Data Processing Addendum

Effective May 7, 2026

This Data Processing Addendum ("DPA") supplements the Terms of Use and any superseding written agreement (together, the "Agreement") between Pace Technologies Corporation ("Pace Technologies") and the customer that has agreed to the Agreement ("Customer"). It governs the processing of Customer Personal Data by Pace Technologies in connection with the Materials Prep service (the "Service"). By accepting the Agreement, or by continuing to use the Service on or after the effective date above, Customer accepts this DPA. Capitalized terms not defined here have the meanings given in the Agreement or, where the context requires, in the GDPR.

This DPA applies only to the extent Pace Technologies processes Customer Personal Data on Customer's behalf as a processor (or, where applicable, as a service provider or contractor under U.S. state privacy law). Where the SCCs or the UK Addendum apply under Section 8 below, the SCCs or UK Addendum prevail over any conflicting provision of this DPA or the Agreement to the extent necessary to comply with applicable data-protection law.

1. Definitions

"Applicable Data Protection Law" means all data-protection and privacy laws applicable to the processing of Customer Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 ("EU GDPR"), the UK General Data Protection Regulation as incorporated into UK law ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and other U.S. state comprehensive privacy laws.

"Customer Personal Data" means Personal Data that Customer or its authorized users submit to or generate through the Service, and that Pace Technologies processes on Customer's behalf in its role as processor.

"Personal Data", "controller", "processor", "data subject", "processing", "sub-processor", and "supervisory authority" have the meanings given to them in the EU GDPR (or the equivalent terms under other Applicable Data Protection Law).

"SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, available at eur-lex.europa.eu/eli/dec_impl/2021/914.

"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018, version B1.0 in force 21 March 2022.

2. Roles and scope

Roles. For Customer Personal Data processed under this DPA, Customer is the controller (or the processor acting on behalf of a third-party controller) and Pace Technologies is the processor (or the sub-processor, as applicable). Under the CCPA, Customer is the business and Pace Technologies is the service provider or contractor.

Subject matter, duration, nature, purpose, and categories. The subject matter, duration, nature, purpose of the processing, the categories of data subjects, and the categories of Customer Personal Data are set out in Annex I to this DPA.

Customer instructions. Pace Technologies will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country or an international organization, unless required to do so by law to which Pace Technologies is subject. The Agreement, this DPA, the configuration choices Customer makes inside the Service (including which features it enables, who it invites, and what data it submits), and any documented written instructions Customer issues from time to time, together constitute Customer's complete and final instructions. Pace Technologies will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, and may refuse instructions that violate the Agreement or Applicable Data Protection Law.

Customer responsibilities. Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and for the means by which Customer acquired it. Customer represents that it has provided all notices and obtained all consents and lawful bases required for Pace Technologies to process Customer Personal Data as contemplated by the Agreement and this DPA. Customer will not submit special categories of personal data within the meaning of Article 9 of the EU GDPR, protected health information governed by HIPAA, payment card data subject to PCI DSS, or technical data subject to ITAR or EAR export controls to the Service, except with Pace Technologies' prior written consent and on terms designed for that data.

No sale; no targeted advertising. Pace Technologies will not (a) sell or share Customer Personal Data, as those terms are defined under the CCPA, (b) retain, use, or disclose Customer Personal Data for any purpose other than the specific business purpose of providing the Service set out in the Agreement, including for a commercial purpose other than providing the Service, (c) retain, use, or disclose Customer Personal Data outside the direct business relationship between the parties, or (d) combine Customer Personal Data with personal information that Pace Technologies receives from any other source, except as permitted by the CCPA for service providers and contractors. Pace Technologies certifies that it understands these restrictions and will comply with them.

3. Personnel and confidentiality

Pace Technologies will ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality, whether by contract or statute, and that access is limited to those personnel who need it to perform the Agreement. Pace Technologies will train relevant personnel on data-protection and information-security obligations applicable to their role.

4. Security

Pace Technologies will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data. The measures in force as of the effective date are described in Annex II. Pace Technologies may update these measures from time to time provided that the level of protection is not materially reduced.

