All legal documents governing your use of AIRM and Sabiki Security's services.
Last reviewed April 2026
Questions about our legal documents? Contact us at support@sabikisecurity.com. For data protection enquiries, contact our Data Protection Officer at support@sabikisecurity.com. Sabiki Security Pte Ltd is incorporated in Singapore (UEN: [Registration Number]).
Please read these Terms of Service carefully before using AIRM. By accessing or using the AIRM platform, you agree to be bound by these Terms. If you do not agree to these Terms, do not use the Service.
These Terms of Service ("Terms") constitute a legally binding agreement between you ("Customer", "you", or "your") and Sabiki Security Pte Ltd, a company incorporated in Singapore ("Sabiki Security", "we", "us", or "our"), governing your access to and use of the AIRM (Autonomous Identity and Risk Management) platform and related services (collectively, the "Service").
By creating an account, clicking "I agree", or accessing or using the Service, you represent that: (a) you have read, understood, and agree to be bound by these Terms; (b) you are of legal age to form a binding contract; and (c) if you are accepting on behalf of an organisation, you have the authority to bind that organisation to these Terms.
We may update these Terms from time to time. We will provide at least 30 days' notice of material changes via email or in-platform notification. Your continued use of the Service after the effective date of the revised Terms constitutes acceptance of those Terms.
AIRM is a cloud-based security platform that monitors AI agents and non-human identities within Microsoft 365 tenant environments. The Service provides continuous risk scoring, anomaly detection, blast radius analysis, compliance framework mapping, alerting, and reporting capabilities.
The Service is provided on a software-as-a-service (SaaS) basis. We reserve the right to modify, update, or discontinue any feature or component of the Service at any time, subject to the notice requirements in these Terms. We will make reasonable efforts to notify you of material changes that reduce functionality you are actively using.
AIRM is a monitoring and detection platform. All response actions within the platform are human-initiated. AIRM does not take autonomous actions on your Microsoft 365 environment without explicit instruction from an authorised user.
To use the Service, you must create an account and provide accurate, current, and complete information. You are responsible for maintaining the accuracy of your account information and for all activities that occur under your account.
You are responsible for maintaining the confidentiality of your account credentials, including your password and any multi-factor authentication codes. You must notify us immediately at support@sabikisecurity.com if you suspect any unauthorised access to your account.
We strongly recommend enabling multi-factor authentication (MFA) on your AIRM account. We will not be liable for any loss or damage arising from your failure to maintain the security of your account credentials.
Each account may only be used for the business purposes of the registered entity. You may not share account credentials across multiple organisations, resell account access, or permit use by any party other than your authorised users.
The Service is offered on a subscription basis. Available plans, pricing, and features are described on our pricing page at sabikisecurity.com/pricing. Prices are in United States Dollars (USD) unless otherwise stated.
Subscriptions are available on monthly or annual billing cycles. Annual subscriptions are billed in advance for the full year and receive a 20% discount compared to monthly billing.
MSP customers are billed on a per-tenant-per-month basis. Your subscription tier determines the per-tenant rate and the minimum and maximum number of tenants included. Volume pricing tiers are applied automatically based on active tenant count at the time of billing.
By providing payment information, you authorise us to charge your payment method for the applicable subscription fees on a recurring basis (monthly or annually). All fees are charged in advance of the subscription period they cover.
We will provide advance notice of any price changes. Price changes for existing subscriptions take effect at the start of the next billing cycle following the required notice period (minimum 30 days).
All fees are exclusive of applicable taxes. You are responsible for any taxes, duties, or levies applicable to your subscription in your jurisdiction, including GST, VAT, or similar consumption taxes. Where we are required by law to collect taxes, they will be added to your invoice.
If payment is not received within 7 days of the due date, we may suspend your access to the Service until payment is made. We will provide reasonable notice before suspension. Continued failure to pay may result in termination of your subscription in accordance with Section 16.
Merchant of Record: Our order process is conducted by our online reseller Paddle.com. Paddle.com is the Merchant of Record for all our orders. Paddle provides all customer service enquiries related to billing and handles returns. By completing a purchase through AIRM, you agree to Paddle's Buyer Terms of Service, available at paddle.com/legal/checkout-buyer-terms, and Paddle's Privacy Policy at paddle.com/legal/privacy.
