Data Processing Addendum
Version 1.0 -- Effective 2026-04-28
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement, Terms of Service, or other written or electronic agreement between MIRegistry, L.L.C. ("MIR", "Processor") and the customer entity using MIR's services ("Customer", "Controller") (the "Agreement"). It governs MIR's processing of Personal Data on Customer's behalf and reflects the parties' obligations under Regulation (EU) 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, and equivalent data protection laws applicable to the Customer.
How this DPA is incorporated. By using MIR's services, Customer agrees to this DPA. Customer does not need to sign and return a paper copy. Customers requiring a counter-signed DPA may request one from privacy@mirregistry.com; the substantive terms below are not negotiable except with respect to fields explicitly marked as customer-configurable (notification contacts, sub-processor objections, applicable supervisory authority).
1. Definitions
2. Scope, roles, and instructions
This DPA applies whenever MIR processes Personal Data on behalf of Customer in connection with MIR's services. With respect to such Personal Data:
- Customer is the Controller (or, where Customer is itself a Processor for an upstream Controller, Customer is a Processor and MIR is a Sub-processor; this DPA applies analogously);
- MIR is the Processor;
- The sub-processors listed at /sub-processors are authorized Sub-processors as of the Effective Date.
MIR will process Personal Data only on documented instructions from Customer. Customer's documented instructions consist of:
- The Agreement and this DPA;
- Customer's configuration of the services (e.g. enabling SSO, configuring rate limits, designating notification contacts);
- Customer's submission of events, claims, and queries through MIR's APIs and dashboards; and
- Any further written instructions provided by Customer to MIR's privacy contact.
If MIR believes a Customer instruction violates applicable data protection law, MIR will inform Customer in writing without undue delay. MIR may suspend processing under that instruction until the matter is resolved.
3. Subject matter, duration, nature, purpose, and categories
The required Article 28(3) particulars are:
| Particular | Description |
|---|---|
| Subject matter | MIR's provision of participation history infrastructure as described in the Agreement. |
| Duration | The term of the Agreement, plus the post-termination return/deletion period set out in Section 11. |
| Nature and purpose of processing | Storage and querying of behavioral events submitted by Customer or its partner platforms; computation of deterministic tier signals, claim status, and policy recommendations; provision of audit logs and evidence trails; account and billing administration. |
| Type of Personal Data | Hashed external identifiers (SHA-256 of partner-supplied user IDs); event metadata (event type, weight, occurredAt timestamp, optional event ID for idempotency); claim records; account contact information for Customer's administrators; technical and security logs (IP address, request metadata). |
| Categories of Data Subjects | End users and entities about whom Customer or Customer's partner platforms submit events; Customer's administrative users; agents and service accounts registered by Customer. |
| Special categories of personal data | None. MIR does not solicit or accept special category data (GDPR Article 9). Customer warrants it will not submit special category data through MIR's APIs except as expressly permitted in writing by MIR in advance. |
4. Security of processing (Article 32)
MIR implements and maintains appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures are summarized at /security and at minimum include:
- Pseudonymization of partner-supplied external identifiers using SHA-256 hashing prior to storage
- Encryption in transit (TLS 1.2+) and at rest (provider-managed for managed databases)
- Role-based access controls with least-privilege defaults
- Multi-factor authentication on all administrative paths
- Centralized audit logging of API access, authentication events, and policy evaluations
- Tier-based rate limiting and per-endpoint anomaly detection
- Automated backups with point-in-time recovery
- Segregation of customer environments via tenant identifiers and access scoping
- Annual external penetration testing
- Documented vulnerability disclosure process
MIR reviews these measures periodically and updates them as appropriate. MIR will not materially diminish the security measures during the term of the Agreement without Customer's prior written consent.
5. Confidentiality
MIR ensures that personnel authorized to process Personal Data are bound by confidentiality obligations, whether by contract or by statutory duty, and have received appropriate data protection training. Access to Customer Data is granted on a documented need-to-know basis.
6. Sub-processors
Customer authorizes MIR to engage Sub-processors to process Personal Data, subject to the terms of this Section 6.
The current list of Sub-processors is published at /sub-processors. MIR will provide at least 30 days' advance notice of any addition or replacement of a Sub-processor by updating that page and notifying Customer's designated billing or admin contact.
Customer may object to a new Sub-processor on reasonable data protection grounds within the notice period by writing to privacy@mirregistry.com. MIR will work in good faith to address the objection. If MIR cannot accommodate the objection, Customer may terminate the affected portion of the services without penalty by written notice within 30 days of MIR's response.
MIR enters into a written agreement with each Sub-processor that imposes data protection obligations equivalent to those in this DPA. MIR remains liable to Customer for the acts and omissions of its Sub-processors with respect to Personal Data.
7. International transfers
Where MIR transfers Personal Data of EU/EEA, UK, or Swiss data subjects outside their respective jurisdictions, the transfer is conducted under one of the following mechanisms, in order of preference: (a) processing in an EEA region of the relevant Sub-processor; (b) European Commission adequacy decision for the destination country; (c) Standard Contractual Clauses (Module 2 -- Controller to Processor, or Module 3 -- Processor to Sub-processor, as applicable), supplemented by the UK IDTA or the Swiss-specific addendum where applicable; or (d) other lawful transfer mechanisms approved by the relevant supervisory authority.
