01 Introduction and scope
1.1 About Ombris
OMBRIS Cyber Security LLC (“OMBRIS,” “we,” “us,” or “our”) is a cybersecurity company incorporated in the United Arab Emirates, with its registered office in Dubai. Ombris provides an enterprise cybersecurity platform that helps organizations assess their Microsoft 365 security posture, conduct phishing awareness simulations, evaluate organizational risk, and measure compliance against industry frameworks.
1.2 Purpose of this policy
This Privacy Policy explains how Ombris collects, uses, stores, shares, and protects personal data in connection with the Ombris Platform and related services. This policy applies to:
- Customer account holders: representatives of organizations that subscribe to the Ombris Platform (administrators, account owners).
- End users: employees, contractors, and other personnel of Customer organizations whose data is processed through the Platform.
- Website visitors: individuals who visit the Ombris website.
1.3 Data controller vs. data processor
Ombris operates in two distinct data processing roles:
- As data controller: Ombris is the data controller for Customer Account Holder data (account registration, billing, direct communications) and Website Visitor data.
- As data processor: Ombris is the data processor for End User data processed through the Platform on behalf of the Customer. The Customer is the data controller for its employees’ personal data. Ombris processes this data solely in accordance with the Customer’s instructions and the Data Processing Policy.
1.4 Applicable laws
This Privacy Policy is designed to comply with:
- UAE Federal Data Protection Law (Federal Decree-Law No. 45 of 2021)
- DIFC Data Protection Law (Law No. 5 of 2020, as amended)
- General Data Protection Regulation (EU 2016/679) for data subjects located in the European Economic Area
- Turkish Personal Data Protection Law (Law No. 6698, “KVKK”) for data subjects located in Turkey
Where these frameworks impose different requirements, Ombris applies the most protective standard available to the relevant data subject.
02 Data we collect
2.1 Customer account data (Ombris as controller)
When an organization subscribes to the Ombris Platform, we collect:
| Data category | Examples | Purpose |
|---|---|---|
| Organization information | Company name, industry, size, country | Account setup, service customization |
| Administrator contact details | Name, email address, phone number, job title | Account management, communications |
| Billing information | Billing address, payment method details, invoice history | Payment processing |
| Authentication data | Login credentials (hashed), session tokens, MFA preferences | Account security |
| Communication records | Support tickets, emails, feedback | Service delivery, improvement |
2.2 Microsoft Entra ID data (Ombris as processor)
When a Customer grants Ombris access to its Microsoft Entra ID tenant via OAuth 2.0 consent, the Platform accesses the following data on behalf of the Customer:
| Data category | Specific elements | Purpose |
|---|---|---|
| User identity | Display names, email addresses, user principal names | User identification for security assessment |
| Organizational attributes | Department, job title, manager, office location | Departmental risk analysis |
| Account status | Account enabled/disabled, creation date, last sign-in | Security posture assessment |
| Authentication configuration | MFA registration status, authentication methods configured | MFA compliance evaluation |
| Sign-in activity | Sign-in logs, risk events, location data (as licensed) | Risk-based assessment |
| Application registrations | App names, permissions, secret/certificate expiry | Application security audit |
| Conditional access policies | Policy names, conditions, grant controls, state | Policy compliance evaluation |
| Role assignments | Directory role memberships, PIM configurations | Privileged access assessment |
| Guest accounts | Guest user details, invitation status, access reviews | External access evaluation |
| Group memberships | Security group and distribution list memberships | Identity governance assessment |
2.3 Phishing simulation data (Ombris as processor)
During phishing simulation campaigns conducted through the Human Awareness module:
| Data category | Specific elements | Purpose |
|---|---|---|
| Recipient information | Email address, name, department (sourced from Entra ID) | Campaign targeting |
| Email interaction events | Whether email was opened, timestamp of open event | Campaign effectiveness measurement |
| Link interaction events | Whether simulation link was clicked, timestamp of click | Susceptibility assessment |
| Technical metadata | IP address at click, user agent, device type | Interaction verification, fraud prevention |
| Campaign context | Template used, difficulty level, campaign dates | Reporting and trend analysis |
Simulation data is collected solely for security awareness measurement. Individual-level data is accessible only to the Customer’s authorized administrators.
2.4 Risk and compliance data (Ombris as processor)
| Data category | Specific elements | Purpose |
|---|---|---|
| Individual risk scores | Per-user score combining technical and human factors | Risk-based prioritization |
| Department risk profiles | Aggregated departmental risk levels and trends | Organizational risk visualization |
| Compliance scores | Framework-specific compliance percentages and control statuses | Compliance readiness assessment |
| Historical trends | Score snapshots over time, improvement tracking | Progress measurement |
2.5 Technical and usage data (Ombris as controller)
When users interact with the Ombris Platform, we automatically collect access logs (IP address, timestamp, pages visited, actions performed), browser information (type and version, OS, screen resolution), session data (JWT identifiers, duration, authentication events), and performance data (page load times, error logs, API response times) for security monitoring, troubleshooting, and Platform optimization.