Paddle acts as an authorised reseller and Merchant of Record on our behalf. This means that when you purchase a subscription to AIRM: (a) you are technically purchasing from Paddle, who then licenses the Service to you on our behalf; (b) invoices and receipts are issued by Paddle as the reseller; (c) Paddle is responsible for collecting and remitting all applicable taxes (including GST, VAT, and sales tax) in your jurisdiction; and (d) the charge on your bank or card statement will appear as Paddle or Paddle.net.
Sabiki Security Pte Ltd remains responsible for the delivery, operation, and support of the AIRM platform. The reseller relationship with Paddle does not affect your contractual rights with respect to the Service under these Terms.
Your payment card details and billing information are transmitted directly to Paddle's secure payment infrastructure and are not stored on Sabiki Security's servers. Sabiki Security does not have access to your full card number or payment method details.
You represent and warrant that: (a) the payment information you provide is accurate and complete; (b) you are authorised to use the payment method you provide; and (c) charges incurred by you will be honoured by your bank or card issuer.
Paddle determines, collects, and remits all applicable taxes on transactions processed through its platform, including VAT, GST, and US sales tax. The applicable tax, if any, will be displayed at checkout before you complete your purchase. You are responsible for providing accurate billing address information to ensure correct tax calculation.
Paddle may decline transactions in accordance with their own risk assessment and compliance policies. Sabiki Security is not responsible for Paddle's decision to decline a transaction. If your payment is declined, you will need to provide an alternative payment method or contact Paddle support directly via the link in your Paddle invoice or receipt.
All transactions are processed in United States Dollars (USD) unless otherwise specified at checkout. Paddle supports multiple payment currencies and methods depending on your location. Currency conversion, if applicable, is handled by Paddle or your card issuer.
As Merchant of Record, Paddle handles all payment disputes and chargebacks on our behalf. Before initiating a dispute with your card issuer or bank, we strongly encourage you to contact us directly at support@sabikisecurity.com or Paddle support, as most billing concerns can be resolved promptly. We will provide Paddle with all relevant transaction and service delivery evidence to support dispute resolution. Unjustified chargebacks may result in suspension of your account.
For billing enquiries that cannot be resolved through Sabiki Security, you may contact Paddle directly at paddle.com/help. Paddle's support team can assist with payment receipts, invoice queries, refund requests, and billing disputes.
You may cancel your subscription at any time through the AIRM platform settings or by contacting us at support@sabikisecurity.com. Cancellation takes effect at the end of the current billing period. You will retain access to the Service until the end of the period for which you have already paid.
For annual subscriptions cancelled before the end of the annual term, no refund is provided for the unused portion of the annual term unless required by applicable law.
Monthly subscriptions are non-refundable except as required by applicable consumer protection laws in your jurisdiction.
Annual subscriptions may be eligible for a pro-rata refund within 14 days of the initial purchase or annual renewal date, minus the value of any months of service already consumed. After 14 days, annual subscriptions are non-refundable.
We may issue discretionary refunds in cases of: (a) a verified technical failure by Sabiki Security that resulted in material service unavailability; (b) accidental duplicate charges; or (c) other circumstances at our reasonable discretion.
To request a refund, contact support@sabikisecurity.com with your account details and reason for the request. We will respond within 5 business days.
In lieu of refunds, we may offer service credits for future subscription periods. Service credits are non-transferable and have no cash value.
Before initiating a chargeback or payment dispute with your card issuer, we strongly encourage you to contact us directly at support@sabikisecurity.com. We are typically able to resolve billing concerns quickly and without the delays associated with the chargeback process. Unjustified chargebacks may result in immediate suspension of your account.
We offer a 14-day free trial of the Service. During the trial period, you will have access to the full platform with the exception of certain premium features as described on the pricing page (including full report suite, PSA integrations, and report branding).
No credit card is required to start a free trial. At the end of the trial period, the trial account will revert to a limited read-only state unless you elect to subscribe to a paid plan.
We reserve the right to modify or discontinue the free trial offering at any time. We may also extend or shorten the trial period for specific customers at our discretion.
