Data Processing Agreement
Last updated: 9 May 2026
1. Parties
This Data Processing Agreement (“DPA”) forms part of the PostureIQ Terms of Service between ArimaiTech (“Processor”) and the customer organisation (“Controller”).
2. Scope of Processing
The Processor processes personal data on behalf of the Controller solely for the purpose of providing the PostureIQ M365 compliance auditing service, including:
- Receiving and storing M365 tenant configuration data uploaded by the Controller
- Analysing configuration data against compliance frameworks
- Generating compliance reports and remediation guidance
- Providing AI-assisted settings evaluation via sub-processor (Anthropic)
3. Categories of Data
| Data Category | Data Subjects | Retention |
|---|---|---|
| Account data (email, name) | Controller's employees | Until account deletion |
| M365 configuration policies | N/A (organisational config, not personal data) | Subscription + 90 days |
| Compliance assessment results | N/A (derived scores and findings) | Subscription + 90 days |
4. Processor Obligations
- Process personal data only on documented instructions from the Controller
- Ensure persons authorised to process data are bound by confidentiality
- Implement appropriate technical and organisational security measures
- Not engage sub-processors without prior written consent (see Section 8)
- Assist the Controller with data subject rights requests
- Delete or return all personal data upon termination
- Make available all information necessary to demonstrate compliance
5. Controller Obligations
- Ensure lawful basis for processing under GDPR
- Provide instructions that comply with applicable data protection law
- Ensure data subjects are informed of processing
6. Security Measures
- Encryption in transit (TLS 1.2+) and at rest
- Role-based access control with authentication
- Audit logging of data access and modifications
- Evidence integrity verification (SHA-256 hashing)
- Regular security assessments of infrastructure
- Incident response procedures with 72-hour breach notification
7. Data Breach Notification
The Processor shall notify the Controller without undue delay, and no later than 72 hours, after becoming aware of a personal data breach. Notification shall include the nature of the breach, categories of data affected, likely consequences, and measures taken.
8. Sub-processors
The Controller provides general authorisation for the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, storage | EU (Frankfurt) |
| Vercel Inc. | Application hosting | EU edge |
| Stripe Inc. | Payment processing | EU/US (SCCs) |
| Anthropic PBC | AI analysis (no data retention) | US (SCCs) |
| Resend Inc. | Transactional email | US (SCCs) |
Changes to sub-processors will be communicated 30 days in advance. The Controller may object to new sub-processors within 14 days.
9. International Transfers
Where personal data is transferred outside the EEA, appropriate safeguards are in place including Standard Contractual Clauses (SCCs) as approved by the European Commission.
10. Data Subject Rights (Articles 15 and 17)
The Controller's account owner can exercise GDPR data subject rights directly from the application without contacting support:
- Article 15 — Right of Access / Article 20 — Portability: Settings → Danger Zone → Export my data returns the user's full data footprint (account, organisation, tenants, recent assessments, findings, reports metadata, library overrides, remediation progress, audit logs) as a downloadable JSON file.
- Article 17 — Right to Erasure: Settings → Danger Zone → Delete my account permanently removes the organisation and all of its tenants, assessments, findings, reports, library overrides, remediation progress, audit logs and the Supabase auth identity. Confirmation requires typing the exact organisation name. Generated PDF reports are removed from Supabase Storage on a best-effort basis.
Retained after deletion (legal obligation): Stripe webhook idempotency records (`processed_stripe_events` — no personal data, event IDs only), back-office admin audit log entries (`admin_audit_logs` — required for cross-org compliance investigations), and any data Stripe retains under their own payment-record obligations. None of these contain Controller-uploaded M365 configuration data.
11. Duration and Termination
This DPA remains in effect for the duration of the PostureIQ subscription. Upon termination, the Processor shall delete all personal data within 90 days unless retention is required by law.
12. Contact
For DPA inquiries: privacy@arimaitech.com