Privacy Policy
This policy explains what personal data we collect, why we collect it, who we share it with, and what you can do about it. It applies to sabikisecurity.com, to the AIRM portal, and to the AIRM product.
1. Who we are
SABIKI PTE. LTD. ("Sabiki", "we", "us") is a company incorporated in Singapore on 11 October 2021, UEN 202135394K. We trade as Sabiki Security. Our registered office is 36 Robinson Road, #20-01 City House, Singapore 068877. We build AIRM, the independent Non-Human Identity Control Plane for Microsoft 365.
We are the organisation responsible for personal data under Singapore's Personal Data Protection Act 2012 (PDPA), and the data controller under the EU and UK GDPR where those apply. When AIRM processes data inside your Microsoft 365 tenant, we act as a data intermediary (PDPA) and a processor (GDPR) on your instructions.
2. Our Data Protection Officer
As section 11(3) of the PDPA requires, we have appointed a Data Protection Officer. Ours is Stuart, a director of the company. You can reach him at dpo@sabikisecurity.com, or by post at the address above.
We are a small company and we do not pretend otherwise. The person responsible for your data is a director, he reads the mail himself, and he answers it.
3. What we collect, and why
3.1 When you visit our website
We do not set cookies. We do not use analytics. We do not track you across the web, and we do not carry advertising pixels. We think that is how it should be, and you can verify it in your browser's developer tools in about ten seconds.
Our hosting provider, Netlify, records standard server logs when your browser requests a page: your IP address, your browser type, the page requested, and the time. This is necessary to serve the site and to protect it from abuse.
Our site loads typefaces from Google Fonts, which means your IP address is transmitted to Google when the fonts load. We use Google Fonts for typography only, and we receive nothing about you from Google in return.
Legal basis (GDPR): our legitimate interest in operating and securing our website.
3.2 Chat
We do not operate a chat widget. If we introduce one, this policy will say so before it goes live, and it will tell you exactly where your messages go.
3.3 When you subscribe to the blog
There is exactly one place on our site where we ask for an email address: the blog. If you subscribe, we email you when we publish. Nothing else, no more than twice a month, and there is a one-click unsubscribe in every message.
The submission is received by Netlify, our website host, and passed to us. We do not add you to any other list, we do not sell your address, and we do not pass it to anyone else.
Legal basis (GDPR): your consent, which you may withdraw at any time by replying to any message, or by writing to us.
3.4 The MSP ROI calculator collects nothing at all
The MSP ROI calculator runs entirely in your browser. Your tenant count, your margin, your service fees and every number it produces are never sent to us, never stored, and never leave your device. There is no form on that page, no email field, and no network request. Close the tab and it is gone.
We do not ask for your email in exchange for the numbers, because we do not need it, and because gating a calculator behind a form is how you turn a useful tool into a lead magnet. The tool is for you.
3.5 When you book a demonstration
Demonstration booking is handled by Cal.com, which collects your name, email address and whatever you type into the booking form, under its own privacy policy. We receive the booking.
3.6 When you create an AIRM account
We collect the information needed to create and operate your account: your name, your work email address, your organisation, and the Microsoft 365 tenant you connect. We use it to run the assessment you asked for, to support you, and to bill you.
Legal basis (GDPR): performance of a contract with you.
3.7 When you use AIRM
This is the part that matters most, so we will be precise.
AIRM connects to your Microsoft 365 tenant using read-only Microsoft Graph permissions. It discovers and scores non-human identities: service accounts, app registrations, OAuth-connected applications, service principals, connectors, Copilots and AI agents.
What AIRM stores: the identity inventory and the risk findings needed to produce your report and your Sabiki NHI Risk Score™.
What AIRM does not store: your emails, your files, your documents, or any of your business content. AIRM does not read them.
Incidental personal data. Some identity records contain personal data, most obviously the name or email address of the person who owns, created or consented to an application. AIRM records this because "who is accountable for this identity" is the entire point of the product. We process it on your instructions under the Data Processing Addendum.
Revocation. You can revoke AIRM's access from the Microsoft Entra admin centre at any time. Access ends immediately.
3.8 When you pay us
Payments are handled by Paddle, our merchant of record. Paddle collects your billing name, billing address, email address and payment details directly, under its own terms and privacy policy. We never see or store your card number. Because Paddle is the seller of record, it is a controller in its own right for that billing data, not merely our processor. It is listed on our sub-processor page.