Each individual and organisation is entitled to one free trial. Creating multiple accounts to circumvent this limitation is a violation of these Terms and may result in account termination.
You agree to use the Service only for lawful purposes and in accordance with these Terms. You must not use the Service:
MSP customers may provide access to the Service to their end clients as part of a managed security service, subject to the MSP terms applicable to their subscription tier. MSP customers remain responsible for ensuring their clients' compliance with these Terms.
We reserve the right to suspend or terminate accounts that violate this Acceptable Use policy, without refund.
The Service requires you to grant AIRM read-only access to your Microsoft 365 tenant(s) via Microsoft's OAuth 2.0 consent flow. By connecting a Microsoft 365 tenant, you represent and warrant that: (a) you are a Global Administrator of that tenant or have been authorised by a Global Administrator to grant the required permissions; and (b) you have the authority to consent to third-party application access on behalf of your organisation.
AIRM requests only the permissions necessary to provide the Service. These permissions are read-only β AIRM does not modify, create, or delete any resources in your Microsoft 365 environment unless you have explicitly enabled Response Actions and authorised a specific action through the platform.
You may revoke AIRM's access to any Microsoft 365 tenant at any time by removing the AIRM enterprise application from your Microsoft Entra ID admin centre. Revoking access will result in AIRM being unable to scan or monitor the affected tenant.
Your use of Microsoft 365 and the Microsoft Graph API is subject to Microsoft's terms of service and privacy policy, which are independent of these Terms. Sabiki Security is not responsible for changes to Microsoft's API, permissions model, or service availability.
Our IP: The Service, including all software, algorithms, interfaces, documentation, branding, and content, is owned by Sabiki Security Pte Ltd and protected by intellectual property laws. These Terms do not grant you any ownership interest in the Service.
Limited Licence: We grant you a limited, non-exclusive, non-transferable, revocable licence to access and use the Service during the subscription term, solely for your internal business purposes and in accordance with these Terms.
Your Data: You retain ownership of all data you provide to the Service ("Customer Data"), including Microsoft 365 tenant data, configuration settings, and reports you generate. You grant us a limited licence to process your Customer Data for the sole purpose of providing the Service to you.
Feedback: If you provide suggestions, ideas, or feedback about the Service ("Feedback"), you grant us a perpetual, irrevocable, royalty-free licence to use, incorporate, and commercialise that Feedback without restriction or compensation to you.
Aggregated Data: We may use anonymised, aggregated data derived from usage of the Service (with no personally identifiable information or tenant-specific data) for product improvement, research, and benchmarking purposes.
Our collection and use of personal data is governed by our Privacy Policy, which is incorporated by reference into these Terms. By using the Service, you consent to the data practices described in our Privacy Policy.
For customers subject to the GDPR or other data protection regulations that require a Data Processing Agreement (DPA), we offer a standard DPA that can be executed upon request. Contact support@sabikisecurity.com to request a DPA.
We implement appropriate technical and organisational security measures to protect your data, including encryption in transit and at rest, access controls, and regular security assessments. Our infrastructure is hosted on Microsoft Azure, which maintains SOC 2 Type II, ISO 27001, and other industry certifications.
We will process your Customer Data only as necessary to provide the Service, comply with applicable law, and as directed by you. We will not sell your Customer Data to third parties.
Each party ("Receiving Party") may have access to information of the other party ("Disclosing Party") that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure ("Confidential Information").
The Receiving Party agrees to: (a) hold Confidential Information in strict confidence; (b) use Confidential Information only for the purposes of performing obligations or exercising rights under these Terms; and (c) not disclose Confidential Information to any third party without the Disclosing Party's prior written consent, except to employees or contractors who have a need to know and are bound by equivalent confidentiality obligations.
Confidential Information does not include information that: (a) is or becomes publicly available through no breach of these Terms; (b) was rightfully known to the Receiving Party before disclosure; (c) is rightfully received from a third party without restriction; or (d) is required to be disclosed by law or court order, provided the Receiving Party gives prompt notice to the Disclosing Party where legally permitted.
Your security findings, risk scores, and tenant data are your Confidential Information. We will not use, disclose, or otherwise process your Confidential Information except as necessary to provide the Service.