03 How we use data
3.1 Service delivery
We use data to provide the Ombris Platform services, including:
- Conducting security configuration assessments of the Customer’s Microsoft Entra ID tenant.
- Executing phishing simulation campaigns as directed by the Customer.
- Calculating unified risk scores by aggregating technical and human risk factors.
- Performing compliance framework evaluations and generating compliance reports.
- Generating findings, recommendations, and remediation guidance.
- Providing dashboards, reports, and data exports to the Customer’s authorized administrators.
3.2 Account management
We use Customer Account Data to create and manage Customer accounts and Authorized User access, process payments and manage billing, communicate service updates, maintenance notifications and security alerts, and provide technical support and respond to inquiries.
3.3 Platform improvement
We use Technical and Usage Data, and anonymized or aggregated data derived from service delivery, to monitor and improve Platform performance, reliability, and security; identify and fix bugs, errors, and vulnerabilities; develop new features; and generate anonymized industry benchmarks and statistical reports.
3.4 Legal and compliance
We use data as necessary to comply with applicable legal obligations, enforce our Terms and Conditions, protect our legal rights, and detect, prevent, and respond to fraud, abuse, and security incidents.
04 Legal basis for processing
4.1 Under UAE Federal Data Protection Law
| Legal basis | Application |
|---|---|
| Performance of a contract | Processing necessary to provide the Platform services |
| Legitimate interests | Platform improvement, security monitoring, fraud prevention |
| Legal obligation | Compliance with UAE laws and regulations |
| Consent | Customer’s explicit consent via OAuth 2.0 for Entra ID access |
4.2 Under GDPR (for EEA data subjects)
| Legal basis (Article 6) | Application |
|---|---|
| Article 6(1)(b) contract | Processing necessary for the performance of the service agreement |
| Article 6(1)(f) legitimate interests | Platform security, fraud prevention, service improvement |
| Article 6(1)(c) legal obligation | Compliance with EU or member state law |
| Article 6(1)(a) consent | Where specific consent is required (e.g. marketing communications) |
For processing by Ombris as a Data Processor, the legal basis is determined by the Customer (Data Controller) under Article 28 GDPR.
4.3 Under KVKK (for Turkish data subjects)
| Legal basis (Article 5) | Application |
|---|---|
| Performance of a contract (Art. 5(2)(c)) | Processing necessary for the service agreement |
| Legitimate interests (Art. 5(2)(f)) | Provided it does not override data subject rights |
| Legal obligation (Art. 5(2)(ç)) | Compliance with Turkish law |
| Explicit consent (Art. 5(1)) | Where no other legal basis applies |
06 International data transfers
6.1 Primary data location
Customer Data is stored and processed on AWS infrastructure located in the European Union (primarily Frankfurt, Germany and Ireland). Ombris does not routinely transfer Customer Data outside the EU.
6.2 UAE to EU data transfers
Where data transfers between the UAE and the EU are necessary for the provision of the Services, Ombris relies on Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914); supplementary technical measures including encryption in transit (TLS 1.2+) and at rest (AES-256); and organizational measures including access controls and personnel training.
6.3 UAE to Turkey data transfers
For Customers with operations in Turkey, data transfers are conducted in compliance with KVKK and the decisions of the Turkish Personal Data Protection Board, utilizing explicit written undertakings (taahhütname) approved by the Board where applicable, contractual data protection clauses, and adequate technical and organizational security measures.
6.4 Transfer impact assessment
Ombris conducts and maintains transfer impact assessments (TIAs) for all international data transfers to evaluate the legal framework of the destination country and verify that adequate safeguards are in place to protect personal data.
07 Data retention
7.1 Retention periods
| Data category | Retention period | Rationale |
|---|---|---|
| Customer account data | Subscription + 12 months | Account management, contractual obligations |
| Microsoft Entra ID scan results | Subscription + 6 months | Historical comparison, audit trail |
| Phishing simulation data | Subscription + 6 months | Trend analysis, awareness measurement |
| Risk scores and snapshots | Subscription + 6 months | Historical trend analysis |
| Compliance assessment data | Subscription + 6 months | Compliance tracking over time |
| Audit logs (platform admin actions) | Minimum 24 months | Legal compliance, security investigation |
| Technical and usage logs | 12 months | Security monitoring, troubleshooting |
| Billing and financial records | Subscription + 7 years | Tax and financial regulatory requirements |
7.2 Post-termination data handling
Upon termination or expiration of the Customer’s subscription, the Customer may export its data for thirty (30) days following termination in standard machine-readable formats (CSV, JSON). After the export period, Ombris shall irreversibly delete all Customer Data, including all copies and backups, within an additional thirty (30) days, and shall provide written confirmation of deletion upon the Customer’s request. Data subject to legal retention requirements (such as billing records) shall be retained only for the minimum period required by law and shall be isolated from active systems.
