// Trust & Security Report
RealtimeBoard, Inc. dba Miro
Miro AI Innovation Workspace (collaborative online whiteboard with AI features)
Certifications held
8
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on miro.com“Miro among the first to attain AI management systems standard ISO 42001 (Aug 19, 2025). Get peace of mind with Miro's attainment of ISO 42001 AI management system standard.”
Verify on trust.miro.com“SOC 2 Type II Report 2025-2026 | Request access ... Mar 16, 2026: Miro 2026 SOC 2 Type II Report Now Available”
Verify on trust.miro.com“SOC 3 System and Organization Controls Report 2025-2026 | View | Download”
Verify on miro.com“EU/US GDPR | General Data Protection Regulation ... GDPR COMPLIANT”
Verify on miro.com“Microsoft SSPA | Microsoft Supplier Security and Privacy Assurance”
Verify on trust.miro.com“No HIPAA attestation found on Miro's trust center, security, or AI-trust pages.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Data residency available in EU, US, Australia (AUS), and Japan. AWS is the primary infrastructure subprocessor (US default, residency available for AUS/EU/US).
Miro's AI Trust page states plainly: 'Your data is never used to train Miro AI models.' AI features are powered by third-party model subprocessors (Anthropic listed for AI Functionality, US; Microsoft referenced in the privacy policy: 'the AI features may share limited data with Microsoft in connection with the use of the AI features and to monitor compliance with codes of conduct'). Enterprise admins get granular AI controls: block AI/MCP on sensitive boards, native prompt-redaction, custom AI terms-of-service banners, AI-vs-human content attribution logs, and the option to bring their own model API key. Governed under ISO/IEC 42001.
// Security controls
Penetration testing
Yes - third-party pen testing; 'Miro Penetration Test Summary 2025-2026' available for request in the Trust Center.
trust.miro.comBug bounty / vulnerability disclosure
Yes - public bug bounty program on HackerOne (hackerone.com/miro). Trust Center also provides a 'Report a vulnerability' channel and security@miro.com contact.
hackerone.comAccess control
MFA for all systems, role-based access control, SSO integration, just-in-time privileged access, automated/biannual access reviews, account lockout and session timeout.
trust.miro.comAI governance controls
ISO 42001 management system, admin control over AI features, AI activity audit logging, AI data handling and training restrictions, built-in prompt redaction and moderation, ongoing surveillance audits.
trust.miro.comOperational security
Annual + semi-annual risk assessments, formal security policies, incident response plan with post-incident root cause analysis, internal security audits/monitoring, cybersecurity insurance.
trust.miro.comEnterprise Guard
Optional advanced data-governance add-on: sensitive data discovery/classification, content lifecycle management, legal discovery and preservation. Uses Google LLC as subprocessor for sensitive data discovery.
miro.comSecurity whitepaper
Downloadable security & compliance whitepaper covering infrastructure, operational, and product security layers.
miro.com// Products & data scope
data: Personal account data + Customer Content on boards. Subject to standard Privacy Policy and Terms of Service. AI features available but enterprise admin governance controls not present.
Entry tier; no contractual data-residency selection.
data: Organization-controlled Customer Content; billing data collected. DPA available. Standard SOC 2 / ISO 27001 covered services.
Org admin controls; covered by Master Cloud Agreement / Customer DPA.
data: Data residency selection (EU/US/AUS/Japan), SSO, advanced AI governance (prompt redaction, AI scope blocking, attribution logs, BYO model API key).
Full enterprise security and compliance posture; targets security-conscious enterprises (Accenture, Deloitte, CVS Health, PepsiCo, Microsoft listed as customers).
data: Sensitive-data discovery and classification, lifecycle management, legal hold/eDiscovery. Adds Google LLC as a subprocessor for sensitive data discovery.
Optional advanced governance layer on top of Enterprise.
data: AI interaction data is part of Services Data. Powered by third-party models (Anthropic, Microsoft). Customer data is NOT used to train Miro AI models. Governed by ISO 42001 and separate AI Terms.
Distinct AI Terms in legal hub; data shared with model subprocessors only to deliver the feature.
data: Governed by Developer Terms of Use and Marketplace Terms. Third-Party Services may exchange Customer Content per customer-granted permissions.
250+ apps and integrations; MCP connector support for agentic workflows.
// What to watch
- Bug bounty platform: a public HackerOne program (hackerone.com/miro) is confirmed; some third-party sources also reference Bugcrowd, so the canonical platform should be treated as HackerOne with possible Bugcrowd history.
- No HIPAA attestation found - relevant for healthcare buyers; treat as not offered unless Miro confirms.
- Trust Center is operated via Wolfia; SOC 2 Type II, ISO 42001 certificate, and pen test summary require access request (gated, not publicly downloadable). SOC 3 and ISO 27001 certificate are publicly viewable/downloadable.
// At a glance
Pricing model
Freemium SaaS - Free tier plus paid Business, Enterprise, and add-ons (Enterprise Guard); education/startup/NPO programs.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on RealtimeBoard, Inc. dba Miro's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.miro.com