01 Purpose and scope
1.1 Purpose
This Data Processing Policy (“Policy”) describes how OMBRIS Cyber Security LLC (“OMBRIS,” “Processor”) processes personal data on behalf of its customers (“Customer,” “Controller”) when providing the Ombris cybersecurity platform and related services. This Policy serves as the foundational document for data processing arrangements between Ombris and its Customers. Individual Data Processing Agreements (DPAs) may be executed with Customers to supplement this Policy with Customer-specific terms.
1.2 Roles
Customer (Data Controller). The Customer determines the purposes and means of processing personal data of its employees, contractors, and personnel through the Ombris Platform. The Customer instructs Ombris on the scope and nature of data processing through service configuration, feature activation, and campaign initiation.
Ombris (Data Processor). Ombris processes personal data solely on behalf of and in accordance with the documented instructions of the Customer. Ombris does not determine the purposes of processing End User personal data and does not use End User personal data for its own independent purposes (other than creating anonymized, aggregated statistical data as permitted by the Terms and Conditions).
1.3 Scope
This Policy applies to all personal data processed by Ombris on behalf of Customers through the Ombris Platform, including data obtained from Microsoft Entra ID tenants, phishing simulation campaigns, risk assessments, and compliance evaluations.
1.4 Regulatory framework
This Policy is designed to comply with the data processing requirements of:
- UAE Federal Data Protection Law (Federal Decree-Law No. 45 of 2021), Articles 28–31
- General Data Protection Regulation (EU 2016/679), Article 28
- Turkish Personal Data Protection Law (Law No. 6698), Articles 12–13
- DIFC Data Protection Law (Law No. 5 of 2020), as applicable
02 Definitions
For the purposes of this Policy, the following definitions apply. Where a term is not defined below, it shall have the meaning ascribed to it in the Ombris Terms and Conditions.
- “Controller Instructions” means the documented instructions provided by the Customer to Ombris regarding the processing of personal data, including instructions embodied in the service configuration, campaign settings, and the Terms and Conditions.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed by Ombris on behalf of the Customer.
- “Data Subject” means an identified or identifiable natural person whose personal data is processed through the Ombris Platform.
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined under the applicable data protection law.
- “Processing” means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, or destruction.
- “Sub-processor” means a third-party entity engaged by Ombris to process personal data on behalf of the Customer.
- “Supervisory Authority” means a public authority established under GDPR, the UAE Data Office, the DIFC Commissioner of Data Protection, or the Turkish Personal Data Protection Authority (KVKK Kurumu), as applicable.
- “Technical and Organizational Measures” (“TOMs”) means the security measures implemented by Ombris to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
03 Data processing details
3.1 Purposes of processing
Ombris processes personal data on behalf of the Customer for the following purposes:
| Purpose | Description | Platform module |
|---|---|---|
| Security configuration assessment | Evaluating the security posture of the Customer’s Microsoft Entra ID tenant | EntraScan |
| Phishing simulation | Security awareness testing campaigns targeting the Customer’s employees | Human Awareness |
| Risk assessment | Computing unified risk scores combining technical and human factors | Risk Management |
| Compliance evaluation | Assessing posture against CIS, NIST, ISO 27001, GDPR, HIPAA | Compliance |
| Audit trail maintenance | Recording administrative actions and system events for accountability | Cross-platform |
| Reporting and analytics | Generating security reports, dashboards, and trend analyses | Cross-platform |
3.2 Categories of personal data
| Category | Elements | Source |
|---|---|---|
| Identity data | Display name, email address, user principal name | Microsoft Entra ID |
| Organizational data | Department, job title, manager, office location | Microsoft Entra ID |
| Account data | Account status, creation date, user type | Microsoft Entra ID |
| Authentication data | MFA registration, authentication methods, last sign-in | Microsoft Entra ID |
| Access data | Role assignments, group memberships, conditional access applicability | Microsoft Entra ID |
| Application data | Application registrations, permissions, service principals | Microsoft Entra ID |
| Behavioral data (simulation) | Email open events, link click events, timestamps | Phishing simulation |
| Technical metadata (simulation) | IP address at click time, user agent, device information | Phishing simulation |
| Risk scores | Individual risk score, risk level, contributing factors | Risk calculation |
| Compliance data | Per-user compliance-relevant findings | Compliance assessment |
3.3 Categories of data subjects
| Category | Description |
|---|---|
| Customer organization employees | Full-time and part-time employees of the Customer |
| Customer contractors and consultants | Third-party individuals working within the Customer’s organization |
| Customer administrators | Individuals designated to manage the Customer’s Ombris Platform account |
| Guest users | External users with guest access to the Customer’s Microsoft Entra ID tenant |
3.4 Duration of processing
Ombris shall process personal data for the duration of the Customer’s active subscription to the Ombris Platform. Upon termination or expiration of the subscription, personal data shall be handled in accordance with Section 11 (Data Deletion and Return) of this Policy.
