Data Processing Agreement — Partner Program

Last updated: February 2026

1. Definitions

“Controller” means the party that determines the purposes and means of processing personal data. “Processor” means the party that processes personal data on behalf of the Controller. “Data Subject” means any identified or identifiable natural person whose personal data is processed. “Personal Data” has the meaning given in the UK GDPR and EU GDPR. “Processing” includes any operation performed on personal data. “Sub-Processor” means any third party engaged by the Processor to carry out processing activities. “Standard Contractual Clauses” or “SCCs” means the clauses approved by the European Commission or UK ICO for international data transfers. “IOF” means Islamic Open Finance™. “Partner” means the enrolled partner entity.

2. Scope and Purpose

This Data Processing Agreement (“DPA”) governs the processing of personal data by and between Islamic Open Finance™ (“IOF”) and the enrolled Partner in connection with the Partner Program. This DPA is incorporated into the Partner Program Terms of Service and applies wherever either party processes personal data on behalf of the other. The parties acknowledge their respective roles (Controller and/or Processor) as appropriate to each processing activity. Both parties agree to comply with all applicable data protection laws, including the UK GDPR, EU GDPR, and any successor legislation.

3. Processing Activities and Instructions

Each party as Processor shall process personal data only: (a) on the documented instructions of the Controller; (b) as necessary to perform its obligations under the Partner Agreement; (c) as required by applicable law. Processing activities covered by this DPA include: KYC and AML due diligence on partner personnel; processing of partner contact and identity data for programme administration; access logging and audit trails within the Partner Portal; transmission of integration and usage data for billing and revenue-sharing purposes. The Processor shall inform the Controller if, in its opinion, an instruction infringes applicable data protection law.

4. Data Categories and Data Subjects

The categories of personal data processed under this DPA include: identity data (name, title, company); contact data (email, telephone, address); financial data (bank details, tax identifiers); KYC data (government ID, beneficial ownership); technical data (API credentials, IP addresses, access logs). The data subjects are: authorised representatives and employees of the Partner; end users of partner-built applications where IOF APIs are used; and individuals identified during KYC and AML screening.

5. Confidentiality of Processing

Each party shall ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations, whether by contract or professional duty. Access to personal data must be restricted to personnel who require it for the purposes set out in this DPA, in accordance with the principle of least privilege. Both parties must maintain and enforce appropriate access control policies and audit logs covering all access to personal data.

6. Security Measures

Each party shall implement appropriate technical and organisational security measures to ensure a level of security appropriate to the risk of the processing, including: (a) encryption of personal data in transit (TLS 1.3 minimum) and at rest (AES-256); (b) ongoing confidentiality, integrity, availability, and resilience of processing systems; (c) the ability to restore access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing, and evaluating the effectiveness of security measures; (e) role-based access controls, multi-factor authentication, and privileged access management; (f) regular penetration testing and vulnerability scanning. Security measures shall be aligned with ISO 27001 and reviewed at least annually.

7. Sub-Processors

IOF maintains a list of authorised Sub-Processors engaged in processing activities covered by this DPA. The current Sub-Processor list is available upon request at partnership@islamicopenfinance.com. IOF will provide the Partner with at least thirty (30) days’ prior notice of any intended changes to its Sub-Processor list. If the Partner reasonably objects to a new Sub-Processor on legitimate data protection grounds, the parties will work in good faith to resolve the objection. IOF imposes the same data protection obligations on all Sub-Processors as set out in this DPA, and remains liable to the Controller for any failure by a Sub-Processor to fulfil its obligations.

8. Data Subject Rights

Where the Partner is acting as Processor on behalf of IOF, the Partner shall provide IOF with reasonable assistance to enable IOF to fulfil its obligations to respond to data subject requests within statutory timeframes. Where IOF is acting as Processor, IOF will forward any data subject requests it receives to the Partner Controller within five (5) business days. Neither party shall respond to data subject requests on behalf of the other Controller without prior written consent, except as required by law.

9. Data Protection Impact Assessments

Each party shall provide the other with reasonable assistance in conducting data protection impact assessments (DPIAs) where required under applicable data protection law, and in prior consultations with supervisory authorities. A DPIA is required before commencing any processing that is likely to result in a high risk to the rights and freedoms of natural persons, including large-scale processing of sensitive data or systematic monitoring.

10. Breach Notification

Each party shall notify the other without undue delay, and in any event within forty-eight (48) hours of becoming aware of a personal data breach that is likely to require notification to a supervisory authority or data subjects. Notification must include, to the extent available: (a) a description of the nature of the breach, including categories and approximate number of data subjects and records affected; (b) the likely consequences of the breach; (c) measures taken or proposed to address the breach and mitigate its possible adverse effects; (d) the name and contact details of the Data Protection Officer or responsible contact. The notifying party shall cooperate fully in any investigation and remediation. Both parties retain regulatory notification obligations to their respective supervisory authorities under applicable law.

11. International Data Transfers

Neither party shall transfer personal data to a third country or international organisation except: (a) to a country with an applicable adequacy decision from the UK ICO or European Commission; (b) subject to appropriate safeguards, including SCCs or binding corporate rules; or (c) as otherwise permitted under applicable data protection law. Where SCCs are used, they are deemed incorporated into this DPA by reference. Each party shall maintain a record of all international transfers and the safeguards applied.

12. Audit and Compliance

Each party shall maintain records of its processing activities as required by applicable data protection law. Upon reasonable notice (at least fifteen (15) business days), each party grants the other the right to audit compliance with this DPA, either by conducting an audit or by commissioning a qualified independent auditor, no more than once per calendar year unless a breach is suspected. Audit costs are borne by the requesting party unless the audit reveals material non-compliance, in which case costs are borne by the non-compliant party.

13. Deletion and Return of Data

Upon termination of the Partner Agreement or upon written request, each party as Processor shall, at the Controller’s election, either securely delete or return all personal data processed on behalf of the Controller, and delete existing copies unless retention is required by law. A written certification of deletion shall be provided within thirty (30) days of the request. Data retained pursuant to a legal obligation must be processed solely for that purpose and must be deleted once the obligation expires.

14. Liability and Indemnification

Each party shall be liable to the other for, and shall indemnify the other against, any costs, damages, penalties, or losses incurred as a result of that party’s breach of this DPA or applicable data protection law, including fines imposed by supervisory authorities attributable to that party’s failure. Liability under this DPA is subject to the limitations set out in the Partner Program Terms of Service, except that neither party limits liability for fines or penalties imposed directly by a supervisory authority.

15. Governing Law

This DPA is governed by the laws of England and Wales. Disputes arising from this DPA are subject to the dispute resolution mechanism set out in the Partner Program Terms of Service. Nothing in this DPA reduces either party’s obligations or rights under applicable data protection law, including the right to file complaints with supervisory authorities.

16. Contact

For questions about this Data Processing Agreement, to request the Sub-Processor list, or to exercise rights under this DPA, please contact: partnership@islamicopenfinance.com. Mark correspondence “FAO: Data Protection — Partner DPA” for expedited handling.


© 2026 Islamic Open Finance™. All rights reserved.