Skip to content
M·01
Legal · Data Processing Agreement

DPA. Signable in app.

Last updated 2026-04-01 · version 2.0. Forms part of the Terms when you process personal data through Misano.

ProcessorPoint FM Services s.r.o.
Sub-processorsSee list
EU residencySupabase · Frankfurt
Other legal pages:TermsPrivacySub-processors
M·02
01

Roles

You (the customer) are the data controller for any personal data you upload to Misano. We (Point FM Services s.r.o.) are the data processor.

This DPA applies to the extent you process personal data subject to GDPR (or equivalent EU/EEA, UK, or Swiss law) through Misano.

02

Scope of processing

We process the personal data you upload — names, contact details, beneficial-owner data extracted from registries, financial filings, KB notes — solely to provide the Misano product to you.

We do not process your data for our own purposes, for marketing, or for any third party. We do not use your data to train AI models.

03

Sub-processors

We use Supabase (database), Anthropic and OpenAI (LLM inference), Exa (web search at your direction), Stripe (payments), and Resend (transactional email). The current list is published at /legal/sub-processors and updated whenever it changes.

We give you 30 days’ notice of any new sub-processor. If you object, you may terminate the affected service for cause.

04

Security measures

Encryption at rest (AES-256) and in transit (TLS 1.3). Per-tenant isolation at the database (row-level security). Access logging with audit trail. Backup retention 30 days. Yearly third-party penetration test.

See /security for the operational detail.

05

International transfers

Customer data is stored in the EU (Supabase Frankfurt). Where any sub-processor (notably Anthropic) operates infrastructure outside the EU, transfers are made under EU Standard Contractual Clauses (SCCs) and supplementary measures as required by the EDPB.

06

Data subject rights

We assist you in responding to access, rectification, deletion, and portability requests from your data subjects, within the timelines required by GDPR.

07

Breach notification

We notify you of a personal data breach without undue delay and at the latest within 48 hours of becoming aware, with all the information required under GDPR Art. 33.

08

Audit

Once per year, you may request a written audit of our security practices. We respond with our current trust report, sub-processor list, and an answered security questionnaire within 30 working days.

09

Term and termination

This DPA runs for the duration of your subscription. On termination, we delete your personal data within 90 days, except where retention is required by law (notably for invoicing under Czech accounting law).

10

Contact

Data protection questions: founder@misano.ai. Formal notices: legal@misano.ai.