Trust Center

The IOF Trust Center publishes attestations and compliance evidence for every framework the platform supports. It is designed for auditors, procurement teams, and regulators who need to verify IOF’s posture independently.

Live: trust.islamicopenfinance.com.

An attestation is a signed, timestamped assertion about a specific control, policy, or evidence pack. Every attestation is:

  • Identified by a content-addressed hash
  • Signed by IOF’s Trust key (JWKS published at /.well-known/jwks.json)
  • Timestamped via RFC 3161 / Roughtime
  • Reproducible from the underlying audit events

Attestation lifecycle events:

  • trust.attestation.created
  • trust.attestation.verified
  • trust.attestation.revoked

Schemas live in packages/event-schema-registry/src/schemas/trust-events.ts. The canonical authorisation policy is config/cerbos/policies/trust_attestation.yaml.

The Trust Center publishes independent attestations for:

Framework | Scope
--- | ---
SOC 2 Type II | Platform controls — security, availability, confidentiality, processing integrity
GDPR | Data processing, DPIA, controller/processor agreements, DSAR flow
PSD2 / SCA | Strong Customer Authentication, dynamic linking, TPP access
ISO 27001 | ISMS scope, risk treatment, Statement of Applicability
AAOIFI | Shariah Standards SS-8 through SS-39 — per-rail applicability map
IFSB | IFSB-1 through IFSB-27 — prudential + governance standards
EU AI Act | Regulation 2024/1689 — risk classification, conformity assessment, Article 73 incident reporting, GPAI obligations

To verify an attestation independently:

  1. Fetch the attestation envelope from trust.islamicopenfinance.com/attestations/<id>
  2. Resolve the signing key via /.well-known/jwks.json
  3. Verify the JWS signature
  4. Walk the evidence_source event IDs — each one points to an immutable record in the audit log
  5. Optionally replay the evidence bundle from source events to confirm reproducibility

Every attestation is backed by an audit trail of structured events. The audit trail is:

  • Append-only (immutable via content-hash chaining)
  • Tenant-scoped (cross-tenant reads are denied at the service PDP)
  • Replayable (every attestation is reconstructable from source events)
  • Exportable (signed JSON + SARIF formats for regulators)

Related components:

  • Widgets: evidence-pack-viewer renders Trust Center evidence bundles
  • Agents: the evidence-pack agent generates regulator-ready bundles on demand
  • EU AI Act rail reference: /api/rails/eu-ai-act