Security, compliance, and accountability.
Islamic Open Finance™ is built for regulated financial institutions. Every rail, every API, every byte of data is engineered to bank-grade standards — AAOIFI, IFSB, SOC 2, ISO 27001, GDPR, PSD2, PSD3 (designed for), ISO 20022, Basel III, EU AI Act, FATF, MiCA, and DORA — from day one, not bolted on afterward.
Attestations & Standards
Thirteen regulatory regimes, one platform. Every standard below is either independently certified, aligned-by-design, actively in progress, or has a committed delivery date — no made-up compliance, no misleading badges.
AAOIFI
AAOIFI Shariah Standards (SS-8 through SS-39)
Every Islamic contract schema (Murabaha, Ijarah, Musharakah, Mudarabah, Salam, Istisna, Wakalah, Sukuk, Takaful, Waqf) is modelled to AAOIFI Shariah Standards. Annual external Shariah audit planned for 2026 Q4.
IFSB
IFSB Prudential Standards
Capital adequacy, risk management, and corporate governance modelled to IFSB guidance for Islamic financial services.
SOC 2 Type II
SOC 2 Type II (AICPA TSC)
Security, availability, confidentiality, and privacy controls engineered to SOC 2 TSC. Type I readiness assessment scheduled 2026 Q3; Type II audit window opens 2027 Q1.
ISO 27001
ISO/IEC 27001:2022 ISMS
Information Security Management System established. Stage 1 gap analysis scheduled 2026 Q4.
GDPR
EU General Data Protection Regulation
Data minimisation, consent management, right to erasure, data portability, and lawful-basis-for-processing implemented at every data boundary. EU hosting available (AWS eu-west-1 + Cloudflare EU-resident edge).
PSD2
EU Revised Payment Services Directive
Strong Customer Authentication (SCA), secure communication (mTLS + signed requests), and third-party provider (TPP) authorization modelled in the payments rail.
PSD3 / PSR
EU Payment Services Directive 3 + Payment Services Regulation
Forward-compatible with PSD3 + PSR (COM(2023) 366/367): enhanced SCA, IBAN-name match (VOP), Open Finance scopes via FIDA, instant-payment fraud framework, and merged EMD2 scope.
ISO 20022
ISO 20022 Financial Messaging
All financial messages (payment initiation, settlement, reconciliation) use ISO 20022 XML/JSON schemas with standardized identifiers (ISIN, LEI, BIC).
Basel III
Basel III Capital & Liquidity Standards
Liquidity coverage ratio (LCR) and net stable funding ratio (NSFR) modelled in the liquidity rail. Capital adequacy assessment hooks exposed to regulators.
EU AI Act
EU AI Act — High-Risk Financial AI
Article 73 serious-incident reporting pipeline implemented. Risk classification, transparency, and human-oversight controls for high-risk credit decisioning engines in active build. See euai.islamicopenfinance.com.
FATF
Financial Action Task Force Recommendations
Travel Rule, beneficial-ownership, and AML/CFT controls implemented in the KYC and AML rails.
MiCA
EU Markets in Crypto-Assets Regulation
Where tokenised sukuk and stablecoin-settled trades are in scope, issuer disclosures and orderly-market conduct modelled to MiCA.
DORA
EU Digital Operational Resilience Act
ICT risk register, third-party monitoring, and incident-classification thresholds being formalised. Target: 2026 Q4.
Security Practices
Engineering principles enforced at every layer of the platform.
Encryption
TLS 1.3 in transit. AES-256 at rest. HSM-backed key custody for production secrets. No plaintext secrets in code, logs, or artefacts.
Access Control
ABAC policy enforcement on every resource endpoint. Principle of least privilege. Break-glass for production requires human approval + audit trail.
Audit Trail
Every API call logs who, what, when, why as structured JSON. Immutable audit log with 7-year retention for regulated jurisdictions.
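As an added illustration of the access-control and audit-trail practices above (example code, not the platform's own), the following Python sketch evaluates a deny-by-default ABAC policy for a resource request, including a break-glass rule that only matches when a named approver is present, and writes each decision, allowed or denied, to a who/what/when/why record whose SHA-256 chain makes later alteration detectable. The rule schema, the attribute names (role, tenant, region, break_glass_approver) and the hash chain are assumptions made for this example.

```python
"""ABAC decision plus structured, hash-chained audit record for a resource endpoint.

Added example, not the platform's own code. The rule schema, attribute names
(role, tenant, region, break_glass_approver) and the SHA-256 chain that makes
the log tamper-evident are assumptions made for this illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy. Deny-by-default: a request matching no rule is refused.
POLICY = [
    {"id": "ledger-read-same-tenant", "action": "read", "resource_type": "ledger",
     "subject_roles": {"auditor", "ops"}, "same_tenant": True, "same_region": True},
    {"id": "ledger-write-ops", "action": "write", "resource_type": "ledger",
     "subject_roles": {"ops"}, "same_tenant": True, "same_region": True},
    # Break-glass: production config writes need a named human approver.
    {"id": "prod-config-break-glass", "action": "write", "resource_type": "prod-config",
     "subject_roles": {"ops"}, "same_tenant": False, "same_region": False,
     "requires_approver": True},
]


def evaluate(policy, subject, action, resource):
    """Return (allowed, rule_id). First matching rule wins; no match means deny."""
    for rule in policy:
        if rule["action"] != action or rule["resource_type"] != resource["type"]:
            continue
        if subject["role"] not in rule["subject_roles"]:
            continue
        if rule["same_tenant"] and subject["tenant"] != resource["tenant"]:
            continue
        if rule["same_region"] and subject["region"] != resource["region"]:
            continue
        if rule.get("requires_approver") and not subject.get("break_glass_approver"):
            continue
        return True, rule["id"]
    return False, None


GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only list of who/what/when/why records; each record hashes its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, who, what, when, why, decision):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"who": who, "what": what, "when": when, "why": why,
                "decision": decision, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """True iff every record still hashes to its chain position.

        A changed, dropped or reordered earlier record breaks the chain; detecting
        truncation of the tail additionally needs the latest hash anchored elsewhere.
        """
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def handle_request(log, subject, action, resource, why, when=None):
    """Enforce the policy, then record the decision (allowed or denied) before returning."""
    allowed, rule_id = evaluate(POLICY, subject, action, resource)
    log.append(
        who={"id": subject["id"], "role": subject["role"], "tenant": subject["tenant"]},
        what=f"{action}:{resource['type']}/{resource['id']}",
        when=when or datetime.now(timezone.utc).isoformat(),
        why=why,
        decision={"allowed": allowed, "rule": rule_id},
    )
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    auditor = {"id": "u-17", "role": "auditor", "tenant": "t-eu-1", "region": "eu-west-1"}
    ledger = {"type": "ledger", "id": "L-42", "tenant": "t-eu-1", "region": "eu-west-1"}
    print(handle_request(log, auditor, "read", ledger, why="quarterly review"))  # True
    print(handle_request(log, auditor, "write", ledger, why="fix typo"))         # False
    print(log.verify())                                                          # True
    log.entries[0]["why"] = "edited after the fact"
    print(log.verify())                                                          # False
    for entry in log.entries:
        print(json.dumps(entry, sort_keys=True))
```

Denials are logged with the same structure as grants, which is what makes the trail useful for both access reviews and incident reconstruction; the chain only proves integrity, so retention and write-once storage still have to be enforced by the backing store.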
Infrastructure
Multi-region capable (AWS eu-west-1 + Cloudflare global edge). Zero single-point-of-failure architecture. Health checks on every service.
Data Residency
Tenant data stays in the tenant's chosen region. EU tenants: AWS eu-west-1 + Cloudflare EU-resident edge. No cross-region replication without explicit consent.
Incident Response
Fingerprinted failure pipeline (docs/incidents/). Structured JSON failure context. Automated triage. Customer notification SLA: 24 hours for material incidents.
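An added example (not the platform's own pipeline) of what fingerprinting a failure means in practice: per-occurrence values such as UUIDs, timestamps and numbers are stripped from the message, and the exception type plus the innermost code frames are hashed so that recurring failures collapse to one fingerprint with a count, while the full structured context is kept for triage. The normalisation rules, the JSON field names, the severity rule and the constructed `settle` function are assumptions made for this illustration.

```python
"""Failure fingerprinting and structured failure context for triage.

Added example, not the platform's own pipeline. The normalisation rules,
the JSON field names and the severity rule are assumptions.
"""
import hashlib
import json
import os
import re
import traceback

# Tokens that vary per occurrence and would otherwise defeat grouping.
_VOLATILE = [
    (re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I), "<uuid>"),
    (re.compile(r"\d{4}-\d{2}-\d{2}T[\d:.+Z-]+"), "<ts>"),
    (re.compile(r"0x[0-9a-f]+", re.I), "<addr>"),
    (re.compile(r"\b\d+\b"), "<n>"),
]


def normalise(text):
    """Replace per-occurrence values so equivalent failures read identically."""
    for pattern, token in _VOLATILE:
        text = pattern.sub(token, text)
    return text


def fingerprint(exc, frames=3):
    """Stable short ID from exception type, normalised message and innermost frames.

    Line numbers are deliberately excluded so a refactor does not split a group.
    """
    tb = traceback.extract_tb(exc.__traceback__)[-frames:]
    frame_sig = [f"{os.path.basename(f.filename)}:{f.name}" for f in tb]
    material = json.dumps(
        {"type": type(exc).__name__, "msg": normalise(str(exc)), "frames": frame_sig},
        sort_keys=True,
    )
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def failure_context(exc, service, tenant, request_id):
    """JSON-ready record for the incident store; the severity rule is an assumption."""
    severity = "high" if isinstance(exc, (ConnectionError, TimeoutError)) else "medium"
    return {
        "fingerprint": fingerprint(exc),
        "type": type(exc).__name__,
        "message": str(exc),
        "normalised_message": normalise(str(exc)),
        "service": service,
        "tenant": tenant,
        "request_id": request_id,
        "severity": severity,
    }


def group_by_fingerprint(exceptions):
    """Collapse a batch of failures into one row per fingerprint with a count."""
    groups = {}
    for exc in exceptions:
        fp = fingerprint(exc)
        if fp not in groups:
            groups[fp] = {"type": type(exc).__name__, "example": str(exc), "count": 0}
        groups[fp]["count"] += 1
    return groups


def capture(fn, *args):
    """Run fn and return the exception it raised (None on success)."""
    try:
        fn(*args)
    except Exception as exc:
        return exc
    return None


def settle(payment_id, amount):
    """Constructed failing step used only to generate sample exceptions."""
    if amount < 0:
        raise ValueError(
            f"settlement of {amount} failed for payment {payment_id} at 2026-03-01T10:15:00Z"
        )
    return True


if __name__ == "__main__":
    failures = [
        capture(settle, "3f2a9c1e-7b4d-4e2a-9f01-0a1b2c3d4e5f", -5),
        capture(settle, "9b8c7d6e-5f4a-4b3c-8d2e-1f0a9b8c7d6e", -250),
        capture(settle, "3f2a9c1e-7b4d-4e2a-9f01-0a1b2c3d4e5f", None),  # TypeError
    ]
    for fp, row in group_by_fingerprint(failures).items():
        print(fp, json.dumps(row))
    print(json.dumps(failure_context(failures[0], "settlement", "t-eu-1", "req-1"), indent=2))
```

The two `ValueError`s differ only in amount, payment id and timestamp and therefore share a fingerprint, while the `TypeError` from the same function gets its own; the original message is still stored verbatim in the context record, so normalisation costs no forensic detail.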
Sub-processors
Every third party that may process tenant data, what they do, where they do it, and what it covers. Material changes are communicated in advance per our DPA.
| Sub-processor | Purpose | Region | Data types |
|---|---|---|---|
| Amazon Web Services (AWS) | Compute (ECS Fargate), storage (S3), secrets (SSM + Secrets Manager), email (SES), observability (CloudWatch), DNS (Route53) | eu-west-1 (Ireland); us-east-1 available for US tenants | Encrypted application data, audit logs, tenant config. Customer PII encrypted at rest (AES-256) and in transit (TLS 1.3). |
| Cloudflare | Edge routing (Workers), static hosting (Pages), DDoS protection (Magic Transit), DNS, WAF | Global edge (300+ cities); EU-resident edge for EU tenants | Routing metadata, request headers, cache TTLs. No customer PII stored at edge. |
| Clerk | Authentication (OAuth, SSO, passkeys, MFA) | US + EU-resident deployments available | User identifiers (email, name), authentication metadata, session tokens. No financial data. |
| Stripe | Billing, subscriptions, usage metering, invoicing | Global, routed by tenant domicile | Billing identifiers, invoice history. All cardholder-data scope handled entirely by Stripe (Stripe is a Level 1 certified provider for PCI DSS) — IOF never touches PAN data. |
| GitHub (Microsoft) | Source code hosting, CI/CD (Actions), container registry (GHCR) | US (multi-region resilience) | Source code, build artifacts, audit logs. No customer PII. |
| Anthropic | AI-assisted code review and agent tooling (Claude) — engineering systems only, never customer data | US | Source code context and agent telemetry. Customer data never sent to LLM providers. |
Incident History
Every production-affecting incident is fingerprinted, root-caused, and documented. Real-time service availability is on the status page.
No production-affecting incidents have been disclosed prior to general availability. Pre-GA incident reports live at docs/incidents/ in the platform repository.
Policies & Agreements
Legal documents governing the use of Islamic Open Finance™.
Contacts
Dedicated channels for security, compliance, and privacy.
- Security vulnerabilities: security@islamicopenfinance.com
- Compliance & audit requests: compliance@islamicopenfinance.com
- Data Protection Officer (GDPR): dpo@islamicopenfinance.com
- General inquiries: hello@islamicopenfinance.com