Sabiki privacy policy

  • Last Updated 1st June 2022

    Sabiki Pte Ltd (“Sabiki,” “we,” or “us”) is committed to protecting your online privacy. We have designed our website (Sabiki.ai, the “Website”), as well as our cloud-based cybersecurity platform and application (the “Service”), to minimize the amount of personal data that you, the individual user of the Website or Service (“you” or “User”) must submit in order to use the Website and/or Service.

    By accessing or using the Website and/or Service you agree to the collection, use, and transfer of personal data according to the terms of this Privacy Policy (this “Policy”). This Policy describes how we collect, process, store, and use information, as well as the scope and purpose of doing so. If you do not agree to these terms, please do not access or use the Website or Service.

    Information We Collect and for What Purpose

    Information you provide to us. When you contact us by email or through a contact form on the Website, we collect the information you provide, including email address, name, and telephone number, if applicable, and store such information in order to answer your questions or respond to your request or to contact you regarding our products and services.

    Information collected via cookies and other technology. In the case of merely informative use of the Website, for instance if you do not register or otherwise submit information to us, we only collect the data that your browser transmits to our server, including:

    – Date and time of the request

    – Time zone difference to Greenwich Mean Time (GMT)

    – Access status / HTTP status code

    – Amount of data transmitted in each case

    – Website from which the request comes

    – Browser type

    – Operating system and its interface

    – Language and version of the browser software; and

    – City-level geolocation information (in anonymous form, i.e., the geolocation is resolved from the IP address associated with the request, but the IP address is not persisted or retained by our server).

    In addition to the data listed above, cookies are stored on your computer when you browse the Website. We use cookies primarily to determine how visitors engage with the Website (e.g., the pages you view, the links you click, how frequently you access the Website, the number of visits over time, etc.). Cookies are small text files that are stored on your hard drive or assigned to your web browser that enable us to enhance your experience of the Website. Cookies cannot run programs or transmit viruses to your computer. They serve to make the Website more user-friendly and effective overall.

    We may also use clear gifs in HTML-based emails sent to our Users or other contacts in order to track which emails are opened and which links are clicked by recipients. This information allows for more accurate reporting and improvement of the Website, the Service and our marketing efforts. We may also collect analytics data, or use third-party analytics tools, to help us measure traffic and usage trends of the Website. These tools collect information sent by your browser or mobile device, including the Website pages you visit, your use of third party applications, and other information that assists us in analyzing and improving the Website. Although we do our best to honor the privacy preferences of our Users, we are not able to respond to Do Not Track signals from your browser at this time, as we believe that there is no consistent industry standard for how to respond to Do Not Track browser settings.

    You can personalize which cookies you would like to allow on our Website by using our cookie management tool, which is accessible within the bottom left corner of your browser when you are accessing our Website.

    Additionally, most browsers let you remove or reject cookies, or set rules to manage cookies on a site by site basis. 

    To do this, follow the instructions in your browser settings. For more information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them.

    To learn more about cookies, clear gifs/web beacons and related technologies and how you may opt-out of some of this tracking, you may wish to visit one or more of the following sites:

    http://www.allaboutcookies.org

    http://www.networkadvertising.org

    http://www.aboutads.info/choices/

    Information collected by third-party advertising networks. We may permit third party ad networks, social media companies, and other third-party services to collect information about browsing behavior from visitors to our Website through cookies, social plug-ins, or other tracking technology. We may permit third party online advertising networks to collect information about your use of our Website over time so that they may display ads that may be relevant to your interest in our Service on other websites or services. Typically, the information is collected through cookies or similar tracking technologies.

    Information collected when you use the Service. In order to use the Service, a User typically authenticates by means of a single sign-on (SSO) provider, so we do not collect or process any personally identifiable login credentials; however, we do collect the IP address from which the User logs into the Service each time. In addition, as part of its normal functioning, the Service collects email metadata (e.g. headers and origin IP address), email contents (e.g. email address, email body, and any attachments thereto), and email platform metadata (e.g. tokenized identifiers).

    Collectively, this information is referred to as “Service Information” in this Policy. We use the Service Information exclusively for the purpose of providing the Service to our Users.


