Last updated: 2026-04-25 · Version 1.0 · © 2025 Open Finance Infrastructure Ltd.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Open Finance Infrastructure Ltd. ("Processor") for the OpenBanqing Services. It implements the requirements of GDPR Article 28.
You are the Controller of personal data submitted to the Services. We are the Processor, processing data only on your documented instructions.
Processing covers the personal data you submit via the Services for the purpose of delivering open-banking, payment, KYC/AML, and reporting capabilities. Duration matches the term of your subscription plus any retention period required by law.
Data subjects: your customers, employees, suppliers, and end users. Categories: identity (name, address), financial (account references, balances, transactions), authentication (hashed credentials, MFA factors), and behavioural (API usage, audit events). No special categories of data are processed unless explicitly agreed in writing.
We maintain a current list of sub-processors at /legal/sub-processors. We will notify you of any intended changes with at least 30 days' notice; you may object on reasonable grounds.
Technical and organisational measures include TLS 1.3 for data in transit, AES-256 encryption at rest, an ISO 27001-aligned ISMS, SOC 2 Type II controls, Cerbos ABAC authorization enforced on every API endpoint, audit trails written to immutable storage, vulnerability management with a monthly patching cycle, annual penetration testing, and segregation of customer data.
We will notify you of any personal-data breach affecting your data without undue delay and in any event within 72 hours of becoming aware of it. Notifications include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.
You may audit our compliance with this DPA up to once per year on 30 days' written notice, conducted by you or an independent third-party auditor (subject to confidentiality). Our SOC 2 Type II report and ISO 27001 certificate may, at our discretion, satisfy this audit obligation.
Where personal data is transferred outside the EEA or the UK, we rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Agreement (IDTA), or another valid transfer mechanism, with supplementary measures where required.
Upon termination, we will, at your choice, return or delete all personal data processed under this DPA within 30 days, except where retention is required by law.
Liability under this DPA is governed by the limitations in the Terms of Service.