// Trust & Security Report

    RealtimeBoard, Inc. dba Miro logo

    RealtimeBoard, Inc. dba Miro

    Miro AI Innovation Workspace (collaborative online whiteboard with AI features)

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001 (ISMS)
    HELD

    ISO/IEC 27001 Certificate | View | Download

    Verify on trust.miro.com
    ISO/IEC 42001:2023 (AI Management System)
    HELD

    Miro among the first to attain AI management systems standard ISO 42001 (Aug 19, 2025). Get peace of mind with Miro's attainment of ISO 42001 AI management system standard.

    Verify on miro.com
    SOC 2 Type II
    HELD

    SOC 2 Type II Report 2025-2026 | Request access ... Mar 16, 2026: Miro 2026 SOC 2 Type II Report Now Available

    Verify on trust.miro.com
    SOC 3
    HELD

    SOC 3 System and Organization Controls Report 2025-2026 | View | Download

    Verify on trust.miro.com
    GDPR (EU/US)
    HELD

    EU/US GDPR | General Data Protection Regulation ... GDPR COMPLIANT

    Verify on miro.com
    CCPA
    HELD

    CCPA | California Customer Privacy Act

    Verify on miro.com
    Microsoft SSPA
    HELD

    Microsoft SSPA | Microsoft Supplier Security and Privacy Assurance

    Verify on miro.com
    HIPAA
    HELD

    No HIPAA attestation found on Miro's trust center, security, or AI-trust pages.

    Verify on trust.miro.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Data residency available in EU, US, Australia (AUS), and Japan. AWS is the primary infrastructure subprocessor (US default, residency available for AUS/EU/US).

    Miro's AI Trust page states plainly: 'Your data is never used to train Miro AI models.' AI features are powered by third-party model subprocessors (Anthropic listed for AI Functionality, US; Microsoft referenced in the privacy policy: 'the AI features may share limited data with Microsoft in connection with the use of the AI features and to monitor compliance with codes of conduct'). Enterprise admins get granular AI controls: block AI/MCP on sensitive boards, native prompt-redaction, custom AI terms-of-service banners, AI-vs-human content attribution logs, and the option to bring their own model API key. Governed under ISO/IEC 42001.

    // Security controls

    Penetration testing

    Yes - third-party pen testing; 'Miro Penetration Test Summary 2025-2026' available for request in the Trust Center.

    trust.miro.com

    Bug bounty / vulnerability disclosure

    Yes - public bug bounty program on HackerOne (hackerone.com/miro). Trust Center also provides a 'Report a vulnerability' channel and security@miro.com contact.

    hackerone.com

    Access control

    MFA for all systems, role-based access control, SSO integration, just-in-time privileged access, automated/biannual access reviews, account lockout and session timeout.

    trust.miro.com

    AI governance controls

    ISO 42001 management system, admin control over AI features, AI activity audit logging, AI data handling and training restrictions, built-in prompt redaction and moderation, ongoing surveillance audits.

    trust.miro.com

    Operational security

    Annual + semi-annual risk assessments, formal security policies, incident response plan with post-incident root cause analysis, internal security audits/monitoring, cybersecurity insurance.

    trust.miro.com

    Enterprise Guard

    Optional advanced data-governance add-on: sensitive data discovery/classification, content lifecycle management, legal discovery and preservation. Uses Google LLC as subprocessor for sensitive data discovery.

    miro.com

    Security whitepaper

    Downloadable security & compliance whitepaper covering infrastructure, operational, and product security layers.

    miro.com

    // Products & data scope

    Miro Free / individual planConsumer / individual whiteboard

    data: Personal account data + Customer Content on boards. Subject to standard Privacy Policy and Terms of Service. AI features available but enterprise admin governance controls not present.

    Entry tier; no contractual data-residency selection.

    Miro Business / Team plansTeam collaboration (paid)

    data: Organization-controlled Customer Content; billing data collected. DPA available. Standard SOC 2 / ISO 27001 covered services.

    Org admin controls; covered by Master Cloud Agreement / Customer DPA.

    Miro EnterpriseEnterprise collaboration platform

    data: Data residency selection (EU/US/AUS/Japan), SSO, advanced AI governance (prompt redaction, AI scope blocking, attribution logs, BYO model API key).

    Full enterprise security and compliance posture; targets security-conscious enterprises (Accenture, Deloitte, CVS Health, PepsiCo, Microsoft listed as customers).

    Enterprise Guard (add-on)Data governance / DLP add-on

    data: Sensitive-data discovery and classification, lifecycle management, legal hold/eDiscovery. Adds Google LLC as a subprocessor for sensitive data discovery.

    Optional advanced governance layer on top of Enterprise.

    Miro AI featuresAI workspace features (across plans)

    data: AI interaction data is part of Services Data. Powered by third-party models (Anthropic, Microsoft). Customer data is NOT used to train Miro AI models. Governed by ISO 42001 and separate AI Terms.

    Distinct AI Terms in legal hub; data shared with model subprocessors only to deliver the feature.

    Miro Developer Platform / MCPAPI / developer integrations

    data: Governed by Developer Terms of Use and Marketplace Terms. Third-Party Services may exchange Customer Content per customer-granted permissions.

    250+ apps and integrations; MCP connector support for agentic workflows.

    // What to watch

    • Bug bounty platform: a public HackerOne program (hackerone.com/miro) is confirmed; some third-party sources also reference Bugcrowd, so the canonical platform should be treated as HackerOne with possible Bugcrowd history.
    • No HIPAA attestation found - relevant for healthcare buyers; treat as not offered unless Miro confirms.
    • Trust Center is operated via Wolfia; SOC 2 Type II, ISO 42001 certificate, and pen test summary require access request (gated, not publicly downloadable). SOC 3 and ISO 27001 certificate are publicly viewable/downloadable.

    // At a glance

    Pricing model

    Freemium SaaS - Free tier plus paid Business, Enterprise, and add-ons (Enterprise Guard); education/startup/NPO programs.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on RealtimeBoard, Inc. dba Miro's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.miro.com

    > Browse all vendor trust reports