5. Sub-processors

General authorization. Customer grants Pace Technologies general authorization to engage sub-processors to process Customer Personal Data, subject to the conditions in this Section 5. Pace Technologies' current sub-processors are listed at the Materials Prep Trust page. By accepting this DPA, Customer authorizes the sub-processors listed on that page as of the effective date.

New sub-processors. Pace Technologies will give Customer at least thirty (30) days' advance notice of the addition or replacement of a sub-processor by updating the Trust page or by email to the administrative contact on Customer's account. Customer may object on reasonable data-protection grounds within that period by writing to legal@metallographic.com. Pace Technologies will, in good faith, use commercially reasonable efforts to make available a configuration or feature change that avoids the new sub-processor for Customer's data; if Pace Technologies cannot do so within a reasonable time, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service for convenience by notice to Pace Technologies, with a pro-rated refund of any prepaid fees for the unused portion of the terminated subscription term.

Sub-processor obligations. Pace Technologies will impose on each sub-processor, by written contract, data-protection obligations no less protective in substance than those in this DPA, and will remain liable to Customer for the performance of each sub-processor's obligations.

6. Data subject rights and requests

Pace Technologies will, taking into account the nature of the processing, provide Customer with reasonable assistance by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer's obligation to respond to data-subject requests under Applicable Data Protection Law. The Service provides self-serve export and deletion controls (lab and organization export, organization deletion, individual account-deletion requests) sufficient for most data-subject requests; where those controls are not sufficient, Pace Technologies will provide further commercially reasonable assistance on Customer's documented written request.

If Pace Technologies receives a data-subject request directed to Customer, Pace Technologies will, without undue delay, inform the data subject that the request must be directed to Customer (without otherwise responding to the substance of the request), and notify Customer of the request unless prohibited by law.

7. Personal-data breach notification

Pace Technologies will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any confirmed personal-data breach affecting Customer Personal Data. The notification will, at a minimum and to the extent then known to Pace Technologies, describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Pace Technologies will provide reasonable cooperation with Customer's investigation and notification obligations. Pace Technologies will not notify regulators or affected data subjects on Customer's behalf without Customer's prior written request, except where required by law.

Pace Technologies' notice of, or response to, a personal-data breach is not an acknowledgment by Pace Technologies of any fault or liability with respect to the breach.

8. International transfers

Pace Technologies is operated from the United States and may process Customer Personal Data in the United States and other jurisdictions where its sub-processors operate. To the extent Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision from the competent authority, the parties incorporate the SCCs and the UK Addendum into this DPA as set out below.

EU SCCs. The SCCs are hereby incorporated into this DPA by reference and apply to transfers of Customer Personal Data subject to the EU GDPR from Customer to Pace Technologies. Module Two (controller-to-processor) applies where Customer is a controller; Module Three (processor-to-processor) applies where Customer is itself a processor acting on behalf of a third-party controller. The parties agree as follows:

  • In Clause 7 (docking clause), the optional docking clause is included.
  • In Clause 9 (use of sub-processors), Option 2 (general written authorization) is selected. The notice period for changes to the list of sub-processors is thirty (30) days as set out in Section 5 above.
  • In Clause 11 (redress), the optional independent dispute-resolution language is not included.
  • In Clause 17 (governing law), the SCCs are governed by the law of the Republic of Ireland.
  • In Clause 18 (choice of forum and jurisdiction), the parties agree that disputes arising from the SCCs will be resolved by the courts of the Republic of Ireland.
  • Annex I.A (List of Parties), Annex I.B (Description of Transfer), and Annex I.C (Competent Supervisory Authority) are completed by Annex I to this DPA. Annex II of the SCCs (Technical and Organizational Measures) is completed by Annex II to this DPA. Annex III of the SCCs (List of Sub-processors) is completed by reference to the sub-processor list at /trust.

UK Addendum. The UK Addendum is hereby incorporated into this DPA by reference and applies to transfers of Customer Personal Data subject to the UK GDPR. Table 1 of the UK Addendum is completed by Annex I to this DPA; Table 2 selects the SCCs as the approved EU SCCs incorporated above, with the modules and optional clauses as identified; Table 3 is completed by Annexes I and II to this DPA; Table 4 (the parties that may end the UK Addendum if the ICO issues a revised approved addendum) is set to "neither party."

