← Trust CenterData Residency

Data Residency

IOF processes tenant data in the region you choose at provisioning time. Default residency is selected to satisfy the regulatory regimes in your jurisdiction. No cross-border replication occurs without an explicit DPA addendum.

Regions

eu-west-1
EU West (Ireland)
Cloud · AWS eu-west-1
Edge · EU-resident edge (Frankfurt, Dublin, Amsterdam)
Jurisdictions: EU · EEA · UK
Data law highlights:
  • GDPR + UK GDPR
  • PSD2 / PSD3 (designed-for) + DORA
  • Schrems II adequacy: EU↔EU only by default
Default for: EU customers · UK customers (post-Brexit adequacy)
eu-central-1
EU Central (Frankfurt)
Cloud · AWS eu-central-1
Edge · EU-resident edge
Jurisdictions: EU · EEA
Data law highlights:
  • GDPR + BDSG (German Federal Data Protection Act)
  • DORA + NIS2
  • Bundesbank reporting paths
Default for: DACH customers · EU-only data residency requirements
me-south-1
Middle East South (Bahrain)
Cloud · AWS me-south-1, Cloudflare GCC edges
Edge · GCC-resident edge (Manama, Riyadh, Dubai)
Jurisdictions: BH · AE · SA · QA · KW · OM
Data law highlights:
  • CBB / SAMA / CBUAE data localisation
  • AAOIFI Shariah primary audit jurisdiction
  • PDPL (KSA, Bahrain, UAE)
Default for: GCC customers · Shariah primary audit jurisdiction
ap-southeast-1
APAC South-East (Singapore)
Cloud · AWS ap-southeast-1
Edge · APAC edge (Singapore, Kuala Lumpur, Jakarta)
Jurisdictions: SG · MY · ID · BN
Data law highlights:
  • MAS Notice 644 + Cyber Hygiene Notice
  • BNM PDPA + Bank Negara Malaysia Shariah Governance
  • OJK regulations (Indonesia)
Default for: South-East Asia tenants · MAS / BNM regulated banks
us-east-1
US East (N. Virginia)
Cloud · AWS us-east-1
Edge · Americas edge
Jurisdictions: US
Data law highlights:
  • SOC 2 Type II
  • Inter-region transfer requires DPA addendum + SCCs (Schrems II)
Default for: US-domiciled customers (where applicable)

Cross-Border Data Flows

PurposeSource → DestinationTriggerRetentionSafeguards
Tenant data plane (EU customers)eu-west-1eu-west-1Customer API callTenant-controlled; default 7 years (financial records)
  • TLS 1.3 in transit
  • AES-256 at rest
  • EU-resident edge only
  • No cross-border replication
Shariah audit replication (GCC primary)eu-west-1me-south-1Annual Shariah audit cycle (opt-in per tenant)Audit lifetime + 7 years
  • AES-256 at rest
  • Customer-managed KMS key
  • Tenant must sign DPA addendum + cross-border SCC
  • Pseudonymisation of customer-identifying fields
Incident telemetry to security opsanyeu-west-1P0 / P1 incident5 years (audit retention)
  • TLS 1.3 in transit
  • PII redaction before egress
  • Sentry self-hosted (no third-party SaaS for incidents)

Need a different region?

Contact compliance@islamicopenfinance.com with your jurisdiction and data-residency requirements. We will assess whether an existing region satisfies your obligations or whether a new tenant region needs to be provisioned (typically 6–8 weeks to bring up).