Legal › Data Processing Addendum

Data Processing Addendum

Version 1.0 (draft)Effective 13 July 2026Sabiki Pte. Ltd. · UEN 202135394K · Singapore
Draft, in legal review

This document is a draft. It has not yet been reviewed by a Singapore-qualified lawyer, and it may change. We publish it in draft rather than leave you with nothing to read, because you should be able to see the terms before you commit to them, not after. If a term matters to your decision, email legal@sabikisecurity.com and we will answer it plainly. The version and date at the top of this page will change when it is finalised.

This Data Processing Addendum forms part of your Subscription Agreement automatically. You do not need to sign it for it to apply. If your procurement process requires a countersigned copy, email legal@sabikisecurity.com and we will send one back the same week.

1. Roles

When AIRM processes personal data from your Microsoft 365 tenant, you are the controller (GDPR) and the organisation (PDPA). We are the processor (GDPR) and the data intermediary (PDPA). We process that data only on your documented instructions.

If you are an MSP and you connect a client's tenant, the client is the controller, you are typically a processor to them, and we are a sub-processor. Your agreement with your client needs to permit that. We will support you in evidencing it.

2. What we process, and why

Subject matterDiscovery, scoring and governance of non-human identities in your Microsoft 365 tenant.
DurationThe term of your subscription, plus the retention period in section 8.
Nature and purposeReading identity metadata through the Microsoft Graph API; scoring it; presenting it; producing reports and compliance evidence.
Categories of data subjectYour personnel who own, created, or consented to an application or service principal. Incidentally, your personnel named as owners of a non-human identity.
Categories of personal dataName, work email address, user principal name, and the association between that person and a non-human identity.
Special category dataNone. AIRM does not process special category data, and it does not read your emails, files or content.

3. Our obligations

4. Sub-processors

You give general authorisation for us to use sub-processors. The current list is published at sabikisecurity.com/airm-subprocessors.

We will notify you before we add or replace a sub-processor that processes your personal data. You may object on reasonable, documented data protection grounds. If we cannot resolve your objection, you may terminate the affected part of your subscription without penalty and we will refund the unused prepaid portion.

Every sub-processor is bound by written terms no less protective than these.

5. International transfers

Where your data actually is. The AIRM product and the customer portal run on Microsoft Azure, in the Southeast Asia region (Singapore). The identity inventory and risk findings are stored in MongoDB Atlas, a managed database service, running on Azure in the same Singapore region. Customer tenant data is stored in Singapore. Both are named, with their certifications, on our sub-processor page.

Where personal data is transferred out of the EEA or the UK, the European Commission's Standard Contractual Clauses (Module Two, controller to processor) and the UK International Data Transfer Addendum are incorporated into this DPA by reference and take effect automatically. Where they conflict with anything else in this DPA, they win.

Where personal data is transferred out of Singapore, we ensure the recipient is bound to a standard of protection comparable to the PDPA, as the Transfer Limitation Obligation requires.

The SCC annexes

The Standard Contractual Clauses operate through their annexes: Annex I (the parties and a description of the processing), Annex II (our technical and organisational measures) and Annex III (our sub-processors, being Microsoft Azure and MongoDB Atlas). All three are drafted and in legal review. We provide them with a countersigned DPA, and we will send them to you before you sign if you ask. Email dpo@sabikisecurity.com. We would rather you read them than assume them.

6. Security

Our measures are architectural before they are procedural, which is a deliberate choice:

A SOC 2 audit is presently underway. We will publish the report when it is issued. We will not claim a certification before it exists.

7. Personal data breach

We will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, and in any event in time for you to meet your own 72-hour GDPR obligation and your PDPC obligations. Our notification will describe what happened, the categories and approximate numbers affected, the likely consequences, and what we are doing about it. If we cannot give you everything at once, we will give you what we have and follow up.

8. Deletion and return

On termination or expiry, we delete your personal data within 90 days, unless you ask us in writing to return it first, in which case we will export it in a commonly used machine-readable format and then delete it. If the law requires us to keep something, we will keep only that, only for as long as required, and it stays protected by this DPA.

You may ask us to delete sooner, at any time, and we will.

9. Audit

We will make available the information reasonably necessary to demonstrate our compliance with this DPA, and we will contribute to audits conducted by you or an auditor you appoint. In practice this normally means our documentation, our security questionnaire responses, and, when it is issued, our SOC 2 report. If that is not enough for your regulator, we will discuss an on-site audit in good faith, on reasonable notice, at your cost, and no more than once a year unless a breach or a regulator requires otherwise.

10. Liability

The limitations of liability in the Subscription Agreement apply to this DPA, except where the law does not permit them to.

11. Conflict

If this DPA conflicts with the Subscription Agreement, this DPA wins on anything to do with the processing of personal data.

← All legal documents