    Sharing of Your Information

    We may share information about you in the instances described below. For further information on your choices regarding your information, see the “Choices About Your Information” section below.

    We may share your personal information with:

    – Third-party vendors and other service providers that perform services on our behalf, as needed to carry out their work for us, which may include identifying and serving targeted advertisements, billing, payment processing, or analytics services (however Service Information is never used for these purposes);

    – Our business partners who offer a service to you jointly with us, or who partner with us to provide the Service to you;

    – Other affiliates for purposes consistent with this Policy;

    – Other parties in connection with a strategic transaction, such as a merger, sale of company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business by another company, or in the event of a bankruptcy or related or similar proceedings; and

    – Third parties as required by law or subpoena or if we reasonably believe that such action is necessary to (a) comply with the law and the reasonable requests of law enforcement, (b) enforce our Terms of Use or to protect the security or integrity of the Website or Service, and/or (c) exercise our rights or legitimate business interests or those of our business partners, customers, or users.


    Choices About Your Information

    You can stop receiving promotional email communications from us by clicking on the “unsubscribe” link provided in such communications or emailing privacy@sabiki.ai. We make every effort to promptly process all unsubscribe requests. You may not opt out of Service-related communications (e.g., account verification, information about your orders, changes/updates to our products or features of the Service, technical and security notices), unless you cease using the Service.

    If you are a User of the Service, you may modify or delete your information by logging into your account. If you otherwise have any questions about reviewing, modifying or deleting your information, you can contact us directly at privacy@sabiki.ai.


    How We Store and Protect Your Information

    Location of Your Information. Your information collected through the Website or Service may be stored and processed in Singapore or in any other country in which Sabiki or its subsidiaries, affiliates or service providers maintain facilities. If you are located in the European Union (EU) or other regions with laws governing data collection and use that may differ from Singapore law, please note that we may transfer information, including personal information, to a country and jurisdiction that does not have the same data protection laws as your jurisdiction, and you consent to the transfer of information to Singapore or any other country in which Sabiki or its parent, subsidiaries, affiliates or service providers maintain facilities and to the use and disclosure of information about you as described in this Privacy Policy.

    Security of Your Information. Sabiki takes the security of your information very seriously and uses physical, administrative, and technological safeguards to preserve the integrity and security of all information collected through the Website and Service. However, no security system is impenetrable, and we cannot guarantee the security of our systems. If any information under our control is compromised as a result of a breach of security, Sabiki will take reasonable steps to investigate the situation and where appropriate, notify those individuals whose information may have been compromised and take other steps, in accordance with any applicable laws and regulations.


    Children’s Privacy

    Sabiki does not knowingly collect or solicit any information from anyone under the age of 18 or knowingly allow such persons to register as Users. If we learn that we have collected personal information from a child under age 18, we will delete that information as quickly as possible. If you believe that we might have any information from a child under 18, please contact us at privacy@sabiki.ai.

    Links to Third-Party Sites and Services

    The Website and Service may integrate with or contain links to other third-party sites and services. We are not responsible for the practices employed by third party websites or services embedded in, linked to, or linked from the Website or Service, and your interactions with any third-party website or service are subject to that third party’s own rules and policies.

    Changes to this Policy

    We may modify or update this Policy from time to time to reflect the changes in our business and practices, so you should review this page periodically. When we change the Policy in a material manner we will update the ‘last updated’ date at the top of this page. Such changes will be effective as of the earlier of (i) 10 days from such date, and (ii) the first date of your continued use of the Website or Service after such date.

    How to Contact Us

    If you have any other questions about this Policy, or if you would like to exercise your statutory rights, you may contact us at privacy@sabiki.ai. You can also contact us at our mailing address below:

    11 Irving Place #09-01

    Singapore 369551

    Att: General Manager


  • How Sabiki Manages Data

    You Own Your Data, Always.

    Customer emails are only used to provide agreed-upon services, and if you leave the service, we take the necessary steps to ensure the continued ownership of your data.

