DATA PROCESSING ADDENDUM 

DigitalCNC Ltd 

Version 2.0 | Effective November 2025 

This Data Processing Addendum (“DPA”) forms part of the End User License Agreement between DigitalCNC Ltd  (“DigitalCNC”, “Processor”) and the Customer (“Customer”, “Controller”) and governs the processing of Personal  Data by DigitalCNC on behalf of Customer in connection with the provision of Software, Support Services, and  Professional Services (collectively, “Services”). This DPA applies only to the extent that DigitalCNC processes  Personal Data on behalf of Customer as a Processor in accordance with Customer’s instructions. 

  1. DEFINITIONS AND INTERPRETATION 

1.1 Definitions. In this DPA, the following terms shall have the meanings set out below: 

  • “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal  Data, including (a) the UK General Data Protection Regulation (UK GDPR) as defined in the Data Protection  Act 2018 (DPA 2018); (b) the DPA 2018; (c) the Privacy and Electronic Communications Regulations 2003  (SI 2003/2426); and (d) any successor or replacement legislation, in each case as amended, replaced, or  superseded from time to time. 
  • “Personal Data” means any personal data (as defined in Data Protection Laws) that is processed by  DigitalCNC on behalf of Customer in connection with the Services. 
  • “Processing” has the meaning given in Data Protection Laws and “Process”, “Processes” and “Processed”  shall be construed accordingly. 
  • “Controller”, “Processor”, “Data Subject”, “Supervisory Authority”, and “Personal Data Breach” have  the meanings given in Data Protection Laws. 
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of  personal data to processors established in third countries approved by the European Commission or UK  authorities, as applicable. 
  • “Sub-processor” means any third party appointed by DigitalCNC to Process Personal Data on behalf of  Customer in connection with the Services. 

1.2 Interpretation. References to “Agreement” mean the End User License Agreement between the parties.  Terms not defined in this DPA have the meanings given in the Agreement or Data Protection Laws. In the event  of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of  Personal Data. 

  2. ROLES AND SCOPE OF PROCESSING 

2.1 Roles of the Parties. The parties acknowledge and agree that: 

  • Customer is the Controller of Personal Data and determines the purposes and means of Processing Personal  Data. 
  • DigitalCNC is the Processor of Personal Data and Processes Personal Data only on behalf of Customer and  in accordance with Customer’s documented instructions. 
  • Each party shall comply with its respective obligations under Data Protection Laws.

DigitalCNC shall not Process Personal Data other than on the documented instructions of Customer, except where required by applicable law, in which case DigitalCNC shall inform Customer of such legal requirement before Processing (unless prohibited by law from doing so).

2.2 Nature and Purpose of Processing. DigitalCNC Processes Personal Data solely for the purpose of providing  the Services to Customer as set out in the Agreement. The Software operates on-premise on Customer’s  systems, and Personal Data is processed and stored locally on Customer’s infrastructure. DigitalCNC may access  Personal Data only when provided by Customer for support, troubleshooting, or professional services purposes. 

2.3 Details of Processing. The subject matter, duration, nature, purpose, type of Personal Data, and categories of  Data Subjects are set out in Annex 1 (Details of Processing) to this DPA. 

2.4 Customer Instructions. Customer instructs DigitalCNC to Process Personal Data as necessary to: 

  • Provide the Services in accordance with the Agreement; 
  • Provide Support Services, including remote troubleshooting when requested by Customer;
  • Provide Professional Services as agreed in statements of work;
  • Comply with other reasonable instructions provided by Customer that are consistent with the terms of the  Agreement. 

DigitalCNC shall promptly inform Customer if, in DigitalCNC’s opinion, an instruction from Customer infringes  Data Protection Laws or is otherwise unlawful. 

  3. SECURITY OF PROCESSING 

3.1 Security Measures. Taking into account the state of the art, the costs of implementation, and the nature,  scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and  freedoms of natural persons, DigitalCNC shall implement appropriate technical and organizational measures to  ensure a level of security appropriate to the risk. Such measures are set out in Annex 2 (Technical and  Organizational Security Measures) to this DPA. 

3.2 Confidentiality. DigitalCNC shall ensure that all personnel authorized to Process Personal Data: (a) are  subject to appropriate obligations of confidentiality; (b) receive appropriate training on Data Protection Laws; (c)  Process Personal Data only as necessary; and (d) do not Process Personal Data for any other purpose. 

3.3 Security Updates. DigitalCNC shall review and update its security measures regularly and notify Customer of  any material changes that may affect the security of Personal Data. 

  4. SUB-PROCESSORS 

4.1 General Authorization. Customer provides general authorization for DigitalCNC to engage Sub-processors  to Process Personal Data, provided that DigitalCNC complies with the requirements set out in this Section 4. 

4.2 Current Sub-processors. A list of DigitalCNC’s current Sub-processors is set out in Annex 3 (List of Sub-processors) to this DPA. 

