Legal › Privacy Policy

Privacy Policy

Version 1.0Effective 13 July 2026Sabiki Pte. Ltd. · UEN 202135394K · Singapore

This policy explains what personal data we collect, why we collect it, who we share it with, and what you can do about it. It applies to sabikisecurity.com, to the AIRM portal, and to the AIRM product.

1. Who we are

SABIKI PTE. LTD. ("Sabiki", "we", "us") is a company incorporated in Singapore on 11 October 2021, UEN 202135394K. We trade as Sabiki Security. Our registered office is 36 Robinson Road, #20-01 City House, Singapore 068877. We build AIRM, the independent Non-Human Identity Control Plane for Microsoft 365.

We are the organisation responsible for personal data under Singapore's Personal Data Protection Act 2012 (PDPA), and the data controller under the EU and UK GDPR where those apply. When AIRM processes data inside your Microsoft 365 tenant, we act as a data intermediary (PDPA) and a processor (GDPR) on your instructions.

2. Our Data Protection Officer

As section 11(3) of the PDPA requires, we have appointed a Data Protection Officer. Ours is Stuart, a director of the company. You can reach him at dpo@sabikisecurity.com, or by post at the address above.

We are a small company and we do not pretend otherwise. The person responsible for your data is a director, he reads the mail himself, and he answers it.

3. What we collect, and why

3.1 When you visit our website

We do not set cookies. We do not use analytics. We do not track you across the web, and we do not carry advertising pixels. We think that is how it should be, and you can verify it in your browser's developer tools in about ten seconds.

Our hosting provider, Netlify, records standard server logs when your browser requests a page: your IP address, your browser type, the page requested, and the time. This is necessary to serve the site and to protect it from abuse.

Our site loads typefaces from Google Fonts, which means your IP address is transmitted to Google when the fonts load. We use Google Fonts for typography only, and we receive nothing about you from Google in return.

Legal basis (GDPR): our legitimate interest in operating and securing our website.

3.2 Chat

We do not operate a chat widget. If we introduce one, this policy will say so before it goes live, and it will tell you exactly where your messages go.

3.3 When you subscribe to the blog

There is exactly one place on our site where we ask for an email address: the blog. If you subscribe, we email you when we publish. Nothing else, no more than twice a month, and there is a one-click unsubscribe in every message.

The submission is received by Netlify, our website host, and passed to us. We do not add you to any other list, we do not sell your address, and we do not pass it to anyone else.

Legal basis (GDPR): your consent, which you may withdraw at any time by replying to any message, or by writing to us.

3.4 The MSP ROI calculator collects nothing at all

Worth stating plainly

The MSP ROI calculator runs entirely in your browser. Your tenant count, your margin, your service fees and every number it produces are never sent to us, never stored, and never leave your device. There is no form on that page, no email field, and no network request. Close the tab and it is gone.

We do not ask for your email in exchange for the numbers, because we do not need it, and because gating a calculator behind a form is how you turn a useful tool into a lead magnet. The tool is for you.

3.5 When you book a demonstration

Demonstration booking is handled by Cal.com, which collects your name, email address and whatever you type into the booking form, under its own privacy policy. We receive the booking.

3.6 When you create an AIRM account

We collect the information needed to create and operate your account: your name, your work email address, your organisation, and the Microsoft 365 tenant you connect. We use it to run the assessment you asked for, to support you, and to bill you.

Legal basis (GDPR): performance of a contract with you.

3.7 When you use AIRM

This is the part that matters most, so we will be precise.

AIRM connects to your Microsoft 365 tenant using read-only Microsoft Graph permissions. It discovers and scores non-human identities: service accounts, app registrations, OAuth-connected applications, service principals, connectors, Copilots and AI agents.

What AIRM stores: the identity inventory and the risk findings needed to produce your report and your Sabiki NHI Risk Score.

What AIRM does not store: your emails, your files, your documents, or any of your business content. AIRM does not read them.

Incidental personal data. Some identity records contain personal data, most obviously the name or email address of the person who owns, created or consented to an application. AIRM records this because "who is accountable for this identity" is the entire point of the product. We process it on your instructions under the Data Processing Addendum.

Revocation. You can revoke AIRM's access from the Microsoft Entra admin centre at any time. Access ends immediately.

