protection Officer. He looked at the links to the DPA and GDPR Privacy Policy by Miro and said that Miro was likely compliant, but that we need a Transfer Impact Assessment to finalize the review. Specifically, he said (emphasis mine):
"According to https://help.miro.com/hc/en-us/articles/6491838039570-EU-Data-Center-Residency, all data processed by Miro is stored exclusively on servers in the EU. The main data center is located in Ireland, with a second data center in Frankfurt. However, the following functions may involve data transfers to the USA:
- When personal data is shared in the context of customer support
- If users choose to share data with integrated third-party providers
- Data processed by sub-processors; the sub-processors can be found in the following list (https://miro.com/legal/documents/Miro-Current-Subprocessors-List.pdf)
- Usage data
Miro provides a DPA, which is available at https://miro.com/legal/documents/Miro-Data-Processing-Addendum.pdf.
This incorporates and individualizes the EU standard contractual clauses.
In addition, he refers to a list of TOMs, which can be viewed at https://miro.com/legal/documents/Miro-Security-Policy.pdf.
The agreement meets the requirements of Art. 28 (3) GDPR.
Since personal data may be transferred to countries outside the EU when using Miro, a TIA (Transfer Impact Assessment) must be carried out in accordance with clause 14 of the standard contractual clauses.
This is in order to determine whether the measures taken by Miro ensure an adequate level of data protection.
Only then, in my estimation (DPO), can we conclusively say whether the tool can be used in a privacy-compliant manner."