Data Processing Agreement

Our commitment to protecting personal data in compliance with GDPR and international data protection standards.

Effective Date: February 2026

This Data Processing Agreement ("DPA") supplements our Terms of Service and Privacy Policy, and applies to all processing of personal data on behalf of our customers.

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Agreement between Islamic Open Finance™ (“Processor”) and Customer (“Controller”) for the provision of Platform services.

2. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person. “Processing” means any operation performed on Personal Data, whether automated or not, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.

3. Scope of Processing

Processor shall process Personal Data only on documented instructions from Controller, including transfers to third countries, unless required by applicable law. The subject matter, duration, nature, and purpose of processing are defined in the main Agreement.

4. Processor Obligations

Processor shall ensure authorized personnel are bound by confidentiality obligations, implement appropriate technical and organisational security measures, assist Controller in responding to data subject requests, and delete or return all Personal Data upon termination of services.

5. Security Measures

Processor maintains comprehensive security measures including AES-256 encryption at rest and TLS 1.3 in transit, role-based access controls, regular security assessments and penetration testing, incident response procedures, and SOC 2 Type II and ISO 27001 certification.

6. Data Breach Notification

Processor shall notify Controller without undue delay (within 72 hours) upon becoming aware of a Personal Data breach, providing details of the breach, affected data subjects, likely consequences, and measures taken to mitigate the breach.

7. International Transfers

Where Personal Data is transferred outside the EEA, Processor shall ensure appropriate safeguards including Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules as required by GDPR Chapter V.

8. Governing Law

This DPA is governed by the same law as the main Agreement. For GDPR purposes, the competent supervisory authority is determined by the Controller's establishment.

Data Protection Officer

For questions about this DPA or our data processing practices, contact our Data Protection Officer:

Dubai International Financial Centre, Dubai, UAE