Our Warranties: We warrant that: (a) we have the right to provide the Service; (b) the Service will perform materially in accordance with its documentation; and (c) we will implement commercially reasonable security measures to protect Customer Data.
Disclaimer: THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE". TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, WE DISCLAIM ALL WARRANTIES NOT EXPRESSLY STATED IN THESE TERMS, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
Security Disclaimer: While AIRM provides security monitoring and risk detection capabilities, we do not warrant that: (a) the Service will detect every security threat or vulnerability in your environment; (b) the Service will prevent any security breach or incident; or (c) the information provided by the Service is complete, accurate, or error-free. The Service is a tool to assist your security posture β it does not replace a comprehensive security programme.
Uptime: We target 99.5% monthly uptime for the Service (excluding scheduled maintenance). We will use commercially reasonable efforts to achieve this target but do not provide a binding uptime guarantee unless specified in a separate Service Level Agreement (SLA).
Compliance Disclaimer: AIRM's compliance framework mappings are provided for informational and guidance purposes only and do not constitute legal or compliance advice. The mappings represent our good-faith assessment of relevant controls. You should engage qualified legal and compliance professionals to determine and meet your specific regulatory obligations.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFITS, LOSS OF DATA, LOSS OF GOODWILL, BUSINESS INTERRUPTION, OR COST OF SUBSTITUTE SERVICES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, SABIKI SECURITY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR IN CONNECTION WITH THESE TERMS OR THE SERVICE, REGARDLESS OF THE LEGAL THEORY, SHALL NOT EXCEED THE GREATER OF: (a) THE TOTAL FEES PAID BY YOU TO SABIKI SECURITY IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY; OR (b) ONE HUNDRED UNITED STATES DOLLARS (USD$100).
Some jurisdictions do not allow the exclusion or limitation of certain types of liability. In such jurisdictions, the above limitations apply to the maximum extent permitted by law.
Nothing in these Terms limits liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) wilful misconduct or gross negligence; or (d) any liability that cannot be excluded or limited by applicable law.
You agree to indemnify, defend, and hold harmless Sabiki Security and its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable legal fees) arising out of or in any way connected with: (a) your access to or use of the Service in violation of these Terms; (b) your violation of any applicable law or the rights of any third party; (c) your Customer Data, including any claim that your Customer Data infringes the intellectual property or privacy rights of a third party; or (d) your breach of these Terms.
We agree to indemnify, defend, and hold harmless you from and against any claims by third parties alleging that the Service, as provided by us, infringes that third party's intellectual property rights, provided that: (a) you promptly notify us of the claim; (b) you grant us control of the defence and settlement; and (c) you provide reasonable assistance at our request and expense. This indemnity does not apply to claims arising from your modifications to the Service or your use of the Service in combination with products not provided by us.
Term: These Terms are effective from the date you first access the Service and continue until your subscription expires or is terminated.
Termination by You: You may terminate your subscription at any time as described in Section 6. Termination does not entitle you to a refund except as described in Section 6.
Termination by Us: We may suspend or terminate your access to the Service immediately upon written notice if: (a) you breach these Terms and fail to cure the breach within 10 business days after notice; (b) you become insolvent, make an assignment for the benefit of creditors, or become subject to insolvency proceedings; (c) we are required to do so by law or regulatory order; or (d) you engage in fraudulent or abusive conduct in connection with the Service.
Effect of Termination: Upon termination: (a) all licences granted to you under these Terms immediately cease; (b) you must immediately stop using the Service; (c) we will provide you with 30 days to export your data, after which we may delete your Customer Data from our systems.
Survival: Sections 10 (Intellectual Property), 12 (Confidentiality), 13 (Warranties and Disclaimers), 14 (Limitation of Liability), 15 (Indemnification), 17 (Dispute Resolution), 18 (Governing Law), and 19 (General Provisions) survive termination.
Informal Resolution: Before initiating any formal dispute proceedings, both parties agree to attempt to resolve any dispute informally by contacting the other party with a written description of the dispute and proposed resolution. The parties will negotiate in good faith for at least 30 days.
Mediation: If informal resolution fails, either party may request mediation administered by the Singapore Mediation Centre (SMC). Both parties agree to participate in mediation in good faith before proceeding to arbitration or litigation.
