Effective date: January 1, 2025
Last updated: February 1, 2025
This Data Processing Agreement (“DPA”) forms part of the agreement between MORI Inc. (“Processor”) and the customer (“Controller”) using the BIZ MORI API. It governs the processing of personal data on behalf of the Controller, in compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
This DPA applies when you, as a Controller, submit personal data (e.g., images containing identifiable persons) to the BIZ MORI API for processing.
1. Definitions
| Term | Meaning |
|---|---|
| Controller | The customer who determines the purposes and means of processing personal data |
| Processor | MORI Inc., which processes personal data on behalf of the Controller |
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on personal data |
| Sub-processor | Any third party engaged by the Processor to process personal data |
2. Nature and Purpose of Processing
The Processor processes personal data solely to:
- Apply Anti-AI protection to submitted images
- Embed or extract digital watermarks from submitted images
- Deliver processed output to the Controller via presigned download URLs
Processing is performed on documented instructions from the Controller as specified in API requests. The Processor will not process personal data for any other purpose.
3. Duration
This DPA remains in effect for the duration of the Service agreement and terminates automatically upon account closure, subject to the data retention periods in Section 7.
4. Controller Obligations
The Controller warrants that:
- It has a valid legal basis for submitting personal data to the Processor.
- It has provided required notices and obtained necessary consents from data subjects.
- It will comply with applicable data protection laws in its use of the Service.
5. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller.
- Ensure that authorized personnel are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (see Section 6).
- Assist the Controller in responding to data subject requests.
- Delete or return personal data upon termination (see Section 7).
- Maintain records of processing activities.
- Notify the Controller within 72 hours of becoming aware of a personal data breach.
6. Security Measures
The Processor implements the following technical and organizational measures:
| Category | Measure |
|---|---|
| Encryption | TLS 1.2+ for data in transit; AES-256 for data at rest |
| Access control | Role-based access; least-privilege principle |
| Infrastructure | Hosted on ISO 27001-certified cloud infrastructure |
| Monitoring | 24/7 security event logging and alerting |
| Incident response | Documented breach response procedure |
7. Data Retention and Deletion
| Data | Retention | Action on Termination |
|---|---|---|
| Submitted files (input) | Deleted immediately after processing | N/A |
| Processed output files | 7 days from completion | Deleted automatically |
| API request logs | 90 days | Deleted on schedule |
| Account data | 30 days after account deletion | Deleted on schedule |
8. Sub-processors
The Processor uses the following sub-processors to deliver the Service:
| Sub-processor | Location | Purpose |
|---|---|---|
| Amazon Web Services (AWS) | Global | Cloud compute and storage |
The Processor will notify the Controller of any changes to this list with at least 14 days’ notice, giving the Controller the opportunity to object.
9. Data Subject Rights
The Processor will assist the Controller in fulfilling data subject requests (access, erasure, rectification, portability) within a commercially reasonable time. Contact mori@mori-corp.io to initiate a request.
10. International Data Transfers
Where personal data is transferred outside the EEA, the Processor ensures appropriate safeguards in accordance with GDPR Chapter V, including Standard Contractual Clauses (SCCs) where applicable.
11. Audit Rights
The Controller may audit the Processor’s compliance with this DPA no more than once per year, upon 30 days’ written notice, at the Controller’s expense. The Processor may satisfy audit requests through provision of third-party certification reports (e.g., ISO 27001) where applicable.
12. Governing Law
This DPA is governed by the laws of the Republic of Korea, consistent with the main Terms of Service.
For DPA-related inquiries:
MORI Inc.
Email: mori@mori-corp.io
Website: https://developers.mori.art