3.5 Location of processing
All personal data is processed and stored on Amazon Web Services (AWS) infrastructure located in the European Union:
- Primary region: EU-Central-1 (Frankfurt, Germany)
- Secondary region: EU-West-1 (Ireland)
Personal data is not transferred to or stored in locations outside the EU unless required for specific sub-processor services and subject to appropriate safeguards.
04 Controller instructions
4.1 Instruction-based processing
Ombris shall process personal data only on the basis of documented instructions from the Customer, including the instructions contained in the Terms and Conditions and this Data Processing Policy, the Customer’s service configuration and settings within the Platform, campaign configurations and target selections made by Customer administrators, scan initiations and scheduling configured by Customer administrators, and any additional written instructions provided by the Customer’s authorized representative.
4.2 Notification of conflicting instructions
If Ombris believes that a Customer instruction infringes applicable data protection law, Ombris shall promptly notify the Customer in writing and shall be entitled to suspend processing in accordance with the disputed instruction until the Customer confirms or modifies its instructions. Ombris shall not be liable for any delay in processing resulting from such suspension.
4.3 Processing beyond instructions
Ombris shall not process personal data beyond the scope of the Customer’s instructions, except where required by applicable law. In such cases, Ombris shall inform the Customer of the legal requirement before processing, unless prohibited by law from doing so.
4.4 Customer responsibility
The Customer is responsible for ensuring that:
- Its instructions to Ombris comply with applicable data protection laws.
- It has obtained all necessary consents and authorizations from data subjects or has established an alternative lawful basis for processing.
- The personal data provided to Ombris is accurate and up to date.
- It has conducted any required data protection impact assessments (DPIAs) in connection with its use of the Platform.
05 Confidentiality
5.1 Personnel obligations
Ombris ensures that all personnel authorized to process personal data on behalf of Customers have entered into written confidentiality agreements or are bound by a statutory obligation of confidentiality; have received appropriate training on data protection requirements; and understand their obligations under applicable data protection laws and this Policy.
5.2 Access restrictions
Access to personal data within Ombris is restricted to personnel who require access to perform their job functions in connection with the provision of the Platform and Services. Access is granted on a need-to-know basis and is regularly reviewed.
5.3 Background checks
Ombris conducts appropriate background checks on personnel with access to production systems and Customer Data, to the extent permitted by applicable law.
06 Technical and organizational measures
As a cybersecurity company, Ombris holds itself to the highest standards of data protection and implements and maintains the technical and organizational measures described below.
6.1 Access control
| Measure | Implementation |
|---|---|
| Role-based access control (RBAC) | All Platform access is governed by role-based permissions. Customers control Authorized User access within their tenant. |
| Multi-factor authentication (MFA) | Mandatory for all Ombris administrative and production system access. Available and recommended for Customer administrator accounts. |
| Least privilege principle | All system accounts, API keys, and service principals are configured with the minimum permissions necessary. Reviewed quarterly. |
| Session management | JWT-based session management with configurable expiration, invalidation on logout, and refresh token rotation. |
| Authentication standards | Customer authentication through Microsoft MSAL. Strong password requirements enforced. Account lockout after failed attempts. |
6.2 Encryption
| Measure | Implementation |
|---|---|
| Encryption in transit | All external communications use TLS 1.2 or higher. Internal service-to-service communication uses encrypted channels. |
| Encryption at rest — database | Customer Data stored in PostgreSQL databases is encrypted using AES-256 via AWS RDS encryption. |
| Encryption at rest — tokens | Microsoft Graph API access and refresh tokens are encrypted using AES-256-CBC with dedicated encryption keys. |
| Key management | Encryption keys are managed through AWS Key Management Service (KMS) with regular rotation. |
| Secure deletion | Data deletion utilizes cryptographic erasure where applicable, ensuring deleted data is unrecoverable. |
6.3 Infrastructure security
| Measure | Implementation |
|---|---|
| Network isolation | AWS VPC with private subnets for application and database tiers. No direct internet access to database servers. |
| Security groups | Inbound and outbound traffic rules restrict communication to authorized ports and services only. |
