GDPR
EU General Data Protection Regulation
Overview
The EU General Data Protection Regulation (GDPR) requires that personal data be processed lawfully, transparently, and securely. IOF has operated under its GDPR controls since launch: a Data Protection Officer (DPO) is designated, a Data Processing Agreement (DPA) is available, and EU tenants are hosted exclusively in AWS eu-west-1 (Ireland) with Cloudflare EU-resident edge nodes.
Scope
Applies to all processing of personal data relating to individuals in the EU, across the entire IOF platform. Tenant data is region-isolated. The DPO can be reached at dpo@islamicopenfinance.com.
Key Controls
- Data minimisation: only data necessary for the stated purpose is collected
- Consent management: where consent is the lawful basis, explicit consent is captured and audited per user
- Right to erasure: erasure requests fulfilled within 30 days of receipt (GDPR requires action without undue delay and at most within one month)
- Data portability: tenant data exportable in structured, commonly used, machine-readable formats
- Lawful basis: documented for every processing activity
- Data Protection Officer (DPO) designated: dpo@islamicopenfinance.com
- EU hosting: AWS eu-west-1 (Ireland) + Cloudflare EU-resident edge
- Sub-processor register maintained and DPA available on request
Certification & Audit
Self-attested (no third-party GDPR certification); DPA available at /legal/data-processing-agreement/
Annual review; DPA updated on material changes with 30-day advance notice
Evidence Bundle
Evidence pack available on request
Contact compliance@islamicopenfinance.com to request the evidence pack for this framework. We typically respond to audit requests within two business days.