    No customer production data is used for any other purpose (e.g., QA testing, development testing, User Acceptance Test areas (UAT), training, demonstration, etc.).

    The production environment is a separate environment from any other non-production environment (e.g., development, UAT, etc.).

    No customer data is sold or given to any third party for any purpose whatsoever. Microsoft, as the platform host, applies its own privacy policy in relation to customer data which is held within the respective Microsoft 365 tenancy.

    1. Where Your Data Is Located

    Customer data is accessed in place via Sabiki engines directly within the Microsoft tenant; the location of the application subscription is dependent on the location selected by the user during the subscription process. As a certified Microsoft solution, Sabiki has made a conscious decision to remain strictly within this Azure ecosystem to benefit from the strict compliance requirements imposed by Microsoft as a measure of assurance to our customers.

    1.1 Who Has Access To Data

    We take strong measures to help protect Customer Data from inappropriate access or use by unauthorized persons, either external or internal, and to prevent customers from gaining access to one another’s data. Sabiki is unable to directly access, and does not extract, data from customer tenants for any purpose, and any dynamic training that is performed by the Sabiki engine is contained on a per-customer basis. Part of the value proposition of the Sabiki platform is that each customer has their own individual engine that is dynamically trained on the specific mailflow of the organization. Any data sharing or crowdsourced intelligence from customer email defeats the purpose of this personalized approach.

    1.2 How Does Sabiki Handle Access Requests From Third Parties (In Particular Governmental Authorities Such As Enforcement or Intelligence Agencies)?

    Any third-party requests for data access are subjected to a legal assessment by qualified personnel. Sabiki will inform customers whose data is affected by such requests without undue delay. Access to or disclosure of a customer’s data will only be granted if Sabiki’s legal assessment has determined that there is an applicable and legally valid basis and that the request must be granted on that basis. Any access or disclosure will be limited to the mandatory minimum.

    1.3 Data Retention and Migration

    Upon cancellation, termination or expiration of a Subscription or termination of this agreement, the custom engine trained on customer emails in the SaaS Solutions will be preserved for fifteen (15) days (the "Retention Period") and, upon request, made available to Customer within a commercially reasonable timeframe. After the Retention Period, it will be permanently deleted and unrecoverable by Customer.

    After the Retention Period, Sabiki makes no representations or warranties as to the preservation or integrity of the Customer Engine. Sabiki shall have no obligation to retain the Engine after the Retention Period, unless otherwise prohibited by law. If Customer renews its Subscription to the SaaS Solutions prior to the end of the Retention Period, the custom Engine shall remain available to Customer.

    2. Privacy and Information Security

    2.1 Information Security/Privacy

    Sabiki will perform and provide the Services to our customers in such a manner so as to minimize the threat of unauthorized access to confidential information. Sabiki has implemented and maintains a comprehensive information Security/Privacy program that contains administrative, technical, and procedural measures and physical safeguards designed to protect the Security/Privacy and confidentiality of confidential information, and to protect against any anticipated threats or hazards to the Security/Privacy and integrity of such information.

    2.2 Security/Privacy Logging and Monitoring

    If applicable, tenant level audit logs will be available to the customer. The tenant level audit logs will contain, as applicable, the following:

    – User account information;

    – Time stamps;

    – Operation actions performed by users; and

    – Decisions made by the Email engine per message scanned.

    2.3 Secure Coding

    Sabiki follows a set of secure coding guidelines such as the OWASP secure coding guidelines.

    2.4 Incident and Breach Response Program

    Sabiki has in place an incident response program to mitigate, detect and respond to Security/Privacy incidents which includes the tools to find, eliminate or isolate the cause of any such Security/Privacy incident.

    2.5 Multi-Factor Authentication

    Sabiki employs multi-factor authentication (as supported) for administrative access to any internal systems supporting customer applications or systems.

    2.6 Third Party Vendors

    Sabiki’s third party vendor risk assessment program requires vendors to participate in an information Security/Privacy and privacy, GDPR, and due diligence and compliance risk assessment questionnaire, which includes reviews of Security/Privacy certifications such as SOC II, type 2 or equivalent certifications.