| Network ACLs | Subnet-level access control lists provide an additional layer of network security. |
| Web Application Firewall (WAF) | Protects against SQL injection, XSS, and other OWASP Top 10 vulnerabilities. |
| DDoS protection | AWS Shield Standard provides automated protection against volumetric DDoS attacks. |
| Container security | Services run in AWS ECS Fargate with isolated compute environments. Container images are scanned for vulnerabilities before deployment. |
6.4 Monitoring and logging
| Measure | Implementation |
|---|---|
| Audit logging | All administrative actions within the Platform are recorded in immutable, append-only audit logs. |
| Access logging | Access to Customer Data by Ombris personnel is logged, including accessor identity, timestamp, and scope. |
| Infrastructure monitoring | AWS CloudWatch monitors system health, performance metrics, and resource utilization. |
| Anomaly detection | Automated alerts for unusual patterns, including failed authentication attempts and abnormal data access. |
| Log retention | Security and audit logs are retained for a minimum of twenty-four (24) months. |
6.5 Business continuity
| Measure | Implementation |
|---|---|
| Database backups | Automated daily backups with point-in-time recovery. Backups are encrypted and stored in a separate availability zone. |
| Disaster recovery | Documented disaster recovery plan with defined procedures for restoring services. |
| Recovery Time Objective (RTO) | Target: 4 hours for critical services. |
| Recovery Point Objective (RPO) | Target: 1 hour (data loss limited to the last hour’s transactions). |
| Redundancy | Multi-availability zone deployment for critical services and databases. |
6.6 Software security
| Measure | Implementation |
|---|---|
| Secure Development Lifecycle (SDLC) | Security considerations integrated into all phases of the software development process. |
| Vulnerability scanning | Regular automated vulnerability assessments of application code and dependencies. |
| Dependency management | Automated scanning of third-party dependencies with timely patching. |
| Penetration testing | Annual third-party penetration testing conducted by qualified security firms. |
| Code review | All code changes are subject to peer review before deployment to production. |
| Secure configuration | Production systems hardened following CIS Benchmarks and AWS security best practices. |
6.7 Organizational measures
| Measure | Implementation |
|---|---|
| Data protection training | All personnel receive data protection training upon hire and annually thereafter. |
| Confidentiality agreements | All personnel and contractors sign confidentiality and non-disclosure agreements. |
| Incident response team | Designated incident response team with documented procedures. |
| Vendor management | Sub-processors are assessed for security and data protection compliance before engagement and reviewed periodically. |
| Policy review | This Policy and associated security measures are reviewed at least annually. |
07 Sub-processors
7.1 Current sub-processors
Ombris engages the following sub-processors to provide the Platform and Services:
| Sub-processor | Service | Data processed | Location |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure hosting | All Customer Data (encrypted at rest and in transit) | EU-Central-1 (Frankfurt), EU-West-1 (Ireland) |
| Microsoft Corporation | Microsoft Graph API (access to Customer’s Entra ID tenant data) | Entra ID data as consented by Customer | Microsoft global infrastructure |
| SMTP service provider | Email delivery for phishing simulation campaigns | Recipient email addresses, simulation email content | Disclosed upon request |
7.2 Sub-processor notification
Ombris shall notify the Customer at least thirty (30) days before engaging a new sub-processor or replacing an existing sub-processor, via email to the Customer’s registered administrator email address and a notification within the Ombris Platform dashboard. The notification shall include the sub-processor’s identity, the services to be provided, and the data that will be processed.
7.3 Customer objection rights
The Customer may object to a new or replacement sub-processor by providing written notice to Ombris within fifteen (15) days of receiving the notification. If the Customer objects, Ombris shall use reasonable efforts to make available a change in the Services or recommend a commercially reasonable alternative. If Ombris is unable to make such a change available within thirty (30) days, either party may terminate the affected Services by providing written notice.
7.4 Sub-processor obligations
Ombris shall:
- Enter into a written data processing agreement with each sub-processor that imposes data protection obligations no less protective than those in this Policy.
- Remain fully liable to the Customer for the acts and omissions of its sub-processors.
- Conduct appropriate due diligence on sub-processors before engagement, including assessment of security practices.
- Monitor sub-processor compliance on an ongoing basis.
