Islamic Open Finance™ is built for regulated financial institutions. Every rail, every API, every byte of data is engineered to bank-grade standards — AAOIFI, IFSB, SOC 2, ISO 27001, GDPR, PSD2, ISO 20022, Basel III, EU AI Act, FATF, MiCA, and DORA — from day one, not bolted on afterward.
Twelve regulatory regimes, one platform. Every standard below is either independently certified, aligned-by-design, actively in progress, or has a committed delivery date — no made-up compliance, no misleading badges.
AAOIFI Shariah Standards (SS-8 through SS-39)
Every Islamic contract schema (Murabaha, Ijarah, Musharakah, Mudarabah, Salam, Istisna, Wakalah, Sukuk, Takaful, Waqf) is modelled to AAOIFI Shariah Standards. Annual external Shariah audit planned for 2026 Q4.
IFSB Prudential Standards
Capital adequacy, risk management, and corporate governance modelled to IFSB guidance for Islamic financial services.
SOC 2 Type II (AICPA TSC)
Security, availability, confidentiality, and privacy controls engineered to SOC 2 TSC. Type I readiness assessment scheduled 2026 Q3; Type II audit window opens 2027 Q1.
ISO/IEC 27001:2022 ISMS
Information Security Management System established. Stage 1 gap analysis scheduled 2026 Q4.
EU General Data Protection Regulation
Data minimisation, consent management, right to erasure, data portability, and lawful-basis-for-processing implemented at every data boundary. EU hosting available (AWS eu-west-1 + Cloudflare EU-resident edge).
EU Revised Payment Services Directive
Strong Customer Authentication (SCA), secure communication (mTLS + signed requests), and third-party provider (TPP) authorization modelled in the payments rail.
ISO 20022 Financial Messaging
All financial messages (payment initiation, settlement, reconciliation) use ISO 20022 XML/JSON schemas with standardized identifiers (ISIN, LEI, BIC).
Basel III Capital & Liquidity Standards
Liquidity coverage ratio (LCR) and net stable funding ratio (NSFR) modelled in the liquidity rail. Capital adequacy assessment hooks exposed to regulators.
EU AI Act — High-Risk Financial AI
Article 73 serious-incident reporting pipeline implemented. Risk classification, transparency, and human-oversight controls for high-risk credit decisioning engines in active build. See euai.islamicopenfinance.com.
Financial Action Task Force Recommendations
Travel Rule, beneficial-ownership, and AML/CFT controls implemented in the KYC and AML rails.
EU Markets in Crypto-Assets Regulation
Where tokenised sukuk and stablecoin-settled trades are in scope, issuer disclosures and orderly-market conduct modelled to MiCA.
EU Digital Operational Resilience Act
ICT risk register, third-party monitoring, and incident-classification thresholds being formalised. Target: 2026 Q4.
Engineering principles enforced at every layer of the platform.
TLS 1.3 in transit. AES-256 at rest. HSM-backed key custody for production secrets. No plaintext secrets in code, logs, or artefacts.
Cerbos ABAC on every resource endpoint. Principle of least privilege. Break-glass for production requires human approval + audit trail.
Every API call logs who, what, when, why as structured JSON. Immutable audit log with 7-year retention for regulated jurisdictions.
Multi-region capable (AWS eu-west-1 + Cloudflare global edge). Zero single-point-of-failure architecture. Health checks on every service.
Tenant data stays in the tenant's chosen region. EU tenants: AWS eu-west-1 + Cloudflare EU-resident edge. No cross-region replication without explicit consent.
Fingerprinted failure pipeline (docs/incidents/). Structured JSON failure context. Automated triage. Customer notification SLA: 24 hours for material incidents.
Every third party that may process tenant data, what they do, where they do it, and what it covers. Material changes are communicated in advance per our DPA.
| Sub-processor | Purpose | Region | Data types |
|---|---|---|---|
| Amazon Web Services (AWS) | Compute (ECS Fargate), storage (S3), secrets (SSM + Secrets Manager), email (SES), observability (CloudWatch), DNS (Route53) | eu-west-1 (Ireland); us-east-1 available for US tenants | Encrypted application data, audit logs, tenant config. Customer PII encrypted at rest (AES-256) and in transit (TLS 1.3). |
| Cloudflare | Edge routing (Workers), static hosting (Pages), DDoS protection (Magic Transit), DNS, WAF | Global edge (300+ cities); EU-resident edge for EU tenants | Routing metadata, request headers, cache TTLs. No customer PII stored at edge. |
| Clerk | Authentication (OAuth, SSO, passkeys, MFA) | US + EU-resident deployments available | User identifiers (email, name), authentication metadata, session tokens. No financial data. |
| Stripe | Billing, subscriptions, usage metering, invoicing | Global, routed by tenant domicile | Billing identifiers, invoice history. PCI DSS Level 1 scope handled entirely by Stripe — IOF never touches PAN data. |
| GitHub (Microsoft) | Source code hosting, CI/CD (Actions), container registry (GHCR) | US (multi-region resilience) | Source code, build artifacts, audit logs. No customer PII. |
| Anthropic | AI-assisted code review and agent tooling (Claude) — engineering systems only, never customer data | US | Source code context and agent telemetry. Customer data never sent to LLM providers. |
Every production-affecting incident is fingerprinted, root-caused, and documented. Real-time service availability is on the status page.
No production-affecting incidents have been disclosed prior to general availability. Pre-GA incident reports live at docs/incidents/ in the platform repository.
Legal documents governing the use of Islamic Open Finance™.
Dedicated channels for security, compliance, and privacy.