Arbitration: Any dispute, controversy, or claim arising out of or relating to these Terms, or the breach, termination, or invalidity thereof, that cannot be resolved through mediation, shall be finally settled by arbitration administered by the Singapore International Arbitration Centre (SIAC) in accordance with the Arbitration Rules of the SIAC. The seat of arbitration shall be Singapore. The language of the arbitration shall be English. The arbitration shall be conducted by a sole arbitrator.
Exceptions: Nothing in this Section prevents either party from seeking injunctive or other equitable relief from a court of competent jurisdiction to protect confidential information or intellectual property rights. Disputes relating to unpaid subscription fees may be pursued directly in a court of competent jurisdiction without first undergoing mediation or arbitration.
No Class Actions: You agree to resolve disputes with us on an individual basis only. You waive any right to bring claims as a plaintiff or class member in any class, collective, or representative proceeding.
These Terms are governed by and construed in accordance with the laws of Singapore, without regard to its conflict of law provisions. For customers located in the European Economic Area, the mandatory consumer protection laws of your country of residence may apply in addition to Singapore law.
Subject to the dispute resolution provisions in Section 17, you submit to the exclusive jurisdiction of the courts of Singapore for any disputes arising out of or in connection with these Terms.
These Terms, together with the Privacy Policy, Cookie Policy, and any order forms or separately executed agreements, constitute the entire agreement between you and Sabiki Security regarding the Service and supersede all prior agreements, representations, and understandings.
If any provision of these Terms is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that these Terms otherwise remain in full force and effect.
Our failure to enforce any right or provision of these Terms will not be considered a waiver of that right or provision. A waiver of any provision will be effective only if in writing and signed by an authorised representative of Sabiki Security.
You may not assign or transfer your rights or obligations under these Terms without our prior written consent. We may assign these Terms or any rights or obligations hereunder to: (a) a successor in a merger, acquisition, or sale of assets; or (b) an affiliate. Any purported assignment in violation of this provision is null and void.
Neither party will be liable for delays or failures in performance resulting from causes beyond that party's reasonable control, including acts of God, natural disasters, pandemic, war, terrorism, labour disputes, or governmental action. The affected party must promptly notify the other party and resume performance as soon as reasonably practicable.
These Terms do not create any agency, partnership, joint venture, employment, or franchise relationship between you and Sabiki Security.
Notices under these Terms may be provided by email to the email address associated with your AIRM account, or by email to support@sabikisecurity.com. Notices are effective upon confirmed delivery.
| Purpose | Contact |
|---|---|
| General legal enquiries | support@sabikisecurity.com |
| Billing and subscription | support@sabikisecurity.com |
| Data protection / DPO | support@sabikisecurity.com |
| Security incidents | support@sabikisecurity.com |
| General support | support@sabikisecurity.com |
Registered Office: Sabiki Security Pte Ltd, Singapore [Full address to be inserted upon company registration].
This Privacy Policy explains how Sabiki Security Pte Ltd ("Sabiki Security", "we", "us", or "our") collects, uses, stores, and protects personal data in connection with the AIRM platform. We are committed to your privacy and handle all data in accordance with applicable data protection laws including the Singapore Personal Data Protection Act (PDPA), the EU General Data Protection Regulation (GDPR), the UK GDPR, and Australia's Privacy Act.
Sabiki Security Pte Ltd is a cybersecurity software company incorporated in Singapore. We build and operate AIRM (Autonomous Identity and Risk Management), a SaaS platform for monitoring AI agents and non-human identities in Microsoft 365 environments.
For the purposes of data protection law, Sabiki Security is the data controller with respect to personal data of account holders and users of the AIRM platform. Where we process personal data on behalf of customers (for example, Microsoft 365 audit log data that contains personal identifiers), we act as a data processor on behalf of the customer as data controller.
Our Data Protection Officer can be contacted at support@sabikisecurity.com.
