This Data Processing Agreement (“DPA”) is entered into between the customer (“Customer”) and Miranda Network SL (Granadilla de Abona, Santa Cruz de Tenerife, Spain), operator of MakeRVN(“Processor”), and forms part of the Terms of Service. It applies where the Processor processes personal data on behalf of the Customer in connection with the Service and reflects the requirements of Article 28 of the GDPR. Capitalized terms not defined here have the meaning given in the GDPR.
1. Roles of the parties
With respect to personal data processed through the Service on the Customer’s behalf, the Customer is the controller (or processor on behalf of its own controllers) and MakeRVN / Miranda Network SL is the processor. The Customer is responsible for establishing a valid legal basis for the processing and for the lawfulness of its instructions.
2. Subject matter & duration
The subject matter of the processing is the provision of the Service. Processing continues for the duration of the agreement and until deletion or return of personal data in accordance with Section 9. Details are set out in Annex I.
3. Nature & purpose of processing
The Processor processes personal data to provide marketing-attribution, deep-linking, measurement and analytics functionality, including matching attribution signals, computing attribution results, and forwarding conversion events to advertising platforms via their server-side conversions APIs, in each case in accordance with the Customer’s documented instructions (including configuration within the Service).
4. Categories of data subjects & personal data
Data subjects:the Customer’s end users (app installers and users) and the Customer’s authorized users and personnel.
Categories of personal data: online and device identifiers, click identifiers (e.g. fbclid, ttclid), IP address and user-agent, device, session and app event metadata, deep-link data, subscription and purchase events, and account/contact details of authorized users. The Service is not intended for special categories of personal data, and the Customer must not submit such data.
5. Processor obligations
The Processor will:
- Process personal data only on the Customer’s documented instructions, including with regard to international transfers, unless required by law (in which case it will inform the Customer unless legally prohibited).
- Ensure persons authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures as described in Annex II.
- Assist the Customer, taking into account the nature of the processing, in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection).
- Assist the Customer in ensuring compliance with security, breach notification, data protection impact assessments and prior consultation obligations (Articles 32–36 GDPR).
- Make available information necessary to demonstrate compliance with Article 28 and contribute to audits as described in Section 8.
6. Sub-processors
The Customer provides general authorization for the Processor to engage sub-processors to process personal data, subject to written terms imposing data-protection obligations no less protective than this DPA. The current sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Application hosting, authentication and database | EU / US |
| Stripe | Subscription billing and payment processing | US / EU |
| Meta | Conversions API (server-side event forwarding) | US |
| Conversions / Ads API (server-side event forwarding) | US | |
| TikTok | Events API (server-side event forwarding) | US |
The Processor will inform the Customer of any intended changes concerning the addition or replacement of sub-processors, giving the Customer the opportunity to object on reasonable data-protection grounds. The Processor remains liable for the acts and omissions of its sub-processors.
7. International transfers
Where the provision of the Service involves the transfer of personal data outside the EEA, such transfers are made on the basis of an adequacy decision or appropriate safeguards, principally the European Commission’s Standard Contractual Clauses (“SCCs”) together with any required supplementary measures. The SCCs are incorporated into this DPA by reference where applicable.
8. Personal data breach notification
The Processor will notify the Customer without undue delayafter becoming aware of a personal data breach affecting the Customer’s personal data, and will provide information reasonably available to assist the Customer in meeting its own breach notification obligations under Articles 33 and 34 GDPR.
9. Audits
The Processor will make available information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audits will be conducted on reasonable prior notice, no more than once per year (except following a breach or where required by a supervisory authority), during business hours, and subject to confidentiality.
10. Return & deletion on termination
Upon termination of the Service, and at the Customer’s choice, the Processor will delete or return all personal data processed on the Customer’s behalf and delete existing copies, unless retention is required by law. Backups are deleted in the ordinary course according to the Processor’s retention cycle.
Annex I — Details of processing
| Controller | The Customer |
|---|---|
| Processor | Miranda Network SL (MakeRVN), Granadilla de Abona, Santa Cruz de Tenerife, Spain |
| Subject matter | Provision of mobile-app attribution and analytics services. |
| Duration | For the term of the agreement and until return or deletion of personal data. |
| Nature & purpose | Attribution matching, deep-linking, measurement, analytics and forwarding of conversion events to advertising platforms. |
| Categories of data subjects | The Customer’s end users and authorized personnel. |
| Categories of personal data | Device and online identifiers, click identifiers, IP address and user-agent, device and event metadata, subscription events, and account/contact data. |
| Special categories | None intended; the Customer must not submit special-category data. |
Annex II — Technical & organizational measures
The Processor maintains the following technical and organizational security measures, which may be updated as the Service evolves provided the level of protection is not diminished:
| Measure | Description |
|---|---|
| Encryption | TLS for data in transit; encryption at rest for stored personal data. |
| Access control | Role-based access, least-privilege principles, unique accounts and strong authentication for personnel. |
| Pseudonymization & minimization | Data minimization and pseudonymization where feasible for attribution processing. |
| Confidentiality & integrity | Confidentiality undertakings, network controls and integrity monitoring. |
| Availability & resilience | Backups, redundancy and disaster-recovery procedures. |
| Logging & monitoring | Audit logging, security monitoring and alerting for anomalous activity. |
| Secure development | Secure SDLC, code review, dependency management and change control. |
| Vendor management | Due diligence and data-protection terms with sub-processors. |
| Testing & evaluation | Regular review and testing of the effectiveness of security measures. |
For a fuller description of our security program, see our Security page. Questions about this DPA can be sent to makervn@mirandanetwork.es or makervn@mirandanetwork.es.