Data Processing Addendum

Last updated: May 19, 2026 · Version 1.0

Non-negotiable DPA. As a small organization without dedicated legal staff, Mirvo cannot accept customer-modified versions of this DPA. The provisions herein incorporate standard contractual terms approved by the European Commission and are the same for all subscribers.

Preamble

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between the User (“Data Controller”) and Mirvo ([Mirvo SAS — corporate entity to be incorporated, Address TBD, France]) (“Data Processor”).

This DPA applies when the User is established in the EU/EEA, UK, or Switzerland, or when they process personal data of data subjects in those territories — which is the case for any User conducting GDPR-regulated outbound campaigns.

By agreeing to the Terms of Service, you also agree to this DPA where applicable.

1. Definitions

Data Controller: The entity (User/Subscriber) that determines the purposes and means of processing personal data.
Data Processor: Mirvo, processing personal data on behalf of the Data Controller.
Sub-processor: A third party engaged by Mirvo to process personal data in connection with the Service.
Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to personal data.
SCCs: Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
DPF: EU-US Data Privacy Framework, recognized as adequate under GDPR for transfers to participating US organizations.

2. Roles and responsibilities

  • User = Data Controller for the prospect contact data imported into Mirvo. The User determines who to contact, for what purpose, and is responsible for having a valid legal basis (e.g., legitimate interest for B2B outbound).
  • Mirvo = Data Processor for that contact data. Mirvo processes it only to deliver the Service — email generation, campaign management, deliverability monitoring — and for no other purpose.
  • Mirvo = Data Controller for subscriber account data (name, email, billing information) — governed by the Privacy Policy.

3. Processing description

In accordance with GDPR Article 28(3), the following describes the processing carried out by Mirvo on behalf of the User:

Subject matter

Provision of B2B outbound email infrastructure and AI-assisted campaign tooling.

Duration

The Subscription period plus applicable retention periods as defined in the Privacy Policy.

Nature of processing

Storage, retrieval, transmission, AI-assisted email draft generation, reply sentiment analysis, and deliverability monitoring.

Categories of data subjects

B2B professionals imported by the User as prospects (decision-makers, potential buyers, business contacts).

Categories of personal data

Business contact data (email address, name, job title, company name, LinkedIn URL), behavioral signals (email opens, clicks, reply detection), and email content (sent and received campaign emails).

4. Sub-processors

Mirvo engages the following sub-processors to deliver the Service. By agreeing to these Terms, you grant general authorization for Mirvo to engage sub-processors, subject to the notification obligations below.

Sub-processor | Service description | Location | Transfer mechanism
Vercel Inc. | Hosting, frontend serving, CDN | USA (EU edge available) | EU-US DPF + SCCs
Supabase Inc. | Database (Postgres), authentication, storage | EU (Frankfurt) | N/A — EU-resident
Stripe Inc. | Payment processing | USA | EU-US DPF + SCCs
Resend Inc. | Transactional email delivery | USA | EU-US DPF + SCCs
Anthropic PBC | AI-powered email generation, sentiment analysis | USA | EU-US DPF + SCCs
Instantly.ai (Foo Monk LLC) | Outbound email infrastructure | USA | EU-US DPF + SCCs
Clay Labs Inc. | Prospect data enrichment | USA | EU-US DPF + SCCs
PostHog Inc. | Product analytics, session replay (EU project) | EU (Frankfurt) | N/A — EU-resident

Mirvo will notify Users by email at least 30 days before adding a new sub-processor. Users may object within that period. If the objection cannot be resolved, the User may terminate the Subscription with a pro-rata refund of unused portions.

Mirvo remains liable for the acts and omissions of all sub-processors as if they were Mirvo's own.

5. Security measures

Mirvo implements the following technical and organizational security measures in accordance with GDPR Article 32:

  • Encryption in transit using TLS 1.3; encryption at rest using AES-256
  • Row-Level Security (RLS) enforced at the database level for complete multi-tenant isolation
  • Hardened HTTP security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy)
  • Automated security review integrated into the development pipeline (per-PR)
  • Access controls with role-based permissions; admin access requires separate authentication
  • Audit logging for administrative actions

A full description is available on our Security page.

6. Data subject rights assistance

Mirvo will assist the User in responding to data subject requests (access, erasure, portability, objection) insofar as the relevant data is within Mirvo's systems and technically accessible.

The User, as Data Controller, is responsible for verifying the identity of the requesting data subject and for assessing the legitimacy of each request before acting on it.

7. Personal data breach notification

  • Mirvo will notify the affected User within 48 hours of becoming aware of a Personal Data Breach involving that User's data.
  • The notification will include: the nature of the breach, the categories and approximate number of affected data subjects, the likely consequences, and the measures taken or proposed to address the breach.
  • The User retains the obligation to notify the relevant supervisory authority (e.g., CNIL) within 72 hours of becoming aware of a notifiable breach, per GDPR Article 33.

8. International transfers

For transfers of personal data from the EU/EEA/UK to third countries (primarily the USA), Mirvo applies Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor), as the primary transfer mechanism.

The full text of the SCCs is available at: eur-lex.europa.eu/eli/dec_impl/2021/914

For sub-processors participating in the EU-US Data Privacy Framework (DPF), transfers to those sub-processors rely on the DPF adequacy decision in addition to SCCs. Mirvo conducts Transfer Impact Assessments for all US-based sub-processors and applies supplementary measures including data minimization, contractual safeguards, and access logging.

Sub-processors located in the EU (Supabase — Frankfurt; PostHog — EU project) do not involve cross-border transfers of personal data.

9. Audit rights

Mirvo makes available the information necessary to demonstrate compliance with GDPR Article 28, including this DPA, relevant certifications, and security documentation.

Users may request an information-based audit no more than once per calendar year (unless mandated by a regulatory authority). Requests require 30 days' advance notice and are subject to confidentiality obligations. Mirvo may decline on-site audits and instead provide documented evidence of compliance.

10. Termination of DPA

This DPA remains in effect for the duration of the Subscription. Upon termination of the Subscription, Mirvo will, at the User's election, either return or permanently delete all User personal data within 30 days — unless retention is required by applicable law.

Database backups containing User data will be purged within 7 days following the standard backup rotation schedule. Payment records may be retained for up to 10 years as required by French accounting law.

11. Contact

DPA-related inquiries: privacy@mirvo.ai
Postal: [Mirvo SAS, Address TBD, France]