When you connect a Microsoft 365 tenant, AIRM reads and processes the following data from Microsoft Graph API:
AIRM does not read or store the content of emails, documents, calendar events, Teams messages, or other user-generated content from your Microsoft 365 environment. We process metadata about application activity, not the underlying content.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing and operating the AIRM platform | Account data, tenant data | Contract |
| Processing payments and managing subscriptions | Account data, payment data | Contract |
| Generating security risk scores and reports | Tenant data | Contract |
| Sending service alerts and notifications | Account data | Contract |
| Providing customer support | Account data, usage data | Contract / Legitimate interests |
| Platform security and fraud prevention | Account data, usage data | Legitimate interests |
| Product improvement and analytics | Anonymised usage data | Legitimate interests |
| Compliance with legal obligations | All categories as required | Legal obligation |
| Marketing communications (optional) | Account data | Consent |
We do not sell your personal data to third parties. We do not use your data for advertising targeting.
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
Infrastructure: AIRM is hosted on Microsoft Azure, which provides enterprise-grade cloud infrastructure with SOC 2 Type II attestation, ISO 27001 certification, ISO 27018 certification (protection of personal data in the cloud), and compliance with a broad range of global regulatory standards. Azure's compliance portfolio is available at Microsoft Azure Compliance.
All data at rest is encrypted using AES-256 encryption. All data in transit is encrypted using TLS 1.2 or higher. Database access is restricted by role-based access controls and network-level access policies. Backup and recovery processes are in place to protect against data loss.
By leveraging Azure's infrastructure, your data benefits from Microsoft's comprehensive security controls, which include physical security of data centres, network security, identity and access management, and continuous security monitoring.
Our application database (MongoDB Atlas) is deployed within Azure infrastructure and inherits Azure's physical and network security guarantees. MongoDB Atlas provides its own additional encryption, access controls, and backup capabilities.
We understand that data sovereignty β the requirement for data to be stored and processed within a specific geographic jurisdiction β is an important requirement for many of our customers, particularly those in regulated industries or operating under government frameworks.
Microsoft Azure operates data centres across 60+ regions globally, including:
| Region | Azure Locations |
|---|---|
| Asia Pacific | Singapore, Australia (East, Southeast), Japan, South Korea, India |
| Europe | Ireland, Netherlands, Germany, France, Sweden, Switzerland, Norway, Spain |
| Middle East & Africa | UAE, Qatar, South Africa |
| Americas | USA (multiple regions), Canada, Brazil |
| United Kingdom | UK South, UK West |
Enterprise and MSP Scale customers may request that their AIRM tenant data be stored in a specific Azure region to satisfy data sovereignty requirements. This can be configured during onboarding or by contacting support@sabikisecurity.com.
By default, production data is stored in the Singapore Azure region. Customers with specific jurisdiction requirements (for example, Australian Government customers requiring data to remain in Australia, or EU customers requiring data to remain within the EEA) should contact us to arrange appropriate regional configuration.
For customers requiring formal data residency commitments as part of regulatory compliance, we can provide written confirmation of the Azure region(s) used to store your data. Contact support@sabikisecurity.com.
We share your data with third parties only as described below:
| Third Party | Purpose | Data Shared |
|---|---|---|
| Paddle.com (Paddle HQ Limited) | Payment processing and Merchant of Record services | Billing data, subscription status, transaction records |
| Microsoft Azure | Cloud infrastructure and hosting | All data stored on the platform |
| MongoDB Atlas (Microsoft Azure) | Database hosting | Application database content |
| Resend | Transactional email delivery | Email address, email content |
| Microsoft (Graph API) | Accessing Microsoft 365 tenant data | OAuth tokens, API requests |
We do not share your data with advertising networks, data brokers, or analytics companies that use data for third-party advertising purposes.
We may disclose your data to law enforcement or regulatory authorities if required by applicable law, court order, or where we have a good-faith belief that disclosure is necessary to prevent imminent harm or illegal activity.
In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy.
| Data Category | Retention Period |
|---|---|
| Account data (active accounts) | Duration of account plus 90 days after closure |
| Microsoft 365 audit events | 90 days |
| Behavioural snapshots and risk history | 12 months |
| Alert and scan records | 12 months |
| Payment and billing records | 7 years (as required by accounting law) |
| Support communications | 3 years |
| Security and access logs | 12 months |
When retention periods expire, data is automatically deleted or anonymised. You may request earlier deletion of your personal data, subject to our obligations to retain data for legal, contractual, or regulatory compliance purposes.
