Data Processing Agreement
Last updated: 19 March 2026
1. Parties
This Data Processing Agreement (“DPA”) forms part of the PostureIQ Terms of Service between ArimaiTech (“Processor”) and the customer organisation (“Controller”).
2. Scope of Processing
The Processor processes personal data on behalf of the Controller solely for the purpose of providing the PostureIQ M365 compliance auditing service, including:
- Receiving and storing M365 tenant configuration data uploaded by the Controller
- Analysing configuration data against compliance frameworks
- Generating compliance reports and remediation guidance
- Providing AI-assisted settings evaluation via sub-processor (Anthropic)
3. Categories of Data
| Data Category | Data Subjects | Retention |
|---|---|---|
| Account data (email, name) | Controller's employees | Until account deletion |
| M365 configuration policies | N/A (organisational config, not personal data) | Subscription + 90 days |
| Compliance assessment results | N/A (derived scores and findings) | Subscription + 90 days |
4. Processor Obligations
- Process personal data only on documented instructions from the Controller
- Ensure persons authorised to process data are bound by confidentiality
- Implement appropriate technical and organisational security measures
- Not engage sub-processors without prior written consent (see Section 8)
- Assist the Controller with data subject rights requests
- Delete or return all personal data upon termination
- Make available all information necessary to demonstrate compliance
5. Controller Obligations
- Ensure lawful basis for processing under GDPR
- Provide instructions that comply with applicable data protection law
- Ensure data subjects are informed of processing
6. Security Measures
- Encryption in transit (TLS 1.2+) and at rest
- Role-based access control with authentication
- Audit logging of data access and modifications
- Evidence integrity verification (SHA-256 hashing)
- Regular security assessments of infrastructure
- Incident response procedures with 72-hour breach notification
7. Data Breach Notification
The Processor shall notify the Controller without undue delay, and no later than 72 hours after becoming aware of a personal data breach. Notification shall include the nature of the breach, the categories of data affected, the likely consequences, and the measures taken.
8. Sub-processors
The Controller provides general authorisation for the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, storage | EU (Frankfurt) |
| Vercel Inc. | Application hosting | EU edge |
| Stripe Inc. | Payment processing | EU/US (SCCs) |
| Anthropic PBC | AI analysis (no data retention) | US (SCCs) |
| Resend Inc. | Transactional email | US (SCCs) |
Changes to sub-processors will be communicated 30 days in advance. The Controller may object to new sub-processors within 14 days.
9. International Transfers
Where personal data is transferred outside the EEA, appropriate safeguards are in place including Standard Contractual Clauses (SCCs) as approved by the European Commission.
10. Duration and Termination
This DPA remains in effect for the duration of the PostureIQ subscription. Upon termination, the Processor shall delete all personal data within 90 days unless retention is required by law.
11. Contact
For DPA inquiries: privacy@arimaitech.com