Data Processing Agreement (DPA)
Last updated: 2026-04-14 · Version 1.0 · © 2025 Open Finance Infrastructure Ltd.
This DPA is incorporated into the agreement ("Principal Agreement") between the customer ("Controller") and Open Finance Infrastructure Ltd. ("Processor") for use of the OpenBanq Services, and reflects the parties' agreement with respect to the processing of Personal Data in accordance with the GDPR, UK GDPR, and equivalent regional data-protection laws.
1. Definitions
Capitalised terms have the meanings given in the GDPR unless otherwise defined in the Principal Agreement.
2. Subject matter and duration
The Processor processes Personal Data on behalf of the Controller for the duration of the Principal Agreement. The nature and purpose of processing is provision of open-banking infrastructure services.
3. Categories of data subjects and personal data
Data subjects may include: the Controller's end customers, staff, and authorised representatives. Categories of data: contact details, account identifiers, transaction metadata, consent records, authentication credentials (hashed), audit event metadata.
4. Processor obligations
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law, in which case the Processor will inform the Controller unless the law prohibits this.
- Ensure persons authorised to process are bound by confidentiality.
- Implement appropriate technical and organisational measures per Annex II (summarised: TLS 1.3, AES-256, SOC 2 Type II, ISO 27001, least-privilege access, structured audit trail, incident response plan).
- Assist the Controller with data-subject requests and data-protection impact assessments.
- Notify the Controller of a Personal Data Breach without undue delay and in any event within 72 hours of awareness.
- Delete or return all Personal Data at the end of the Principal Agreement (Controller's choice), unless retention is required by law.
- Make available information necessary to demonstrate compliance and allow for audits (once per year, or more frequently in the case of a Breach).
5. Sub-processors
The Controller authorises the Processor to engage sub-processors for the provision of the Services. The current list is published at openbanqing.com/legal/subprocessors. The Processor gives 30 days' notice of any intended addition or replacement; the Controller may object on reasonable grounds.
6. International transfers
Where Personal Data is transferred outside the EEA/UK, the parties rely on the Standard Contractual Clauses (EU Commission Decision 2021/914, modules 2 or 3 as applicable) and the UK International Data Transfer Addendum, incorporated by reference.
7. Security (Annex II — Technical and Organisational Measures)
- Encryption in transit: TLS 1.3 with perfect forward secrecy, HSTS, certificate pinning for mobile clients.
- Encryption at rest: AES-256-GCM for all persistent stores; customer-managed keys optional on Enterprise tier.
- Access control: role-based with attribute-based authorisation; multi-factor authentication required for all staff; hardware security keys for production access.
- Network security: private VPC, egress allow-list, WAF, DDoS protection.
- Monitoring: SIEM with 90-day hot retention and 7-year cold retention; runtime threat detection; anomaly detection.
- Incident response: documented runbooks, tabletop exercises twice yearly, post-incident reports.
- Business continuity: multi-region active-active, RPO < 5 minutes, RTO < 1 hour on Enterprise tier.
- Personnel: background checks, security awareness training quarterly, NDAs.
- Vendor management: sub-processor reviews, annual re-assessment.
- Certifications: ISO 27001, SOC 2 Type II, PCI DSS (where applicable).
8. Audits
On written request, the Processor makes available its SOC 2 Type II report, ISO 27001 certificate, pentest summaries, and compliance evidence packs. The Controller may request a bespoke audit once per year at the Controller's cost, with 30 days' notice, during business hours, not exceeding 2 business days.
9. Liability
Liability under this DPA is capped and otherwise governed by the limitation of liability clause in the Principal Agreement, except to the extent required otherwise by applicable law.
10. Execution
This DPA is executed electronically via the Customer's order form acceptance. A signed PDF is available on request to [email protected].