Swiss FADP. Where the Swiss FADP applies, the SCCs incorporated above apply with the following modifications: (i) references to the EU GDPR are deemed to include the FADP; (ii) the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority; and (iii) data subjects in Switzerland may enforce their rights in Switzerland.

Alternative transfer mechanisms. If a competent authority later approves an alternative valid transfer mechanism (for example, a successor adequacy decision or a certified transfer framework), the parties may, by mutual written agreement, rely on that mechanism instead of, or in addition to, the SCCs and UK Addendum.

9. Audits

Pace Technologies will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the EU GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, on the terms in this Section 9.

Customer's audit right is satisfied if Pace Technologies provides, on written request and subject to reasonable confidentiality obligations, copies of recent third-party attestations, certifications, and audit reports it holds (for example, SOC 2 reports of its sub-processors), together with written responses to a reasonable list of due-diligence questions. An on-site audit is permitted only (a) where Applicable Data Protection Law or a competent supervisory authority requires it, or (b) where there has been a confirmed personal-data breach affecting Customer Personal Data. On-site audits must be (i) requested with at least thirty (30) days' written notice, (ii) conducted during normal business hours, (iii) limited to once per twelve-month period, (iv) scoped narrowly to the relevant systems and records, (v) conducted by an independent auditor bound by appropriate confidentiality obligations, and (vi) at Customer's expense, except where the audit reveals material non-compliance.

10. Return and deletion

On expiration or termination of the Agreement, Pace Technologies will, at Customer's choice, delete or return all Customer Personal Data to Customer, and delete existing copies, unless Applicable Law requires storage of the Customer Personal Data. Customer may, at any time during the Service term, export Customer Personal Data using the self-serve export controls described in the Agreement. Following termination, deletion will occur within a reasonable period not to exceed sixty (60) days, subject to short-term retention in encrypted backups that age out under Pace Technologies' standard backup retention schedule and that remain governed by this DPA until deleted.

11. Liability and indemnity

Each party's and its affiliates' aggregate liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the "Limitation of liability" section of the Agreement. For the avoidance of doubt, any liability arising under this DPA counts toward, and does not increase, the cap in the Agreement, except to the extent applicable data-protection law prohibits such limitation in respect of claims directly brought by data subjects under the SCCs.

12. Order of precedence

If there is a conflict between this DPA and the Agreement, this DPA prevails. If there is a conflict between the SCCs or UK Addendum (as incorporated by Section 8) and any other provision of this DPA or the Agreement, the SCCs or UK Addendum prevail to the extent necessary to comply with Applicable Data Protection Law.

13. Changes to this DPA

Pace Technologies may update this DPA from time to time. If an update materially reduces the protections afforded to Customer Personal Data, or materially changes Customer's obligations, Pace Technologies will notify Customer at least thirty (30) days in advance through the Service or by email to the administrative contact on Customer's account. Updates to reflect changes in Applicable Data Protection Law, in the SCCs, in the UK Addendum, or in Pace Technologies' sub-processor list may take effect on shorter notice as required by the applicable framework.

14. Contact

Pace Technologies Corporation
Privacy and data-protection inquiries: legal@metallographic.com

Annex I — Description of processing

A. List of parties

Data exporter: Customer, acting in the capacity identified in Section 2 above. The exporter's legal name and contact details are those of the entity that has accepted the Agreement, as recorded in the Service's billing or organization records, or as Customer otherwise notifies in writing.

Data importer: Pace Technologies Corporation, an Arizona corporation, operator of the Materials Prep service. Contact for data-protection matters: legal@metallographic.com. Activities relevant to the data transferred: provision of the Materials Prep service to Customer.

B. Description of transfer

Categories of data subjects: (i) Customer's employees, contractors, students, and other personnel that Customer authorizes to use the Service; (ii) individuals whose names, contact information, or other personal data Customer chooses to record in journal entries, sample notes, study notes, or similar free-text fields; (iii) recipients of invitations to join Customer's organization or labs.

