Data Processing Agreement

Effective Date: January 1, 2025

Last Updated: January 30, 2025

This Data Processing Agreement (“DPA”) forms part of the agreement between Islamic Open Finance™ (“Processor”) and the Customer (“Controller”) for the provision of Services.

  • “Personal Data” means any information relating to an identified or identifiable natural person
  • “Processing” means any operation performed on Personal Data
  • “Data Subject” means the individual to whom Personal Data relates
  • “Sub-processor” means any third party engaged by the Processor to process Personal Data
  • “Supervisory Authority” means an independent public authority responsible for data protection

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Services.

The Processor shall Process Personal Data only:

  • To provide the Services as specified in the main agreement
  • In accordance with the Controller’s documented instructions
  • To comply with applicable laws and regulations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Inform the Controller if an instruction infringes applicable data protection law
  • Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to personnel who need it for the Services

Implement appropriate technical and organizational measures including:

  • Encryption of Personal Data in transit and at rest
  • Ongoing confidentiality, integrity, availability of systems
  • Ability to restore availability and access following an incident
  • Regular testing and evaluation of security measures
  • Not engage Sub-processors without prior authorization from the Controller
  • Ensure Sub-processors are bound by equivalent data protection obligations
  • Remain liable for Sub-processor compliance

Assist the Controller in responding to Data Subject requests including:

  • Access requests
  • Rectification requests
  • Erasure requests
  • Data portability requests
  • Notify the Controller without undue delay upon becoming aware of a Personal Data breach
  • Provide information necessary for the Controller to fulfill breach notification obligations
  • Assist in breach investigation and mitigation

Assist the Controller with:

  • Data Protection Impact Assessments
  • Prior consultations with Supervisory Authorities

The Controller shall:

  • Provide lawful Processing instructions
  • Ensure lawful basis for Processing
  • Inform Data Subjects about the Processing
  • Respond to Data Subject requests
  • Conduct necessary risk assessments

Personal Data may only be transferred outside the EEA where:

  • The destination country has an adequacy decision
  • Standard Contractual Clauses are in place
  • Binding Corporate Rules apply
  • Other lawful transfer mechanisms exist

The parties hereby incorporate the EU Standard Contractual Clauses for Controller-to-Processor transfers.

The Processor shall make available to the Controller:

  • Information necessary to demonstrate compliance
  • Audit and inspection rights
  • Audits shall be conducted with reasonable notice
  • The Controller may appoint a third-party auditor
  • Costs of audits shall be borne by the Controller

Upon termination of Services:

  • The Processor shall delete or return all Personal Data
  • Deletion shall be certified upon request
  • Retention may continue only where required by law

The following Sub-processors are approved as of the Effective Date:

Sub-processor | Purpose | Location
Amazon Web Services | Cloud Infrastructure | US/EU
Cloudflare | CDN and Security | Global
Stripe | Payment Processing | US/EU

The Controller may subscribe to Sub-processor updates at subprocessors@islamicopenfinance.com.

The Processor shall be liable for damages caused by Processing that violates this DPA or the Controller’s lawful instructions.

Liability shall be subject to the limitations set forth in the main agreement.

This DPA shall remain in effect for the duration of the main agreement.

Obligations relating to confidentiality and data deletion shall survive termination.

This DPA shall be governed by the laws specified in the main agreement.

This DPA may only be amended in writing signed by both parties.

For DPA-related inquiries:

Islamic Open Finance™


© 2025 Islamic Open Finance™. All rights reserved.