Privacy Policy

A9 Advisory FZ-LLC (“A9 Advisory”, “we”, “us”, or “our”) operates the ArborGRC platform (“Platform”) accessible at arborgrc.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Platform.

We are committed to protecting your privacy in compliance with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, the DIFC Data Protection Law (DIFC Law No. 5 of 2020), the ADGM Data Protection Regulations 2021, and applicable international data protection standards.

2.1 Information You Provide

• Account information: name, email address, organization name, job title, and phone number when you register for an account.
• Billing information: payment details processed securely through our third-party payment provider. We do not store credit card numbers.
• Platform data: compliance frameworks, risk assessments, audit evidence, control documentation, and other GRC data you input into the Platform.
• Communications: correspondence when you contact our support team or provide feedback.

2.2 Information Collected Automatically

• Usage data: pages visited, features used, session duration, and interaction patterns.
• Device information: browser type, operating system, device type, and screen resolution.
• Log data: IP address, access times, and referring URLs.
• Cookies: see our Cookie Policy for details.

We use the information we collect to:

• Provide, maintain, and improve the ArborGRC Platform.
• Process transactions and manage your account.
• Send administrative communications (service updates, security alerts, support messages).
• Analyze usage patterns to improve user experience and Platform performance.
• Comply with legal obligations and enforce our terms.
• Detect, prevent, and address fraud, abuse, or security issues.

We do not sell your personal data to third parties. We do not use your GRC data for advertising, profiling, or any purpose other than providing the Platform service.

Your data is stored on secure cloud infrastructure with encryption at rest (AES-256) and in transit (TLS 1.2+). We implement industry-standard security measures including:

• Role-based access control (RBAC) with row-level security.
• Regular security assessments and penetration testing.
• Automated backup and disaster recovery procedures.
• SOC 2 Type II aligned controls (certification in progress).

Data residency: your Platform data is hosted in the Asia-Pacific region. We are working toward UAE Sovereign Cloud hosting for customers who require in-country data residency.

We may share your information with:

• Service providers: trusted third parties who assist in operating the Platform (cloud hosting, payment processing, analytics), bound by confidentiality agreements.
• Legal requirements: when required by law, regulation, legal process, or governmental request.
• Business transfers: in connection with a merger, acquisition, or sale of assets, with prior notice.

We will never share your GRC compliance data, risk assessments, or audit evidence with any third party without your explicit written consent.

Under applicable data protection laws, you have the right to:

• Access: request a copy of your personal data.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request deletion of your personal data (subject to legal retention requirements).
• Portability: receive your data in a structured, machine-readable format.
• Restriction: limit how we process your data.
• Objection: object to processing based on legitimate interests.

To exercise any of these rights, contact us at privacy@a9advisory.com. We will respond within 30 days.

We retain your personal data for as long as your account is active or as needed to provide services. Upon account deletion, we will remove your personal data within 90 days, except where retention is required by law or for legitimate business purposes (e.g., audit trail requirements).

Platform data (GRC frameworks, controls, risks, evidence) is retained for the duration of your subscription. Upon termination, you may export your data for 30 days before permanent deletion.

If your data is transferred outside the UAE, we ensure adequate protection through standard contractual clauses, data processing agreements, and compliance with applicable cross-border transfer requirements under UAE data protection laws.

ArborGRC is a business-to-business platform not intended for individuals under the age of 18. We do not knowingly collect personal data from minors.

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Continued use of the Platform after changes constitutes acceptance.