4.3 Sub-processor Obligations. DigitalCNC shall: (a) conduct appropriate due diligence on each Sub-processor  before engagement; (b) impose data protection obligations on each Sub-processor that are materially equivalent  to those in this DPA; (c) ensure that Sub-processors are bound by written agreements; and (d) remain fully liable  to Customer for the performance of any Sub-processor’s obligations. 

4.4 New Sub-processors. DigitalCNC shall provide Customer with at least 30 days’ prior written notice of the  addition or replacement of any Sub-processor. Customer may object on reasonable grounds by notifying  DigitalCNC within 14 days. If unresolved, Customer may terminate the affected Services.

  5. DATA SUBJECT RIGHTS 

5.1 Assistance. DigitalCNC shall provide reasonable assistance to Customer to respond to Data Subject  requests. Given on-premises operations, Customer retains primary responsibility. 

5.2 Requests to DigitalCNC. If DigitalCNC receives a Data Subject request, it shall promptly inform Customer  and not respond except as instructed or required by law. 

  6. PERSONAL DATA BREACHES 

6.1 Notification. DigitalCNC shall notify Customer without undue delay and within 48 hours of becoming aware of  any Personal Data Breach. 

6.2 Contents. Notification shall include nature of breach, data subjects affected, likely consequences, and  measures taken. 

  7. AUDITS AND COMPLIANCE 

7.1 Audit Rights. Customer may audit DigitalCNC’s compliance once per year with 30 days’ notice, subject to  reasonable conditions. 

7.2 Certifications. DigitalCNC may provide third-party audit reports (ISO 27001, SOC 2, or equivalent) in lieu of  audit. 

  8. INTERNATIONAL TRANSFERS OF PERSONAL DATA 

8.1 Restricted Transfers. Given on-premises operations, DigitalCNC does not routinely transfer Personal Data  outside UK/EEA. 

8.2 Support Transfers. Where Personal Data is accessed by DigitalCNC personnel outside UK/EEA for support  purposes, appropriate safeguards including Standard Contractual Clauses shall apply per Annex 4. 

  9. DELETION OR RETURN OF PERSONAL DATA 

9.1 On-Premises Data. Customer is responsible for deleting Personal Data from its own systems upon  termination. 

9.2 Data Held by DigitalCNC. DigitalCNC shall return or delete any Personal Data held on its systems within 30  days of termination. 

  10. LIABILITY AND INDEMNIFICATION 

10.1 Limitation. Liability under this DPA is subject to the limitations in the Agreement. 

10.2 Indemnification. The indemnification provisions in Agreement Section 9.5 apply to DPA breaches. 

  11. GENERAL PROVISIONS 

11.1 Amendments. DigitalCNC may amend this DPA with 30 days’ notice. 

11.2 Governing Law. This DPA is governed by the laws of England and Wales.

ANNEX 1: DETAILS OF PROCESSING 

Subject Matter: Processing of Personal Data to provide DigitalCNC CNC control software and services.

Duration: For the duration of the Agreement.

Nature and Purpose: Software provision, technical support, professional services, license validation.

Type of Personal Data: Contact information, account credentials, technical data, usage data.

Categories of Data Subjects: Customer employees, contractors, authorized users.

ANNEX 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES 

DigitalCNC implements appropriate security measures including: 

  • Access Control: Physical and system access controls, role-based access, multi-factor authentication
  • Encryption: TLS 1.2+ for data in transit, AES-256 for data at rest
  • Logging and Monitoring: Access logs, security monitoring, incident response procedures
  • Personnel Security: Confidentiality agreements, security training
  • Security Testing: Regular vulnerability assessments and penetration testing
  • Certifications: DigitalCNC is currently working towards Cyber Essentials certification

Note: Given on-premises operations, Customer is responsible for security of its own infrastructure.

ANNEX 3: LIST OF SUB-PROCESSORS 

DigitalCNC engages the following Sub-processors to Process Personal Data on behalf of Customer:

Current Sub-processors (as of November 2025):

  1. Sub-processor Name: Hiver 

 Service Provided: Support ticket management and trial request tracking 

 Location: United States (AWS) 

 Processing Activities: Management of customer support communications, bug tracking, and trial request  handling integrated with email systems 

  2. Sub-processor Name: Cryptolens 

 Service Provided: License management and activation 

 Location: Sweden (EU) 

 Processing Activities: Storage of licensed user identification data and device identifiers for license validation

  3. Sub-processor Name: Stripe 

 Service Provided: Payment processing 

 Location: United States / EU 

 Processing Activities: Processing of payment information and customer billing details

  4. Sub-processor Name: Microsoft Clarity 

 Service Provided: Web analytics for license server website 

 Location: United States 

 Processing Activities: Collection of website usage analytics and user interaction data 

Notification: Customer will receive 30 days’ prior notice of any changes to this list in accordance with Section 4.4  of the DPA. 

ANNEX 4: STANDARD CONTRACTUAL CLAUSES 

This Annex applies only to the extent that DigitalCNC transfers Personal Data outside the UK or EEA. 

The parties agree to execute applicable Standard Contractual Clauses (EU SCCs Module Two: Controller-to-Processor or UK IDTA) as appropriate for international transfers, with details as specified in Annexes 1-3.