This Data Processing Agreement (“DPA”) forms part of the agreement between Areebi Pte. Ltd. (“Areebi”, “Processor”, “we”, “us”) and the entity agreeing to these terms (“Customer”, “Controller”, “you”) for the provision of the Areebi enterprise AI governance platform (the “Services”), as described in the Terms of Service.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalised terms not defined herein shall have the meanings given to them in the principal agreement or the applicable Data Protection Laws.
- “Controller” means the entity that determines the purposes and means of the processing of Personal Data, being the Customer.
- “Processor” means the entity that processes Personal Data on behalf of the Controller, being Areebi.
- “Data Subject” means an identified or identifiable natural person whose Personal Data is processed under this DPA.
- “Personal Data” means any information relating to a Data Subject that is processed by Areebi in the course of providing the Services.
- “Sub-processor” means any third party engaged by Areebi to process Personal Data on behalf of the Controller.
- “Data Protection Laws” means all applicable data protection and privacy legislation, including the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the Australian Privacy Act 1988, and any other applicable legislation in the jurisdiction of the Controller.
- “Standard Contractual Clauses” means the contractual clauses adopted by the European Commission for the transfer of personal data to processors established in third countries, as amended or replaced from time to time.
2. Scope and Purpose of Processing
Areebi processes Personal Data solely for the purpose of providing the Services as described in the principal agreement and in accordance with the Controller's documented instructions. The nature of processing includes the collection, storage, analysis, and deletion of data as required to operate the AI governance platform, including:
- Processing AI interaction logs and metadata for audit, compliance, and governance purposes.
- Applying data loss prevention (DLP) rules to detect and redact Personal Data in AI prompts and responses.
- Enforcing access control policies and generating compliance reports.
- Maintaining immutable audit trails of platform activity for regulatory and security purposes.
The categories of Data Subjects may include Customer employees, contractors, and end users of the Services. The types of Personal Data processed depend on the Customer's configuration and use of the platform, but may include names, email addresses, job titles, IP addresses, and content within AI interactions.
3. Obligations of the Processor
Areebi shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case Areebi shall inform the Controller of that legal requirement before processing (unless prohibited by law).
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex A of this DPA.
- Assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligation to respond to Data Subject requests.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and applicable Data Protection Laws.
- Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage.
4. Data Subject Rights
Areebi shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction of processing, data portability, and objection.
Where a Data Subject makes a request directly to Areebi, we shall promptly redirect the request to the Controller and shall not respond to the Data Subject directly unless instructed to do so by the Controller. The platform provides built-in tools for data export and deletion to assist Controllers in fulfilling these requests efficiently. For details on how Areebi handles personal data, refer to our Privacy Policy.
5. Sub-processor Management
The Controller provides general authorisation for Areebi to engage Sub-processors, subject to the following conditions:
- Areebi shall maintain a current list of Sub-processors and make it available to the Controller upon request.
- Areebi shall provide the Controller with at least 30 days' prior written notice of any intended changes to its Sub-processors, including the addition or replacement of Sub-processors.
- The Controller may object to any new Sub-processor on reasonable grounds within 14 days of receiving notice. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected Services without penalty.
- Areebi shall impose data protection obligations on Sub-processors that are no less protective than those set out in this DPA, by way of a written contract.
- Areebi shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.
6. International Data Transfers
Where Personal Data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country that has not received an adequacy decision, Areebi shall ensure that appropriate safeguards are in place, including:
- Execution of the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor), as supplemented by any additional safeguards required by applicable law.
- For UK transfers, the International Data Transfer Addendum to the EU Standard Contractual Clauses, as issued by the UK Information Commissioner's Office.
- Implementation of supplementary technical and organisational measures where necessary, including encryption of data in transit and at rest.
Where the Customer is subject to the Australian Privacy Act 1988, Areebi ensures that any overseas disclosure of personal information complies with Australian Privacy Principle 8 and that reasonable steps are taken to ensure the overseas recipient handles the information in accordance with the Australian Privacy Principles. Areebi offers data residency options to keep data within specified geographic regions.
7. Data Security Measures
Areebi shall implement and maintain technical and organisational security measures appropriate to the nature, scope, context, and purposes of processing, including:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3).
- Logical access controls, including role-based access control (RBAC), multi-factor authentication, and enterprise SSO integration.
- Regular security assessments, including third-party penetration testing and vulnerability scanning.
- Immutable audit logging of all platform activity with tamper-proof storage.
- Incident response and business continuity procedures, tested and updated on a regular basis.
- Employee security awareness training and background checks.
Full details of our security measures are available on our Security page and in our Trust Center.
8. Audit Rights
The Controller shall have the right to audit Areebi's compliance with this DPA, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice of any audit request.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Areebi's operations.
- Areebi shall make available relevant documentation, certifications (including SOC 2 reports), and records to satisfy audit requirements without requiring physical access where possible.
- Where a third-party auditor is engaged, such auditor must execute a confidentiality agreement acceptable to Areebi.
- The Controller shall bear the costs of any audit it initiates, unless the audit reveals a material breach of this DPA by Areebi.
9. Term and Termination
This DPA shall remain in effect for the duration of the principal agreement and shall automatically terminate upon the expiration or termination of the principal agreement.
Upon termination, Areebi shall, at the Controller's election, either return or securely delete all Personal Data processed under this DPA within 30 days, unless applicable law requires continued storage. Areebi shall provide written certification of deletion upon the Controller's request.
The obligations of confidentiality and data protection set out in this DPA shall survive the termination or expiration of the principal agreement.
10. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the principal agreement. Nothing in this DPA shall limit either party's liability for breaches of applicable Data Protection Laws where such limitation is not permitted.
Annex A: Technical and Organisational Measures
The following measures are implemented by Areebi to protect Personal Data processed in the course of providing the Services:
A.1 Access Control
- Role-based access control (RBAC) with least-privilege principles
- Enterprise SSO integration (SAML 2.0, OIDC) with mandatory multi-factor authentication
- Automated provisioning and de-provisioning via SCIM
- Session management with configurable timeout policies
A.2 Encryption
- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption for all data in transit
- Customer-managed encryption keys available on Enterprise plans
A.3 Data Integrity
- Immutable audit logs with cryptographic verification
- Automated backup procedures with tested restoration processes
- Input validation and output sanitisation
A.4 Availability and Resilience
- Infrastructure redundancy across multiple availability zones
- Documented disaster recovery procedures with defined RPO and RTO
- Regular backup testing and business continuity exercises
A.5 Monitoring and Incident Response
- 24/7 security monitoring and alerting
- Documented incident response plan with defined escalation procedures
- Regular security assessments and third-party penetration testing
- Vulnerability management with severity-based remediation SLAs