CE
ComplyEngine
Open Platform

Data Processing Agreement

Last updated: 1 April 2026

1. Scope and Purpose

This Data Processing Agreement (“DPA”) supplements the Terms of Service and governs the processing of personal data by Islamic Open Finance™ (“Processor”) on behalf of the Customer (“Controller”) in connection with the ComplyEngine service.

2. Processing Details

  • Subject matter: EU AI Act compliance management
  • Duration: For the term of the service agreement
  • Nature and purpose: Storage, analysis, and reporting of AI system compliance data
  • Types of personal data: AI system operator data, assessment records, incident reports, oversight logs
  • Categories of data subjects: AI system operators, deployers, affected persons referenced in incident reports

3. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller (Art. 28(3)(a) GDPR)
  • Ensure persons authorised to process data are bound by confidentiality obligations (Art. 28(3)(b) GDPR)
  • Implement appropriate technical and organisational security measures (Art. 28(3)(c) / Art. 32 GDPR)
  • Assist the Controller with data subject rights requests (Art. 28(3)(e) GDPR)
  • Delete or return all personal data at the end of the service (Art. 28(3)(g) GDPR)
  • Make available all information necessary to demonstrate compliance and allow audits (Art. 28(3)(h) GDPR)

4. Sub-Processors

The Processor may engage sub-processors with prior written authorisation from the Controller. Current sub-processors include cloud infrastructure providers within the EEA. The Processor shall notify the Controller of any intended changes to sub-processors and ensure equivalent data protection obligations are imposed.

5. International Transfers

The Processor shall not transfer personal data outside the EEA without appropriate safeguards. Where transfers are necessary, Standard Contractual Clauses (Commission Decision 2021/914) shall apply.

6. Security Measures

The Processor implements the following measures: TLS 1.3 encryption in transit, AES-256 encryption at rest, role-based access control, audit logging, regular penetration testing, incident response procedures, and business continuity planning.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 48 hours) of becoming aware of a personal data breach, providing all information required under Article 33(3) GDPR.

8. Governing Law

This DPA is governed by the laws of the European Union and the Member State in which the Controller is established. For questions, contact dpo@islamicopenfinance.com.