This Data Processing Agreement ("DPA") forms part of the Master Subscription Agreement between Mira Labs, Inc. ("Mira," "Processor") and the entity using the Service ("Customer," "Controller").
1 · Parties
Processor: Mira Labs, Inc., 568 Bergen Street, Brooklyn NY 11217, USA. Data Protection Officer: Karim Aleem · privacy@sibuor.com. EU Representative: Mira Europe Lda, R. da Boavista 41, 1200-066 Lisbon, Portugal.
Controller: The Customer entity, as identified during account registration. Customer is deemed to enter this DPA on behalf of itself and its Affiliates.
2 · Definitions
Capitalised terms have the meanings given in the GDPR, UK GDPR, or applicable Data Protection Law. "Customer Data" means any Personal Data Mira processes on Customer's behalf. "Subprocessor" means any third party engaged by Mira to process Customer Data. "TOMs" are the Technical and Organisational Measures described in Section 7.
3 · Subject matter & duration
The subject matter is the provision of the Mira Service. The duration is the term of the Agreement. The nature and purpose of the processing are to enable the Service: ingesting, storing, classifying, and replying to messages on Customer's behalf, and producing audits and analytics for Customer. The types of Personal Data are (a) Customer identifiers, (b) end-user identifiers and communications content, (c) operational metadata. Categories of data subjects: Customer's employees, contractors, and end-users.
4 · Processor obligations
- Process Customer Data only on documented instructions from Controller (the Agreement and Customer's in-product configurations constitute such instructions).
- Ensure persons authorised to process Customer Data are under written confidentiality obligations.
- Implement the TOMs in Section 7.
- Assist Controller in responding to data-subject requests within the statutory timeframes.
- Cooperate with supervisory authorities on request.
- Not use Customer Data to train, fine-tune, or otherwise improve any model accessible to any party other than Controller.
5 · Subprocessors
Customer authorises Mira to engage the following Subprocessors as of the Effective Date. Mira shall provide not less than 30 days' prior notice of any addition or replacement. Customer may object in writing within that window; if objection is sustained, the parties shall negotiate in good faith, failing which Customer may terminate the affected Service.
| Subprocessor | Service provided | Categories of data | Location |
|---|---|---|---|
| Amazon Web Services, Inc. | Hosting, storage, KMS, monitoring | All Customer Data | US-east-1 · EU-west-1 |
| Stripe, Inc. | Payments & Stripe Connect deposit links | Customer billing & end-user payment metadata | US · IE |
| OpenAI OpCo, LLC | LLM inference (no training on API data; ≤30-day retention for abuse review) | Message content, in transit only | US |
| Postmark · ActiveCampaign LLC | Transactional email delivery | Customer & end-user emails | US |
| Plain Systems Limited | Customer support inbox & tickets | Customer identifiers & support content | UK · DE |
| Twilio Inc. | SMS/iMessage delivery | Phone numbers, message content | US · IE |
| Cloudflare, Inc. | CDN, WAF, DDoS protection | Connection metadata only | Global edge |
Subprocessor list as of 14 Jan 2026 · v2.4.
6 · Assisting with data subject rights
Mira shall provide reasonable assistance to Controller in fulfilling Customer's obligations under Articles 12 to 22 GDPR (access, rectification, erasure, restriction, portability, objection). In-product tools enable Controller to action most requests without Mira involvement. Where escalation is required, Mira responds inside ten (10) business days.
7 · Security measures (Technical & Organisational Measures)
- Encryption. TLS 1.3 in transit; AES-256-GCM at rest; per-tenant data keys wrapped by AWS KMS CMKs.
- Access control. SSO + hardware MFA for staff; least-privilege roles; JIT production access with second-engineer approval and 4-hour expiry.
- Network. VPC isolation per environment; zero-trust mesh; private endpoints for all subprocessor egress where supported.
- Logging & monitoring. Immutable audit log of all production access; 24/7 on-call with human triage in < 5 minutes.
- Resilience. Multi-AZ Postgres, 35-day PITR, 90-day encrypted snapshots in a second region.
- Personnel. Background checks, annual security training, signed confidentiality + IP assignment.
- Disposal. Cryptographic erasure on key revocation; full backup purge within 90 days of account deletion.
- Certifications. SOC 2 Type II, ISO 27001:2022, PCI DSS SAQ-A. See the Security page for current attestations.
8 · International transfers
Where Customer Data is transferred from the EEA, UK, or Switzerland to a third country not deemed adequate, transfers are made pursuant to: (a) the EU Standard Contractual Clauses (Module 2: Controller to Processor) adopted by Commission Decision (EU) 2021/914, with Module 3 substituted where Mira engages a Subprocessor; (b) the UK International Data Transfer Addendum (UK IDTA) v2022; (c) the Swiss FDPIC clauses by reference. Customer may elect EU-only data residency in Settings → Privacy.
9 · Personal data breach notification
Mira shall notify Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach involving Customer Data, providing: (a) a description of the nature of the breach; (b) categories and approximate number of data subjects and records affected; (c) likely consequences; (d) measures taken or proposed. Notification is delivered to the email address on file plus the in-product banner.
10 · Audits
Mira makes available all information necessary to demonstrate compliance, including the most recent SOC 2 Type II and ISO 27001 reports (NDA-bound, available via the Trust portal). Once per twelve (12) months, Customer may request an audit with thirty (30) days' notice, at Customer's expense, of areas not covered by the existing reports. Audits shall not unreasonably interfere with Mira's operations.
11 · Termination & return / deletion
On termination of the Agreement, Customer may export all Customer Data via the in-product tools for thirty (30) days. Mira shall thereafter delete all Customer Data, including from backups (subject to the 90-day backup purge cycle), and provide written certification on request.