AIRM produces a risk score automatically. No decision in AIRM is automated. AIRM ranks and recommends; a person reviews and acts. We explain what the score is, what it is not, and how to challenge it, in our Automated Risk Scoring Disclosure.
4. Who we share it with
We do not sell personal data. We never have, and we will not.
We use the service providers listed in our sub-processor list, each of which processes data only on our instructions and under a written agreement. That list is kept current, and we will tell customers before we add a new one that processes their data.
We will also disclose personal data where the law requires it, or where it is necessary to establish, exercise or defend a legal claim.
5. Where your data goes
Some of our service providers are located outside Singapore. Where we transfer personal data out of Singapore we take steps to ensure the recipient provides a standard of protection comparable to the PDPA, as the Transfer Limitation Obligation requires. For transfers out of the EEA or the UK we rely on the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum.
Hosting and data residency. The AIRM product and the customer portal run on Microsoft Azure, in the Southeast Asia region (Singapore). The identity inventory and risk findings are stored in MongoDB Atlas, a managed database service, running on Azure in that same Singapore region. Customer tenant data stays in Singapore. Azure and MongoDB Atlas are both listed on our sub-processor page, with their certifications.
If you are in the EEA or the UK, personal data reaching Singapore is a transfer out, and it is covered by the Standard Contractual Clauses and the UK International Data Transfer Addendum set out in our Data Processing Addendum. We will send you the annexes before you sign if you ask.
6. How long we keep it
| Data | Retention |
|---|---|
| Server logs | As retained by our hosting provider in the ordinary course, typically 30 days. |
| Enquiries and demo bookings | 24 months from our last contact with you. |
| Blog subscribers | Until you unsubscribe. Your address is held for that one purpose and deleted when you ask us to stop. |
| Account and scan data | For the life of your subscription, and 90 days after it ends, after which it is deleted. You may ask us to delete it sooner. |
| Billing records | As long as Singapore tax and accounting law requires, currently five years. |
We do not keep personal data for longer than we need it. When the purpose is exhausted and no law requires us to keep it, we delete it.
7. How we protect it
We would rather show you the architecture than assert that we are secure.
- Read-only. AIRM cannot change anything in your tenant.
- Agentless. Nothing is installed in your environment.
- Least privilege. We request only the Microsoft Graph scopes we need, and every one of them is a read scope. They are listed on our Trust page.
- Revocable. You can end our access from the Entra admin centre at any time.
- Findings, not content. Your emails, files and documents are never read or stored.
Sabiki AIRM is a Microsoft Verified Publisher. That means Microsoft has confirmed our identity as the publisher of the application. It is a statement about who we are, not a certification of the product, and we will not present it as one.
A SOC 2 audit is presently underway. We will update this page when the report is issued. We will not claim a certification before it exists.
8. Your rights
Under the PDPA you may:
- Access the personal data we hold about you, and ask how we have used it in the past year.
- Correct personal data that is inaccurate or incomplete.
- Withdraw consent to our use of your personal data at any time, on reasonable notice. We will tell you the likely consequences before you do.
If you are in the EU or the UK, you additionally have the right to erasure, restriction of processing, data portability, and to object to processing we base on legitimate interests. You may also complain to your local supervisory authority.
To exercise any of these, write to dpo@sabikisecurity.com. We will respond as quickly as we reasonably can, and within the time the law allows.
If your IT provider uses AIRM to manage your tenant, your relationship is with them, and they are the organisation responsible for your data. Please contact them first. We will support them in answering you.
9. Data breaches
If a data breach occurs that is likely to result in significant harm to affected individuals, or is of a significant scale, we will notify the Personal Data Protection Commission as soon as practicable and in any event no later than three calendar days after we complete our assessment, and we will notify affected individuals as soon as practicable, as Part 6A of the PDPA requires.
Where the GDPR applies, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach where we are required to.
Where we act as a processor for a customer, we will notify that customer without undue delay so that they can meet their own obligations.
10. Children
We sell to businesses. Our services are not directed at children and we do not knowingly collect personal data from anyone under 18.
11. Changes to this policy
If we change this policy we will update the version and date at the top. If a change is material, we will tell affected customers directly rather than relying on you to notice.
12. Contact
Data Protection Officer: dpo@sabikisecurity.com
General: contact@sabikisecurity.com
Post: Sabiki Pte. Ltd., 36 Robinson Road, #20-01 City House, Singapore 068877
If you are not satisfied with our response you may contact the Personal Data Protection Commission of Singapore at pdpc.gov.sg.
← All legal documents