7.3 Deletion methods
Data deletion is performed using industry-standard methods that render data unrecoverable, including cryptographic erasure for encrypted data stores and secure deletion for unencrypted data.
08 Data subject rights
8.1 Rights overview
Depending on the applicable data protection law, data subjects have the following rights:
| Right | Description |
|---|---|
| Right of access | Obtain confirmation of whether personal data is being processed and a copy of such data |
| Right to rectification | Request correction of inaccurate or incomplete personal data |
| Right to erasure | Request deletion of personal data (“right to be forgotten”) |
| Right to restrict processing | Request restriction of processing in certain circumstances |
| Right to data portability | Receive personal data in a structured, machine-readable format |
| Right to object | Object to processing based on legitimate interests |
| Automated decision-making | Not be subject to decisions based solely on automated processing with legal effects |
| Right to withdraw consent | Withdraw consent at any time where processing is based on consent |
8.2 How to exercise rights
Customer account holders (Ombris as controller). Data subjects may exercise their rights by emailing dpo@ombris.com with the subject line “Data Subject Rights Request.” Ombris shall respond to valid requests within thirty (30) days. If the request is complex or Ombris receives a large number of requests, Ombris may extend the response period by an additional sixty (60) days, provided Ombris notifies the data subject within the initial thirty (30) day period.
End users (Ombris as processor). End users whose data is processed through the Platform on behalf of a Customer should direct their rights requests to their employer (the Customer / Data Controller). If an end user contacts Ombris directly, Ombris will redirect the request to the relevant Customer and assist in fulfilling the request in accordance with the Data Processing Policy.
8.3 Verification and limitations
Ombris may verify the identity of a data subject before fulfilling a rights request to prevent unauthorized access. Data subject rights may be limited where applicable law provides exceptions or restrictions, where fulfilling the request would adversely affect the rights and freedoms of others, or where the request is manifestly unfounded or excessive.
10 Security measures
10.1 Encryption
All data transmitted between users and the Ombris Platform is encrypted using TLS 1.2 or higher. Service-to-service communications within the Platform infrastructure use encrypted channels. Customer Data stored in databases is encrypted using AES-256. Microsoft Graph API access tokens and refresh tokens are encrypted using AES-256-CBC with a dedicated encryption key managed through AWS Key Management Service (KMS). Database backups are encrypted.
10.2 Access control
All access to Customer Data within the Platform is governed by role-based permissions. Access to production systems by Ombris personnel is restricted to authorized individuals on a need-to-know basis, subject to multi-factor authentication, and logged in audit trails. All system accounts and API integrations are configured with the minimum permissions necessary.
10.3 Infrastructure security
The Platform is deployed within an AWS Virtual Private Cloud (VPC) with private subnets, security groups, and network ACLs restricting inbound and outbound traffic. A Web Application Firewall protects against OWASP Top 10 vulnerabilities, and AWS Shield provides protection against distributed denial-of-service attacks. Ombris conducts regular security vulnerability assessments and remediation.
10.4 Incident response and breach notification
Ombris maintains a documented security incident response plan covering detection and classification, containment, eradication and recovery, breach notification, and post-incident review. In the event of a confirmed personal data breach, Ombris shall notify the affected Customer within forty-eight (48) hours of becoming aware of the breach and, where required, assist the Customer in notifying the relevant supervisory authority within seventy-two (72) hours. A detailed incident report is provided within thirty (30) days.
11 Children’s privacy
The Ombris Platform is designed for enterprise use and is not directed at individuals under the age of eighteen (18). Ombris does not knowingly collect personal data from children. If Ombris becomes aware that it has inadvertently collected personal data from a child, it shall promptly delete the data and notify the relevant Customer.
12 Changes to this privacy policy
Ombris may update this Privacy Policy from time to time to reflect changes in data practices, legal requirements, or business operations. We shall provide notice of material changes by email to the Customer’s registered administrator email address at least thirty (30) days before the changes take effect, by displaying a prominent notice within the Platform, and by updating the “Last updated” date at the top of this policy. Continued use of the Platform after the effective date of the updated Privacy Policy constitutes acceptance. Prior versions are available on request by contacting dpo@ombris.com.
13 Contact information
13.1 Data Protection Officer
Ombris has designated a Data Protection Officer responsible for overseeing compliance with data protection laws and this Privacy Policy.
13.2 General inquiries
13.3 Supervisory authorities
Data subjects have the right to lodge a complaint with a supervisory authority if they believe their personal data is being processed in violation of applicable law. Ombris encourages data subjects to contact us first to resolve any concerns before escalating to a supervisory authority.