Categories of personal data: account-identification data (name, email address, hashed password, role); profile data (display name, organization, lab membership); authentication and session data (IP address, user-agent, sign-in timestamps, multi-factor identifiers); usage and audit data (actions taken in the Service, audit-log entries); content data submitted by Customer to the Service (sample journal entries, recipes, etchant records, study notes, atlas entries, micrograph and journal images, free-text fields that Customer chooses to populate); communications data (transactional email recipients and content, optional Metallogic AI conversation history when the add-on is enabled); billing data processed by the payments sub-processor (last-four card digits and billing address; full card numbers are not received or stored by Pace Technologies).

Sensitive data: none is requested or required by the Service. Customer agrees not to submit special categories of personal data, protected health information governed by HIPAA, payment card data subject to PCI DSS, or technical data subject to ITAR or EAR export controls except as expressly permitted under Section 2.

Frequency of the transfer: continuous, for the duration of the Agreement.

Nature of the processing: hosting, storage, transmission, retrieval, analysis, indexing, generation of model output (where the Metallogic AI add-on is enabled), backup, and deletion, in each case for the purpose of providing the Service.

Purpose of the data transfer and further processing: provision, operation, support, and improvement of the Service in accordance with the Agreement; performance of Pace Technologies' obligations under the Agreement.

Period for which the personal data will be retained: for the duration of the Agreement, plus the post-termination retention period described in Section 10. Encrypted operational backups are retained for the standard backup retention period of the managed-database sub-processor and age out automatically.

Transfers to (sub-) processors: the categories described above are transferred to the sub-processors listed at /trust, each for the subject matter, nature, and duration described there.

C. Competent supervisory authority

For transfers subject to the EU GDPR where Customer is established in an EU Member State, the supervisory authority of that Member State. For transfers subject to the EU GDPR where Customer is not established in the EU but has appointed an Article 27 representative, the supervisory authority of the Member State in which the representative is established. In all other cases of transfers subject to the EU GDPR, the Irish Data Protection Commission. For transfers subject to the UK GDPR, the UK Information Commissioner's Office. For transfers subject to the Swiss FADP, the Swiss Federal Data Protection and Information Commissioner.

Annex II — Technical and organizational measures

Pace Technologies has implemented and maintains technical and organizational measures designed to ensure a level of security appropriate to the risk of the processing, including the measures below. These measures may be updated from time to time provided that the level of protection is not materially reduced. A more detailed description of Pace Technologies' security posture is published at /trust.

  • Encryption. TLS 1.2 or higher in transit; AES-256 (or equivalent) at rest for database storage, file storage, and backups, as provided by the underlying managed-infrastructure sub-processors.
  • Access control. Role-based access control inside the Service; row-level security enforced in the database for tenant isolation; least-privilege access for personnel; multi-factor authentication for administrative access to production systems; signed URLs for time-limited access to stored images.
  • Tenant isolation. Logical isolation by organization and lab identifiers enforced at the database row level so that Customer's data is not accessible to other customers of the Service.
  • Application security. Input validation; protection against common web-application vulnerabilities; rate limiting on authentication and other sensitive endpoints; CAPTCHA on signup; security-relevant HTTP response headers including a Content Security Policy.
  • Logging and monitoring. Append-only audit logging of security-relevant events; application-error and performance monitoring through Sentry, configured to receive error stack traces, request paths, and a lab identifier tag, with default PII collection (IP address, user-agent, request bodies, signed-in user identity) and session replay explicitly disabled.
  • Backup and recovery. Automated daily backups of the managed Postgres instance by the database sub-processor, with at-rest encryption applied to backup storage. Backups are intended for operational recovery and are not a substitute for Customer's own exports.
  • Vendor management. Sub-processors are engaged under written contract with data-protection obligations no less protective in substance than those in this DPA.
  • Personnel. Personnel with access to Customer Personal Data are subject to confidentiality obligations and receive periodic training appropriate to their role.
  • Incident response. Documented procedures for the detection, investigation, containment, and notification of personal-data breaches, consistent with Section 7 of this DPA.
  • Secure development. Source-control with code review for production changes; static analysis and type-checking in continuous integration; dependency-vulnerability scanning.

Annex III — Sub-processors

The list of authorized sub-processors is published and kept current at /trust. That list is incorporated into this DPA by reference and serves as the list required by the SCCs and the UK Addendum.