One platform, one language. Zero ambiguity.
A single misused term in a regulatory filing can trigger an audit query. A conflicting definition between a marketing deck and a client agreement can erode trust. This glossary eliminates that risk — one definition per concept, used the same way everywhere.
Who this is for
Marketing, legal, compliance, executive leadership, partners, and regulators — not engineering teams.
How to use it
Treat these definitions as canonical. Use them verbatim in regulatory filings, product materials, and client-facing documents.
| Acronym | Full Form |
|---|---|
| AAOIFI | Accounting and Auditing Organization for Islamic Financial Institutions |
| BCP | Business Continuity Plan |
| BCR | Binding Corporate Rules |
| BIA | Business Impact Analysis |
| BNM | Bank Negara Malaysia |
| CAE | Chief Audit Executive |
| CAP | Corrective Action Plan |
| CCPA / CPRA | California Consumer Privacy Act / California Privacy Rights Act |
| CISO | Chief Information Security Officer |
| COSO | Committee of Sponsoring Organizations of the Treadway Commission |
| CSA | Control Self-Assessment |
| CSRD | Corporate Sustainability Reporting Directive (EU) |
| DLT | Distributed Ledger Technology |
| DORA | Digital Operational Resilience Act (EU) |
| DPA | Data Processing Agreement |
| DPIA | Data Protection Impact Assessment |
| DPO | Data Protection Officer |
| DRP | Disaster Recovery Plan |
| ESG | Environmental, Social, and Governance |
| FedRAMP | Federal Risk and Authorization Management Program (US) |
| GCC | Gulf Cooperation Council |
| GDPR | General Data Protection Regulation (EU) |
| GRC | Governance, Risk, and Compliance |
| GRI | Global Reporting Initiative |
| HIPAA | Health Insurance Portability and Accountability Act (US) |
| IFSB | Islamic Financial Services Board |
| IIA | Institute of Internal Auditors |
| ISMS | Information Security Management System |
| ISO | International Organization for Standardization |
| KPI | Key Performance Indicator |
| KRI | Key Risk Indicator |
| NCSA | National Cyber Security Agency (Qatar) |
| NDPO | National Data Privacy Office (Qatar) |
| NIST | National Institute of Standards and Technology (US) |
| NIST CSF | NIST Cybersecurity Framework |
| OIC | Organisation of Islamic Cooperation |
| OLIR | Online Informative References (NIST crosswalk standard) |
| OSCAL | Open Security Controls Assessment Language (NIST) |
| PCI DSS | Payment Card Industry Data Security Standard |
| PDCA | Plan-Do-Check-Act |
| PDPPL | Personal Data Privacy Protection Law (Qatar, Law No. 13 of 2016) |
| PII | Personally Identifiable Information |
| POA&M | Plan of Action and Milestones |
| PSR | Profit-Sharing Ratio |
| PSIA | Profit Sharing Investment Account |
| QCB | Qatar Central Bank |
| QFC | Qatar Financial Centre |
| QFCRA | Qatar Financial Centre Regulatory Authority |
| RCA | Root Cause Analysis |
| RoPA | Records of Processing Activities |
| RPO | Recovery Point Objective |
| RTO | