I have regularly used Miro both for this programme and in my e-learning work at the University. I thought it would be interesting to tackle the data collection and processing flows for a Miro “enterprise customer”. This is laid in several documents, beginning with the Master Cloud Agreement (MCA), and continuing with a Privacy Policy, and various addendums and lists.
Visualisation: Miro Governance
Theme 5: Miro governance visualisation
Visualisation: Miro Governance (PDF)
Data privacy
Miro claims an “eyes off” approach to data, with only user name and email collected for users by default (Miro, 2024c). Further information could be inferred from things such as customer’s organisational hierarchy within Miro (how many/ratio of users at each access level), or user network mapping (eg how many boards is the average user a part of, how are these distributed/siloed), all of which can be collected as part of Miro’s “legitimate interest” in providing and improving the service.
Informed Consent
The MCA defines the “Agreement” between customers and Miro as the “MCA together with all Orders, exhibits, Policies, and the DPA” (Miro, 2024b, s18). For this single service there are multiple documents that must be pulled together and understood as a collective.
I do not recall if I was required to agree to terms of use upon my first login to Miro as a university user. I note that Miro seeks enterprise customer consent on using genAI input/output for training, however standard users must opt out (Miro, 2024a). This may be indicative of broader power and knowledge dynamics at play, whereby institutions with legal obligations to protect staff/student data are more likely to seek and receive specific opt-in/out conditions over blanket consumer terms of service.
Miro agreements do state that customers maintain intellectual property ownership of the content they produce, however it also asserts a right to “use, copy, modify and create derivative works” (Miro, 2024b, s4.1). It currently asserts this is performed only to provide services under the agreement; however, I am not clear on what exactly this includes or excludes. Regardless, in using the service, customers/users consent to these terms and the uses of their data under the agreement written (and interpreted) by the service provider (Komljenovic, 2022; Hillman, 2023).
Data governance
Miro is a multinational SaaS offering and thus must contend with data governance regulations of various countries. There seem to be a few key points to consider:
Data residency
Miro maintains three data residencies covering key geographic and legislative demographics – the US, EU, and Australia (Miro, 2025). Standard users get EU only, with all three available to enterprise. However, this appears mainly to cover board content data. There are key exceptions to this laid out in Miro’s data residency table, such as AI features, third-party integration/apps, SSO integration, and all user data(?!).
Control
It seems the main data collection concern for Miro is not user content, but user behaviour within the platform. This is demonstrated by Miro’s status of Data Controller/owner of Services Data (Miro, 2024d, s2), and forwarding of the idea of customer ownership of user-generated board content (Miro, 2024c). Mindful of Arantes’ Edmodo analysis (2024), this means that upon account deletion, Miro will delete Customer Data but retain Services Data – an example of extracting personal data into private assets (Komljenovic, 2022).
Nestedness
There is also an issue of the nestedness within the Miro platform of sub-processors, vendors (and sub-sub processors and vendors), and third-party service agreements, which entangles users further in a web of nearly incomprehensible contractual interrelationships. This raises practical and ethical issues around a customer’s (or Miro’s) capability to police Nth-party sub-agreements for data misuse (Hillman, 2023). Such concerns will likely be mirrored across the (ed)tech space.
Extracting value from data
Section 12 of the MCA clearly states that Miro retains IP and other rights over generation and use of user data (excluding Customer Content) to improve or develop its own services (Miro, 2024b, s12). This right and sharing of data extends to sub-processors and beyond (Miro, 2024b, s15; Miro, 2024d, s6). We also see Miro reserves the right to combine this with legitimate third-party data.
Platforms such as Miro can leverage the network effects of aggregations of vast collections of data to inform technical, marketing and administrative interventions and developments. Data can be combined, reconfigured, and (re)interrogated as desired (Komljenovic, 2022; Komljenovic, Birch and Sellar, 2024), all the while increasing in value as it accumulates (Komljenovic, 2021; Perrotta and Pangrazio, 2023).
I am interested to see if the analytics dashboard available to University administrators provides useful information, as it is marketed and sold as an enterprise feature (Miro, no date).
Conclusion: Confusion
In this dive into Miro’s data policies I found that it refers differently to data types in different documents. The MCA refers to Usage Data and Customer Content, but the Privacy Policy covers Services Data and Customer Content. Are Services and Usage interchangeable terms?
There is also confusing wording within the same documents. For example, section 2 of the Privacy Policy states that “Customer is the controller for all Customer Content that is also Personal Data”, yet section 3 defines both Customer Content and Services Data under the umbrella of “Personal Data” which seems entirely contrary to the above (Miro, 2024d, s2-3).