3.8 When you pay us

Payments are handled by Paddle, our merchant of record. Paddle collects your billing name, billing address, email address and payment details directly, under its own terms and privacy policy. We never see or store your card number. Because Paddle is the seller of record, it is a controller in its own right for that billing data, not merely our processor. It is listed on our sub-processor page.

Automated scoring

AIRM produces a risk score automatically. No decision in AIRM is automated. AIRM ranks and recommends; a person reviews and acts. We explain what the score is, what it is not, and how to challenge it, in our Automated Risk Scoring Disclosure.

4. Who we share it with

We do not sell personal data. We never have, and we will not.

We use the service providers listed in our sub-processor list, each of which processes data only on our instructions and under a written agreement. That list is kept current, and we will tell customers before we add a new one that processes their data.

We will also disclose personal data where the law requires it, or where it is necessary to establish, exercise or defend a legal claim.

5. Where your data goes

Some of our service providers are located outside Singapore. Where we transfer personal data out of Singapore we take steps to ensure the recipient provides a standard of protection comparable to the PDPA, as the Transfer Limitation Obligation requires. For transfers out of the EEA or the UK we rely on the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum.

Hosting and data residency. The AIRM product and the customer portal run on Microsoft Azure, in the Southeast Asia region (Singapore). The identity inventory and risk findings are stored in MongoDB Atlas, a managed database service, running on Azure in that same Singapore region. Customer tenant data stays in Singapore. Azure and MongoDB Atlas are both listed on our sub-processor page, with their certifications.

If you are in the EEA or the UK, personal data reaching Singapore is a transfer out, and it is covered by the Standard Contractual Clauses and the UK International Data Transfer Addendum set out in our Data Processing Addendum. We will send you the annexes before you sign if you ask.

6. How long we keep it

DataRetention
Server logsAs retained by our hosting provider in the ordinary course, typically 30 days.
Enquiries and demo bookings24 months from our last contact with you.
Blog subscribersUntil you unsubscribe. Your address is held for that one purpose and deleted when you ask us to stop.
Account and scan dataFor the life of your subscription, and 90 days after it ends, after which it is deleted. You may ask us to delete it sooner.
Billing recordsAs long as Singapore tax and accounting law requires, currently five years.

We do not keep personal data for longer than we need it. When the purpose is exhausted and no law requires us to keep it, we delete it.

7. How we protect it

We would rather show you the architecture than assert that we are secure.

Sabiki AIRM is a Microsoft Verified Publisher. That means Microsoft has confirmed our identity as the publisher of the application. It is a statement about who we are, not a certification of the product, and we will not present it as one.

A SOC 2 audit is presently underway. We will update this page when the report is issued. We will not claim a certification before it exists.

8. Your rights

Under the PDPA you may:

If you are in the EU or the UK, you additionally have the right to erasure, restriction of processing, data portability, and to object to processing we base on legitimate interests. You may also complain to your local supervisory authority.

To exercise any of these, write to dpo@sabikisecurity.com. We will respond as quickly as we reasonably can, and within the time the law allows.

If you are an end user of an MSP

If your IT provider uses AIRM to manage your tenant, your relationship is with them, and they are the organisation responsible for your data. Please contact them first. We will support them in answering you.

9. Data breaches

If a data breach occurs that is likely to result in significant harm to affected individuals, or is of a significant scale, we will notify the Personal Data Protection Commission as soon as practicable and in any event no later than three calendar days after we complete our assessment, and we will notify affected individuals as soon as practicable, as Part 6A of the PDPA requires.

Where the GDPR applies, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach where we are required to.

Where we act as a processor for a customer, we will notify that customer without undue delay so that they can meet their own obligations.

10. Children

We sell to businesses. Our services are not directed at children and we do not knowingly collect personal data from anyone under 18.

11. Changes to this policy

If we change this policy we will update the version and date at the top. If a change is material, we will tell affected customers directly rather than relying on you to notice.

12. Contact

Data Protection Officer: dpo@sabikisecurity.com
General: contact@sabikisecurity.com
Post: Sabiki Pte. Ltd., 36 Robinson Road, #20-01 City House, Singapore 068877

If you are not satisfied with our response you may contact the Personal Data Protection Commission of Singapore at pdpc.gov.sg.

← All legal documents