The EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018.
If you're based in the EU or do business in the EU, GDPR has a long reach. If you have any EU personal data in your Miso account, such as names, email addresses, ID numbers, or… anything personally identifiable, then GDPR applies. You are a Controller of personal data under GDPR, so you need to enter into GDPR-compliant data processing agreements with any online services and third party vendors you rely on, including Basecamp. These agreements are commonly called a Data Processing Addendum, or DPA.
Mido uses third party subprocessors, such as cloud computing providers and customer support software, to provide our services. We enter into GDPR-compliant data processing agreements with each subprocessor, and require the same of them. List of Miso subprocessors.