Data Processing Addendum (GDPR)
Updated: 1 June 2026
When this applies
This addendum applies automatically to business customers who use Miradoes to process personal data of their own end users via Bifrost (e.g. the AI reads WooCommerce orders that contain customer data).
Roles
You are the Data Controller for your customers' data. Miradoes is the Data Processor within the bounds of the services provided.
Subprocessors
Our subprocessors are Stripe (billing), Cloudflare (CDN/security), and our transactional email service. The full, up-to-date list is available on request; we notify you in writing of major changes 30 days in advance.
International transfers
Stripe may transfer data outside the EU via Standard Contractual Clauses; the same applies to Cloudflare. All our subprocessors are GDPR-certified or have equivalent mechanisms.
Technical measures
HTTPS, at-rest encryption for secrets, bcrypt password hashes, 2FA, activity log, limited retention, principle of least privilege.
Breach notification
We notify you within 48h of detecting a breach that affects your data. The notification includes details, estimated impact, mitigation, and a contact for clarifications.
Data return / deletion
On contract termination, or on request, we return or permanently delete data within 30 days, subject to legal retention obligations.
Audit
Enterprise customers can request an annual compliance report at dpa@miradoes.com.