    2.7 System Access Review

    At least annually, Sabiki conducts a review and validation of key users for critical systems to confirm the continued need for access and that permissions are appropriate.

    2.8 Security/Privacy Policy

    Sabiki has implemented, and maintains, a comprehensive set of Security/Privacy policies that satisfies the requirements set forth below.

    Sabiki reviews its Security/Privacy policies regularly, and particularly following any changes in applicable law, advances in technology or changes to Sabiki’s information systems, in order to verify that the Security/Privacy policies and controls set out therein remain accurate, comprehensive, and up to date.

    2.9 Standards of Protection

    Sabiki strives to secure and protect Customer Data by using at least the same degree of care as Sabiki uses to secure and protect its own confidential and proprietary information, and we work to ensure that in no event is Customer Data treated with anything less than reasonable care.

    2.10 Organizational Security/Privacy

    Responsibility – Sabiki assigns responsibility for information Security/Privacy management to appropriate skilled and/or senior personnel only.

    ‘Need to Know’ Access – Sabiki restricts access to information systems used in connection with the services provided under each applicable Customer agreement and/or to Customer Data to only those personnel who have sufficient technical expertise for the role assigned and know his or her obligations and the consequences of any Security/Privacy breach.

    Confidentiality – Sabiki personnel who have accessed or otherwise been made aware of Customer Data maintain the confidentiality of such information.

    2.11 Asset Management

    Data Sensitivity – Sabiki acknowledges that it understands the sensitivity of the Customer Data.

    2.12 Access Control

    Systems used by Sabiki that host the business relationship data that is used to provide services to Customer will uniquely identify each individual requiring access and grant access only to authorized personnel based on the principle of least privilege.

    User Access Inventory – Sabiki maintains an accurate and up to date list of all personnel who have access to these systems and will have a process to promptly disable access by any individual within twenty-four (24) hours of transfer or termination.

    Authentication Credential Management – Sabiki communicates authentication credentials to users in a secure manner, with an appropriate proof of identity check of the intended users. Passwords are not to be stored or transmitted in readable form.

    Logging & Monitoring – Sabiki logs and monitors all access to these information systems for additions, alterations, deletions, and copying.

    Multi-Factor Authentication for Remote Access – Sabiki uses multi-factor authentication and a secure tunnel when accessing systems containing Customer Data remotely.

    Multi-Factor Authentication for Internet Facing Applications – Sabiki requires multi-factor authentication for all users of Internet facing applications which permit financial instructions/transactions or display personally identifiable information.

    Sabiki strives to:

    Promptly notify Customer if Sabiki identifies a gap in the Security/Privacy measures implemented by Customer;

    Promptly provide Customer with information regarding any failure of Customer’s Security/Privacy measures or any Security/Privacy breach related to Customer Data that Sabiki becomes aware of in connection with its performance of the services at Customer’s facilities; and

    Maintain confidentiality towards third parties regarding any such failure of such Security/Privacy measures or any Security/Privacy breach, subject to legal disclosure obligations.

    Customer resources, including computers, software, proprietary information, and telecommunications equipment will not be used for any activity not related to Customer business.

    Notwithstanding anything to the contrary contained in this Standard or each applicable Customer agreement generally, if at any time Sabiki is required to copy (in print, electronic or other form), transport, transmit, transfer or otherwise move any Customer Data to carry out its obligations under each applicable agreement, we will only do so if such printed or moved Customer Data remains within Customer’s Microsoft tenancy, as applicable, at all times. In no event will any Customer Data be removed from Customer’s premises or its network by Sabiki without prior authorization. Additionally, Sabiki personnel are prohibited from the following activities:

    Initiating or facilitating any unauthorized attempts to access Customer information assets,

    Storing or sending of Customer Data or intellectual property to personal email accounts or any other personal account including but not limited to cloud storage account, any public location, social media sites, help forums or blogs,

    Copying, downloading or storing of Customer Data or intellectual property to removable data devices unless authorized and the device has been encrypted and approved by Customer,

    Sharing of Customer credentials (user IDs and passwords) and/or tokens with anyone or the use of Customer credentials for accounts other than Customer.