Data Processing Addendum

This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between Customer and Motif Land Inc. (“14.ai”) (collectively, “the parties”) for the provision of services to Customer (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.

1. Definitions

a. “Data Protection Law” means all laws that apply to the Processing of Personal Data under the Agreement, including European Data Protection Law and the laws and regulations of the United States and its states, as amended from time to time, to the extent such laws and regulations apply to the relevant party.

b. “European Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 ("GDPR") and all other privacy and data protection laws of the European Economic Area (“EEA”), and their respective Member States, Switzerland and the United Kingdom (“UK”) and all laws implementing or supplementing the foregoing.

c. “Personal Data” means any information that reasonably relates, directly or indirectly, to an identified or identifiable natural person that 14.ai may Process on Customer’s behalf in performing the services under the Agreement.

d. “Processing” (including its cognate “Process”) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

e. “Security Incident” means a breach of security leading to the unauthorized or unlawful access by a third party, or confirmed accidental or unlawful destruction, loss or alteration, of Personal Data.

f. “Standard Contractual Clauses” means (i) Module 2 of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”), and (ii) where the UK GDPR applies, the EU SCCs as supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018 (the “UK SCCs”).

2. Scope and Roles

2.1. The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I.

2.2. 14.ai agrees that it will Process Personal Data only in accordance with the Agreement and this DPA. To the extent applicable, 14.ai will Process Personal Data as a “processor” or “service provider” as such terms are defined under applicable Data Protection Law.

3. Data Protection

3.1. When 14.ai Processes Personal Data, it will:

a. Process the Personal Data in accordance with Customer's documented instructions as described in the Agreement or this DPA. 14.ai will notify Customer if it considers that an instruction from Customer is in breach of Data Protection Law, unless it is prohibited from doing so by law on important grounds of public interest.

b. Assist Customer, taking into account the nature of the Processing and the information available to 14.ai, in complying with Customer's obligations to respond to requests concerning Personal Data from individuals under applicable Data Protection Law.

c. Implement and maintain appropriate physical, technical and organizational measures to ensure a level of security appropriate to the risk, which include the technical and organizational measures required by applicable Data Protection Law.

d. Only entrust the Processing of Personal Data to personnel who have undertaken to comply with confidentiality requirements.

e. Upon termination of the Agreement, as instructed by Customer, to the extent that 14.ai retains Personal Data, permit Customer to delete or obtain copies of such Personal Data consistent with the functionality of the Services and applicable law.

3.2. 14.ai certifies that it will not (a) “sell” (as defined in Data Protection Law) the Personal Data; (b) retain, use, or disclose the Personal Data for any purpose other than as permitted under this DPA and in accordance with the Agreement; or (c) retain, use, or disclose the Personal Data other than in the context of the direct relationship with Customer in accordance with the Agreement.

4. Customer Responsibilities

Customer is responsible for the lawfulness of Personal Data processing under or in connection with the services. Customer will (i) provide all required notices and obtain all required consents, permissions and rights necessary under applicable Data Protection Law for 14.ai to lawfully Process Personal Data for the purposes contemplated by the Agreement; (ii) make appropriate use of the services to ensure a level of security appropriate to the particular content of the Personal Data; (iii) comply with all Data Protection Law applicable to the collection of Personal Data and the transfer of such Personal Data to 14.ai; and (iv) ensure its processing instructions comply with applicable laws (including applicable Data Protection Law).

5. Subprocessing

5.1. Customer agrees that 14.ai may use the third-party suppliers listed on its website at https://14.ai/legal/subprocessors to Process Personal Data on its behalf for the provision of the services under the Agreement (each a “Subprocessor”).

5.2. 14.ai will maintain a list of Subprocessors and, prior to authorizing any new Subprocessor to access Personal Data, 14.ai will update the list of Subprocessors. Customer can receive notification of any changes to the list of Subprocessors by subscribing at the link above. If Customer objects to the appointment of such Subprocessor within ten (10) days, it may terminate the portion of the services that cannot be provided without such Subprocessor on written notice to 14.ai that includes Customer’s legitimate and documented grounds for non-approval.

5.3. 14.ai will ensure that any Subprocessors to which it transfers Personal Data enter into written agreements with 14.ai requiring that the Subprocessor abide by terms substantially similar to those contained in this DPA.

5.4. 14.ai will remain liable for any breaches of this DPA caused by its Subprocessors.

6. Restricted Data Transfers

6.1. In the event that Customer is subject to European Data Protection Law and the transfer of Personal Data to 14.ai would be restricted in the absence of the Standard Contractual Clauses, the Parties agree that the Standard Contractual Clauses shall be incorporated into this DPA with Customer as the “data exporter” and 14.ai as the “data importer.”

6.2. The Standard Contractual Clauses are further completed as follows: the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; the governing law in Clause 17 is the law of the Republic of Ireland; the courts in Clause 18(b) are the Courts of the Republic of Ireland; and Annex 1, 2 and 3 to the Standard Contractual Clauses are Paragraph 3, 4, and 5 of this DPA respectively. To the extent required by Data Protection Law in the UK, Part 1, tables 1, 2 and 3 of the UK SCCs will be deemed to be completed like their equivalent provisions in the EU SCCs. For the purpose of Part 1, Table 4, the party that may end the UK SCCs in accordance with Section 19 of the UK Addendum is the importer.