I would be keen to see some legislative movement towards simplification or homogenisation of data agreements and “plain language” explainers, and hope a more transparent system would allow lay users such as staff and students to have more knowledge of what, how, and why their data is processed, hence more influence on institutional policy and beyond (Hillman, 2023).
Putting that aside, the Miro sub-processor list includes Microsoft, Google and Amazon. In affiliated roles, these platforms will likely have access to Miro’s Services Data. A focus on data privacy is important, but perhaps there is not sufficient legislative and governmental cognisance of the information (and therefore power) imbalance created by massive data cross-aggregation fed by platforms built upon platforms integrating more platforms.
References
Arantes, J. (2024) ‘Educational data brokers: using the walkthrough method to identify data brokering by edtech platforms’, Learning, Media and Technology, 49(2), pp. 320–333. Available at: https://doi.org/10.1080/17439884.2022.2160986.
Hillman, V. (2023) ‘Bringing in the technological, ethical, educational and social-structural for a new education data governance’, Learning, Media and Technology, 48(1), pp. 122–137. Available at: https://doi.org/10.1080/17439884.2022.2052313.
Komljenovic, J. (2021) ‘The rise of education rentiers: digital platforms, digital data and rents’, Learning, Media and Technology, 46(3), pp. 320–332. Available at: https://doi.org/10.1080/17439884.2021.1891422.
Komljenovic, J. (2022) ‘The future of value in digitalised higher education: why data privacy should not be our biggest concern’, Higher Education, 83(1), pp. 119–135. Available at: https://doi.org/10.1007/s10734-020-00639-7.
Komljenovic, J., Birch, K. and Sellar, S. (2024) ‘Monetising Digital Data in Higher Education: Analysing the Strategies and Struggles of EdTech Startups’, Postdigital Science and Education, 6(4), pp. 1196–1215. Available at: https://doi.org/10.1007/s42438-024-00505-0.
Miro (2024a) AI features addendum, https://miro.com/. Available at: https://miro.com/legal/ai-features-addendum/ (Accessed: 21 March 2025).
Miro (2024b) Master Cloud Agreement, https://miro.com/. Available at: https://miro.com/legal/master-cloud-agreement/ (Accessed: 22 March 2025).
Miro (2024c) Master Cloud Agreement guide, https://miro.com/. Available at: https://miro.com/legal/miro-mca-guide/ (Accessed: 21 March 2025).
Miro (2024d) Privacy Policy, https://miro.com/. Available at: https://miro.com/legal/privacy-policy/ (Accessed: 23 March 2025).
Miro (2025) Data residency at Miro, Miro Help Center. Available at: https://help.miro.com/hc/en-us/articles/23084283851026-Data-residency-at-Miro (Accessed: 22 March 2025).
Miro (no date) Pricing, https://miro.com/. Available at: https://miro.com/pricing/ (Accessed: 23 March 2025).
Perrotta, C. and Pangrazio, L. (2023) ‘The critical study of digital platforms and infrastructures: Current issues and new agendas for education technology research’, Education Policy Analysis Archives, 31. Available at: https://doi.org/10.14507/epaa.31.7952.
25 March 2025 at 21:14
This is truly excellent work, Chris. Your visualisation is informative and well presented. You show evidence of thorough understanding of the topic. I appreciate that you explicitly included key terms and artefacts, i.e. data subjects, controllers, processors, etc. It is fascinating that you managed to put a story together of how Miro can monetise data; and I am quite surprised that they explicitly state that service data is their IP. Just in case you are interested in this topic, Ben Williamson and I wrote a little bit about how service data is sometimes hard to disassociate from personal data and thus, the legitimacy for service data monetisation can be questioned. No need to read or look, but just FYI: https://www.ei-ie.org/en/item/28484:behind-the-platforms-safeguarding-intellectual-property-rights-and-academic-freedom-in-higher-education
I would only comment that integration with third parties for data processing might still support the original service and, in legal terms, the legitimate interest of the service provider. In other words, if AWS hosts Miro data, it doesn’t necessarily mean that AWS also accesses Miro data and uses it for its own services. But depending on the arrangements, Miro might share data for processing with other vendors… You describe that bit very well.
I appreciate your insight that data flows and processing should be explained better in lay terms and that individuals as end users could have a better say in what is happening with their data.
I look forward to reading your final reflection on the blog activity, and then your final assignment.
28 March 2025 at 12:47
Hi Janja,
Thanks, I will definitely have a look at the executive summary!
I had an enlightening but also quite frustrating time trying to read through and unpack the various documents that Miro provides as part of the “Agreement” – bouncing between things to understand who and what is being discussed.
I find it interesting that a single digital platform can itself be considered a collection of processes and artefacts built upon various subprocessor platforms. I do agree with your point about subprocessors not necessarily having access to Miro/user data.