Upon termination of your account, you have 30 days to export your data. After this period, we will delete your Customer Data from our production systems. Anonymised, aggregated data derived from your usage may be retained indefinitely as it cannot be used to identify you.
We implement a comprehensive set of technical and organisational security measures to protect your data:
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and relevant supervisory authorities in accordance with applicable data protection law (within 72 hours where required by GDPR).
To report a security vulnerability, contact support@sabikisecurity.com.
Depending on your jurisdiction, you may have the following rights regarding your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your personal data (subject to legal retention requirements) |
| Restriction | Request that we restrict processing of your data in certain circumstances |
| Portability | Receive your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw consent | Withdraw consent at any time where processing is based on consent |
| Lodge a complaint | Lodge a complaint with your local data protection authority |
To exercise any of these rights, contact support@sabikisecurity.com. We will respond within 30 days. We may need to verify your identity before fulfilling your request.
By default, your data is stored in Singapore (Azure Southeast Asia region). Some of our third-party service providers (including Paddle.com for payment processing, and Resend for email) may process data in the United States or other jurisdictions.
Where we transfer personal data from the EEA or UK to countries outside those regions (including Singapore), we rely on: (a) the European Commission's adequacy decisions where available; (b) Standard Contractual Clauses (SCCs) as published by the European Commission; or (c) other appropriate safeguards as permitted by applicable data protection law.
A copy of the transfer safeguards we rely on is available upon request from support@sabikisecurity.com.
The AIRM platform is a business-to-business service intended for use by organisations and professionals. It is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at support@sabikisecurity.com and we will promptly delete the data.
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-platform notification at least 30 days before the changes take effect. We will also update the "Last updated" date at the top of this Policy.
Your continued use of the Service after the effective date of the revised Policy constitutes your acceptance of those changes. If you do not agree to the revised Policy, you must stop using the Service.
For privacy-related enquiries, contact our Data Protection Officer at support@sabikisecurity.com.
Supervisory Authority Contacts: If you are in the EEA, you may lodge a complaint with your national data protection authority. If you are in the UK, contact the Information Commissioner's Office (ICO) at ico.org.uk. If you are in Singapore, contact the Personal Data Protection Commission (PDPC) at pdpc.gov.sg. If you are in Australia, contact the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
This Cookie Policy explains what cookies and similar tracking technologies we use on the AIRM platform and marketing website, why we use them, and how you can manage your preferences.
Cookies are small text files placed on your device by a website you visit. They are widely used to make websites work, improve user experience, and provide information to website owners. We also use similar technologies such as local storage and session tokens in our platform application.
Cookies can be "session cookies" (deleted when you close your browser) or "persistent cookies" (stored until they expire or you delete them). They can be "first-party" (set by us) or "third-party" (set by third-party services we use).
These are essential for the AIRM platform to function and cannot be disabled. Without them, you would not be able to log in, access your dashboard, or use the service.
| Name / Technology | Purpose | Duration |
|---|---|---|
| airm_token (localStorage) | Stores your authentication JWT token to keep you logged in to the AIRM platform | Session / until logout |
| airm_user (localStorage) | Stores your user profile data (name, email, role) for display in the platform UI | Session / until logout |
| CSRF token (session) | Protects against cross-site request forgery attacks | Session |
| __paddle_vid (Paddle) | Paddle vendor identifier β used to associate purchases with your account during checkout | 1 year |
| __paddle_checkout (Paddle) | Paddle session identifier for payment processing security | Session |
These cookies enable enhanced functionality and personalisation of the AIRM platform. Disabling them may affect your experience.
| Name / Technology | Purpose | Duration |
|---|---|---|
| airm_prefs (localStorage) | Stores your UI preferences, including theme and notification settings | Persistent |
| airm_onboarding (localStorage) | Tracks onboarding progress to show relevant getting-started prompts | Until completed |
We may use privacy-respecting analytics to understand how the platform is used and improve the product. Where used, analytics data is anonymised and aggregated. We do not use Google Analytics or other advertising-linked analytics platforms on the AIRM platform.
| Technology | Purpose | Data Collected |
|---|---|---|
| PostHog (if enabled) | Product analytics β understanding feature usage and user flows to improve the product | Anonymised usage events, session recordings (no personal data in event properties) |
Analytics cookies are optional. You can opt out of analytics tracking in the platform settings under Account β Privacy, or by contacting us at support@sabikisecurity.com.