By accepting this DPA, Customer and MIR are deemed to have entered into the SCCs (Module 2, where Customer is Controller, or Module 3, where Customer is Processor and MIR a Sub-processor) on the following terms:
- Clause 7 (docking clause): applicable
- Clause 9 (sub-processor authorization): Option 2, with the 30-day prior notice in Section 6 of this DPA
- Clause 11 (redress): the optional independent dispute resolution language is not selected
- Clause 17 (governing law): the law of the EU Member State in which the data exporter is established (or, if that state is not an EU/EEA Member State, Ireland)
- Clause 18 (forum): the courts of the same Member State (or, where applicable, Ireland)
- Annex I (Parties, transfer description): populated by reference to the Agreement and Section 3 of this DPA
- Annex II (technical and organizational measures): populated by reference to Section 4 of this DPA and the security documentation at /security
- Annex III (sub-processors): populated by reference to /sub-processors
8. Personal Data Breach
MIR will notify Customer's designated security contact without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data Breach affecting Customer Data. The notification will follow the timeline and format described at /incident-response and will include, to the extent then known:
- The nature of the breach, including categories and approximate number of Data Subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate adverse effects
- The name and contact details of MIR's coordination contact for the incident
MIR will provide reasonable cooperation and information to enable Customer to comply with its own breach notification obligations to supervisory authorities and Data Subjects, including under GDPR Articles 33 and 34.
9. Assistance with Data Subject rights
MIR provides functionality within the services that enables Customer to respond to requests from Data Subjects to exercise their rights under applicable data protection law (including access, rectification, erasure, restriction, portability, and objection). On Customer's documented request and at no additional charge, MIR will assist Customer with such requests where the Data Subject's data cannot be located or actioned by Customer using the in-product functionality.
Where a Data Subject contacts MIR directly with a rights request, MIR will, where it can identify the responsible Customer, refer the Data Subject to that Customer and notify the Customer of the request without undue delay. MIR will not respond substantively to such a request without Customer's instruction except as required by applicable law.
In all cases where MIR is instructed to delete Personal Data in response to a Data Subject erasure request, Customer acknowledges that the deletion may break the temporal continuity of behavioral history for the relevant identifier. The Data Subject's erasure request prevails over MIR's interest in maintaining a continuous record.
10. DPIAs and consultation
Taking into account the nature of the processing and the information available to MIR, MIR will provide Customer with reasonable assistance to support Customer's data protection impact assessments and prior consultations with supervisory authorities under GDPR Articles 35 and 36.
11. Return and deletion on termination
On termination or expiration of the Agreement, and at Customer's election, MIR will either return Customer Data to Customer in a structured, commonly used, machine-readable format, or delete Customer Data from MIR's production systems within 30 days, in either case subject to (a) any retention required by applicable law and (b) routine backup retention cycles, after which residual data is overwritten.
If Customer does not specify an election within 30 days of termination, MIR may delete Customer Data after providing 14 days' written notice to Customer.
MIR will, on Customer's request, certify in writing that Customer Data has been returned or deleted in accordance with this Section 11.
12. Audit
MIR makes available to Customer the information necessary to demonstrate compliance with this DPA and applicable data protection law, including the security documentation at /security, this DPA, the sub-processor list, and -- where MIR holds them -- relevant third-party security and privacy attestations from MIR's Sub-processors.
Customer may, at its own cost and no more than once per calendar year (except where required by applicable law or following a confirmed Personal Data Breach), audit MIR's compliance with this DPA. Customer agrees that, where reasonable, audit obligations may be satisfied by:
- MIR's own current third-party security and privacy attestations (when issued); or
- A pooled audit conducted on behalf of multiple customers; or
- A documented questionnaire response based on industry-standard frameworks (CAIQ, SIG, ISO 27001 controls).
An on-site audit may be conducted only with at least 30 days' prior written notice, during MIR's normal business hours, in a manner that does not unreasonably interfere with MIR's operations or other customers, and subject to confidentiality obligations protecting MIR and other customers' information.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement, except that nothing in this DPA limits any liability that cannot be limited under applicable data protection law.
14. Conflict and survival
If there is any conflict between the terms of the Agreement and this DPA, this DPA prevails with respect to MIR's processing of Personal Data on Customer's behalf. The provisions of this DPA that by their nature are intended to survive termination -- including Section 8 (with respect to incidents discovered after termination), Section 11, and Section 12 -- survive termination.
15. Governing law and forum
This DPA is governed by the law and forum specified in the Agreement, except that, to the extent the SCCs apply under Section 7, the governing law and forum specified in those SCCs apply to the SCCs.
16. Updates
MIR may update this DPA from time to time to reflect changes in applicable law, supervisory authority guidance, or MIR's services. MIR will provide at least 30 days' advance notice of any material change, and Customer's continued use of the services after the effective date of the change constitutes acceptance. Where Customer objects to a material change on reasonable data protection grounds, the dispute resolution process in Section 6 applies by analogy.
17. Contact
Privacy and data protection inquiries: privacy@mirregistry.com
Data subject requests received by MIR directly will be acknowledged and forwarded to the responsible Customer within 5 business days.