7. Assistance and Notifications

7.1. Upon Customer’s request, 14.ai will provide Customer with reasonable cooperation and assistance to the extent required to fulfill Customer’s obligation under European Data Protection Law to:

a. Reply to investigations and inquiries from data protection regulators.

b. Carry out a data protection impact assessment related to the services, where Client does not otherwise have access to the relevant information necessary to perform such assessment.

7.2. Unless prohibited by Data Protection Law, 14.ai must inform Customer without undue delay if 14.ai:

a. Receives a request, complaint or other inquiry regarding the Processing of Personal Data;

b. Receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body;

c. Is subject to a legal obligation that requires 14.ai to Process Personal Data in contravention of Customer’s instructions; or

d. Is otherwise unable to comply with Data Protection Law or this DPA.

7.3. Upon becoming aware of a Security Incident, 14.ai will inform Customer without undue delay and will provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer to allow Customer to fulfill its data breach reporting obligations under applicable Data Protection Law.

8. Audit

8.1. 14.ai will make available to Customer at Customer’s request information which is necessary to demonstrate compliance with this DPA and allow for any audits, including inspections, conducted by Customer or another auditor, as requested by Customer.

8.2. To the extent 14.ai makes available to Customer confidential summary reports ("Audit Report") prepared by third-party security professionals, Customer agrees to accept such Audit Report, subject to confidentiality requirements, in satisfaction of its audit right; however, if Customer can demonstrate that it requires additional information, beyond the Audit Report, then Customer may request, at Customer's cost, 14.ai to provide for an audit subject to reasonable confidentiality procedures, which will: (i) not include access to any information that could compromise confidential information relating to other 14.ai customers or suppliers, 14.ai's technical and organizational measures, or any trade secrets; and (ii) be performed upon not less than thirty (30) days’ notice, during regular business hours and in such a manner as not to unreasonably interfere with 14.ai’s normal business activities.

9. General

9.1. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict in connection with the Processing of Personal Data.

9.2. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

9.3. Notwithstanding anything to the contrary in the Agreement or this DPA, the liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.

9.4. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.

Annex I

A. List of parties

Customer is the controller and the data exporter and 14.ai is the processor and the data importer.

B. Description of transfer

Subject Matter

14.ai’s provision of the services to Customer.

Duration of the Processing

Personal Data will be retained only transiently or for a short duration to transmit the Personal Data from Customer’s chosen source to Customer’s chosen destination.

Nature and Purpose of the Processing

14.ai will process Customer Personal Data for the purposes of providing the services to Customer under the Agreement.

Frequency of the Processing

As and when the services are used.

Categories of Data

Any Personal Data selected by Customer in connection with Customer’s use of the services.

Special Categories of Data Processed

The services are not intended to Process special categories of data.

Data Subjects

Any data subjects of the Personal Data selected by Customer.

C. Competent supervisory authority

The competent supervisory authority is the Irish Data Protection Commission.

Annex II

14.ai shall implement and maintain the controls listed in this Annex II in accordance with industry standards generally accepted by information security professionals as necessary to reasonably protect Personal Data during storage, processing and transmission.

Physical access control

Technical and organizational measures to prevent unauthorized persons from gaining access to the data Processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include: (a) establishing security areas, restriction of access paths; (b) establishing access authorizations for employees and third parties; (c) access control system (ID reader, magnetic card, chip card); (d) key management, card-keys procedures; (e) door locking (electric door openers etc.); (f) security staff, janitors; (g) surveillance facilities, video/CCTV monitor, alarm system; and (h) securing decentralized data Processing equipment and personal computers.

Virtual access control

Technical and organizational measures to prevent data Processing systems from being used by unauthorized persons include: (a) user identification and authentication procedures; (b) ID/password security procedures (special characters, minimum length, change of password); (c) automatic blocking (e.g. password or timeout); (d) monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts; (e) creation of one master record per user, user-master data procedures per data Processing environment; and (f) encryption of archived data media.

Data access control

Technical and organizational measures to ensure that persons entitled to use a data Processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include: (a) internal policies and procedures; (b) control authorization schemes; (c) differentiated access rights (profiles, roles, transactions and objects); (d) monitoring and logging of accesses; (e) disciplinary action against employees who access Personal Data without authorization; (f) reports of access; (g) access procedure; (h) change procedure; (i) deletion procedure; and (j) encryption.

Disclosure control

Technical and organizational measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed, include: (a) encryption/tunneling; (b) logging; and (c) transport security.

Entry control

Technical and organizational measures to monitor whether Personal Data have been entered, changed or removed (deleted), and by whom, from data Processing systems, include: (a) logging and reporting systems; and (b) audit trails and documentation.

Control of instructions

Technical and organizational measures to ensure that Personal Data are Processed solely in accordance with the instructions of the Controller include: (a) unambiguous wording of the contract; (b) formal commissioning (request form); and (c) criteria for selecting the Processor.

Availability control

Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) include: (a) backup procedures; (b) mirroring of hard disks (e.g. RAID technology); (c) uninterruptible power supply (UPS); (d) remote storage; (e) antivirus/firewall systems; and (f) disaster recovery plan.

Separation control

Technical and organizational measures to ensure that Personal Data collected for different purposes can be Processed separately include: (a) row-level access control; (b) segregation of functions (production/testing); and (c) procedures for storage, amendment, deletion, transmission of data for different purposes.


Last updated: May 31, 2025