Data Processing Addendum
This document is a draft. It has not yet been reviewed by a Singapore-qualified lawyer, and it may change. We publish it in draft rather than leave you with nothing to read, because you should be able to see the terms before you commit to them, not after. If a term matters to your decision, email legal@sabikisecurity.com and we will answer it plainly. The version and date at the top of this page will change when it is finalised.
This Data Processing Addendum forms part of your Subscription Agreement automatically. You do not need to sign it for it to apply. If your procurement process requires a countersigned copy, email legal@sabikisecurity.com and we will send one back the same week.
1. Roles
When AIRM processes personal data from your Microsoft 365 tenant, you are the controller (GDPR) and the organisation (PDPA). We are the processor (GDPR) and the data intermediary (PDPA). We process that data only on your documented instructions.
If you are an MSP and you connect a client's tenant, the client is the controller, you are typically a processor to them, and we are a sub-processor. Your agreement with your client needs to permit that. We will support you in evidencing it.
2. What we process, and why
| Subject matter | Discovery, scoring and governance of non-human identities in your Microsoft 365 tenant. |
| Duration | The term of your subscription, plus the retention period in section 8. |
| Nature and purpose | Reading identity metadata through the Microsoft Graph API; scoring it; presenting it; producing reports and compliance evidence. |
| Categories of data subject | Your personnel who own, created, or consented to an application or service principal. Incidentally, your personnel named as owners of a non-human identity. |
| Categories of personal data | Name, work email address, user principal name, and the association between that person and a non-human identity. |
| Special category data | None. AIRM does not process special category data, and it does not read your emails, files or content. |
3. Our obligations
- We process personal data only on your documented instructions, including as to international transfers, unless the law requires otherwise, in which case we will tell you first unless the law forbids it.
- Everyone we allow to process your personal data is under a duty of confidentiality.
- We implement appropriate technical and organisational measures (section 6).
- We do not engage a sub-processor without the authorisation in section 4.
- We assist you, so far as we reasonably can, in responding to data subject requests, and in your obligations under Articles 32 to 36 GDPR.
- On termination we delete or return personal data as you elect (section 8).
- We make available the information you need to demonstrate compliance, and we allow audits (section 9).
4. Sub-processors
You give general authorisation for us to use sub-processors. The current list is published at sabikisecurity.com/airm-subprocessors.
We will notify you before we add or replace a sub-processor that processes your personal data. You may object on reasonable, documented data protection grounds. If we cannot resolve your objection, you may terminate the affected part of your subscription without penalty and we will refund the unused prepaid portion.
Every sub-processor is bound by written terms no less protective than these.
5. International transfers
Where your data actually is. The AIRM product and the customer portal run on Microsoft Azure, in the Southeast Asia region (Singapore). The identity inventory and risk findings are stored in MongoDB Atlas, a managed database service, running on Azure in the same Singapore region. Customer tenant data is stored in Singapore. Both are named, with their certifications, on our sub-processor page.
Where personal data is transferred out of the EEA or the UK, the European Commission's Standard Contractual Clauses (Module Two, controller to processor) and the UK International Data Transfer Addendum are incorporated into this DPA by reference and take effect automatically. Where they conflict with anything else in this DPA, they win.
Where personal data is transferred out of Singapore, we ensure the recipient is bound to a standard of protection comparable to the PDPA, as the Transfer Limitation Obligation requires.
The Standard Contractual Clauses operate through their annexes: Annex I (the parties and a description of the processing), Annex II (our technical and organisational measures) and Annex III (our sub-processors, being Microsoft Azure and MongoDB Atlas). All three are drafted and in legal review. We provide them with a countersigned DPA, and we will send them to you before you sign if you ask. Email dpo@sabikisecurity.com. We would rather you read them than assume them.
6. Security
Our measures are architectural before they are procedural, which is a deliberate choice:
- Read-only. AIRM cannot write to, modify, or delete anything in your tenant. There is no code path that does.
- Agentless. Nothing is installed in your environment.
- Least privilege. Only read scopes are requested. They are listed publicly on our Trust page.
- Data minimisation. We store identity metadata and risk findings. We do not store your content.
- Revocable. You can end our access from the Entra admin centre at any time, without contacting us. Access stops immediately.
- Encryption in transit and at rest.
- Access control. Access to customer data is restricted to personnel who need it, and is logged.
A SOC 2 audit is presently underway. We will publish the report when it is issued. We will not claim a certification before it exists.
7. Personal data breach
We will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, and in any event in time for you to meet your own 72-hour GDPR obligation and your PDPC obligations. Our notification will describe what happened, the categories and approximate numbers affected, the likely consequences, and what we are doing about it. If we cannot give you everything at once, we will give you what we have and follow up.
8. Deletion and return
On termination or expiry, we delete your personal data within 90 days, unless you ask us in writing to return it first, in which case we will export it in a commonly used machine-readable format and then delete it. If the law requires us to keep something, we will keep only that, only for as long as required, and it stays protected by this DPA.
You may ask us to delete sooner, at any time, and we will.
9. Audit
We will make available the information reasonably necessary to demonstrate our compliance with this DPA, and we will contribute to audits conducted by you or an auditor you appoint. In practice this normally means our documentation, our security questionnaire responses, and, when it is issued, our SOC 2 report. If that is not enough for your regulator, we will discuss an on-site audit in good faith, on reasonable notice, at your cost, and no more than once a year unless a breach or a regulator requires otherwise.
10. Liability
The limitations of liability in the Subscription Agreement apply to this DPA, except where the law does not permit them to.
11. Conflict
If this DPA conflicts with the Subscription Agreement, this DPA wins on anything to do with the processing of personal data.
← All legal documents