08 Data breach notification
8.1 Detection and classification
Ombris maintains continuous monitoring systems to detect potential data breaches. Upon detection of a security incident, the incident response team classifies the event based on the nature and severity of the incident, the categories and volume of personal data affected, the number of data subjects potentially affected, and the likely consequences for data subjects.
8.2 Customer notification
Upon becoming aware of a confirmed Data Breach affecting Customer personal data, Ombris shall notify the Customer without undue delay and in any event within forty-eight (48) hours of confirmation.
| Information element | Description |
|---|---|
| Nature of the breach | Description of what occurred (unauthorized access, data loss, etc.) |
| Categories of data affected | Types of personal data involved |
| Categories of data subjects | Who is affected (employees, administrators, guests) |
| Approximate number affected | Estimated number of data subjects and records involved |
| Likely consequences | Assessment of potential impact on data subjects |
| Measures taken | Steps already taken to contain and remediate the breach |
| Proposed measures | Additional measures Ombris plans to implement |
| Contact point | Designated Ombris contact for further information |
8.3 Regulatory notification assistance
Ombris shall assist the Customer in:
- Notifying the relevant Supervisory Authority within seventy-two (72) hours of the Customer becoming aware of the breach (GDPR Article 33 requirement).
- Notifying affected data subjects where required by applicable law (GDPR Article 34).
- Preparing and submitting required notifications under the UAE Federal Data Protection Law.
- Preparing notifications required under KVKK for Turkish data subjects.
8.4 Containment and remediation
Upon identifying a Data Breach, Ombris shall immediately take all reasonable steps to contain the breach and prevent further unauthorized access or data loss, preserve evidence for forensic investigation, engage qualified external security experts if warranted, and implement corrective measures to prevent recurrence.
8.5 Post-incident report
Ombris shall provide the Customer with a detailed post-incident report within thirty (30) days of the breach, including root cause analysis, complete timeline of events, full scope of data and data subjects affected, remediation actions taken, preventive measures implemented, and recommendations for the Customer.
09 Data subject rights assistance
9.1 Obligation to assist
Ombris shall assist the Customer in fulfilling its obligations to respond to data subject rights requests under applicable data protection laws, taking into account the nature of the processing and the information available to Ombris.
9.2 Request handling
When Ombris receives a data subject rights request directly from a data subject (rather than through the Customer), Ombris shall not respond to the request directly unless authorized by the Customer, shall promptly redirect the data subject to the Customer, and shall notify the Customer of the request within two (2) business days.
9.3 Technical support
Ombris shall provide the Customer with the technical capabilities to:
- Access: Export the data subject’s personal data in a standard machine-readable format.
- Rectification: Correct or update personal data stored within the Platform (noting that data sourced from Microsoft Entra ID should be corrected at source).
- Erasure: Delete the data subject’s personal data from the Platform, subject to legal retention requirements.
- Restriction: Restrict processing of the data subject’s personal data as requested.
- Portability: Provide the data subject’s data in a structured, commonly used, machine-readable format (CSV, JSON).
9.4 Response timeline
Ombris shall provide the Customer with the technical support necessary to fulfill data subject requests within five (5) business days of receiving the Customer’s request for assistance.
10 Audit rights
10.1 Customer audit rights
The Customer has the right to audit Ombris’s compliance with this Policy and applicable data protection laws. Audits may be conducted by the Customer or a qualified third-party auditor appointed by the Customer, subject to the conditions in this Section.
10.2 Audit procedures
- The Customer shall provide Ombris with at least thirty (30) days’ prior written notice of an intended audit.
- Audits shall be conducted during regular business hours and shall not unreasonably disrupt Ombris’s operations.
- The Customer shall comply with Ombris’s reasonable security and confidentiality requirements during the audit.
- Audit findings and reports shall be treated as Ombris’s Confidential Information.
10.3 Frequency and scope
The Customer is entitled to one (1) audit per calendar year at no additional cost. Additional audits may be conducted at the Customer’s expense. If Ombris is subject to audit requests from multiple Customers within the same period, Ombris may propose a consolidated audit conducted by an independent third-party auditor.
10.4 Third-party certifications and reports
Ombris shall make available to Customers, upon request and subject to confidentiality obligations, copies of independent third-party audit reports (including SOC 2 Type II, when available), ISO 27001 certification (upon achievement), penetration testing summary reports (redacted as necessary), and data protection impact assessments relevant to the Platform. These certifications and reports may be used by Customers to satisfy their audit requirements in lieu of or in addition to a direct audit.