The AIRM marketing website (sabikisecurity.com) is distinct from the AIRM platform. The marketing website uses:
| Name | Purpose | Duration |
|---|---|---|
| Consent preference cookie | Stores your cookie consent choices so we don't repeatedly ask | 1 year |
| Session cookie | Maintains your browsing session on the marketing site | Session |
We do not use advertising cookies, retargeting pixels, or social media tracking cookies on our marketing website. Claude products, including the AIRM platform, are ad-free.
You can control and delete cookies through your browser settings. Note that disabling strictly necessary cookies will prevent you from using the AIRM platform. Instructions for major browsers:
You can opt out of optional analytics tracking in the AIRM platform at any time under Account β Privacy Settings.
The AIRM platform uses browser local storage (not cookies) for session management. You can clear local storage through your browser's developer tools or by logging out of AIRM, which clears all stored session data.
We may update this Cookie Policy from time to time as we add or change our use of cookies and tracking technologies. We will update the "Last updated" date and, for material changes, provide notice via the platform or email.
For questions about our use of cookies, contact us at support@sabikisecurity.com.
This Data Processing Agreement ("DPA") supplements the Terms of Service and governs how Sabiki Security processes personal data on behalf of customers in its capacity as a data processor. This DPA is intended for customers who are subject to data protection laws requiring a formal DPA (including GDPR, UK GDPR, and equivalent regulations).
In this DPA: "Controller" means the customer who determines the purposes and means of processing; "Processor" means Sabiki Security Pte Ltd, who processes personal data on the Controller's behalf; "Data Subject" means an identified or identifiable natural person; "Personal Data" has the meaning given in applicable data protection law; "Processing" means any operation performed on personal data.
Sabiki Security processes personal data as part of the AIRM service. The nature of processing includes: collection, storage, organisation, structuring, analysis, use, and deletion of data. The subject matter of processing is the monitoring of Microsoft 365 environments for security risk.
Categories of personal data processed include: names and email addresses of service principal owners, user identifiers in audit logs, and other personal identifiers contained in Microsoft 365 audit log entries. Data subjects include: employees, contractors, and system accounts of the Controller's organisation.
Sabiki Security, as Processor, agrees to:
The Controller hereby provides general authorisation to engage the following sub-processors:
| Sub-Processor | Location | Purpose |
|---|---|---|
| Microsoft Azure | Singapore (default); other regions available on request | Cloud infrastructure, hosting, and database services |
| MongoDB Atlas (on Azure) | Same as Azure region | Database hosting |
| Resend | United States | Transactional email delivery |
| Paddle.com (Paddle HQ Limited) | United Kingdom / United States | Payment processing and Merchant of Record services β billing data only, no tenant or Microsoft 365 data |
We will notify Controllers of any intended changes to sub-processors (additions or replacements) with at least 30 days' notice, providing an opportunity to object before the change takes effect.
Where personal data is transferred outside the EEA or UK, such transfers are governed by: (a) Standard Contractual Clauses (SCCs) as adopted by the European Commission; or (b) the International Data Transfer Agreement (IDTA) for UK transfers. Copies of applicable SCCs are available upon request.
Sabiki Security implements the technical and organisational security measures described in Section 9 of the Privacy Policy. These include AES-256 encryption at rest, TLS 1.2+ encryption in transit, role-based access controls, MFA for administrative access, and hosting on Microsoft Azure's SOC 2 Type II attested infrastructure.
In the event of a personal data breach affecting personal data processed under this DPA, Sabiki Security will notify the Controller without undue delay after becoming aware of the breach, and in any event within 72 hours. The notification will include: a description of the nature of the breach; the categories and approximate number of data subjects and records concerned; the likely consequences; and the measures taken or proposed to address the breach.
This DPA is incorporated by reference into the Terms of Service for all customers. If you require a countersigned DPA for your compliance programme, please contact support@sabikisecurity.com to request a signed copy. We will respond within 5 business days.