10.5 Remediation
If an audit reveals non-compliance, Ombris shall promptly develop and implement a remediation plan, provide the Customer with a copy of the remediation plan within fifteen (15) business days of the audit, and implement the remediation measures within a reasonable timeframe.
11 Data deletion and return
11.1 Upon termination
Upon termination or expiration of the Customer’s subscription to the Ombris Platform:
- Data export period: Ombris shall make Customer Data available for export by the Customer for a period of thirty (30) days following the effective date of termination, in standard machine-readable formats (CSV and JSON).
- Data deletion: After the export period, Ombris shall irreversibly delete all Customer personal data from its production systems, databases, and active backups within an additional thirty (30) days.
- Backup deletion: Copies of Customer Data in disaster recovery backups shall be deleted as the backup rotation cycle expires, and in any event no later than ninety (90) days after the expiration of the data deletion period.
- Token destruction: Microsoft Graph API access and refresh tokens associated with the Customer’s tenant shall be securely destroyed upon termination.
11.2 Deletion confirmation
Upon the Customer’s written request, Ombris shall provide a written certificate confirming the date on which Customer Data was deleted, the scope of data deleted (all copies, including backups), the method of deletion used, and confirmation that no copies have been retained except as required by law.
11.3 Legal retention exceptions
| Data category | Legal basis for retention | Retention period |
|---|---|---|
| Billing and financial records | UAE Commercial Companies Law, tax regulations | 7 years |
| Audit logs (administrative actions) | Regulatory compliance, legal dispute resolution | 24 months |
Retained data shall be isolated from active processing systems, encrypted, and accessible only for the specific legal purpose requiring its retention. Upon expiration of the legal retention period, the data shall be promptly and irreversibly deleted.
12 Liability and indemnification
12.1 Ombris liability
Ombris shall be liable for damages caused by processing that does not comply with this Policy or with the Customer’s lawful instructions. Ombris’s liability shall be subject to the limitation of liability provisions set out in the Terms and Conditions.
12.2 Customer liability
The Customer shall be liable for damages arising from processing that is not in compliance with applicable data protection law, including damages resulting from unlawful Controller Instructions, damages arising from the Customer’s failure to obtain required consents from data subjects, and damages caused by the Customer’s unauthorized or unlawful use of the Platform.
12.3 Apportionment
Where both Ombris and the Customer are responsible for damage caused by non-compliant processing, each party shall be liable for its proportionate share of the damage, as determined by the degree of each party’s responsibility for the processing that caused the damage, in accordance with the applicable data protection law (including GDPR Article 82).
12.4 Mutual cooperation
In the event of a claim by a data subject or regulatory authority, both parties shall cooperate in good faith to investigate and respond to the claim, and to mitigate any damage or penalty.
13 Governing law
13.1 Primary governing law
This Policy shall be governed by the same governing law as the Ombris Terms and Conditions (UAE Federal Law), as set out in Section 16 of the Terms and Conditions.
13.2 Applicable data protection law
Notwithstanding the above, the processing of personal data shall additionally be governed by:
- GDPR: Where the processing relates to data subjects located in the European Economic Area, the provisions of GDPR shall apply, and the Standard Contractual Clauses (where applicable) shall form part of this Policy.
- KVKK: Where the processing relates to data subjects located in Turkey, the provisions of the Turkish Personal Data Protection Law (Law No. 6698) shall apply.
- UAE Federal Data Protection Law: UAE Federal Decree-Law No. 45 of 2021 shall apply to all processing of personal data by Ombris in its capacity as a processor established in the UAE.
- DIFC Data Protection Law: Where the Customer is established in the DIFC, the DIFC Data Protection Law (Law No. 5 of 2020, as amended) shall apply.
13.3 Hierarchy
In the event of a conflict between this Policy and applicable data protection law, the applicable data protection law shall prevail. In the event of a conflict between this Policy and the Terms and Conditions regarding data processing matters, this Policy shall prevail.
14 Review and updates
14.1 Regular review
Ombris shall review this Policy at least annually and update it as necessary to reflect changes in Ombris’s data processing practices, applicable data protection laws and regulatory guidance, industry best practices and standards, and sub-processor arrangements.
14.2 Customer notification
Ombris shall notify Customers of material changes to this Policy at least thirty (30) days before the changes take effect, using the same notification mechanisms described in the Terms and Conditions.
15 Contact information
For questions about this Data Processing Policy or Ombris’s data processing practices: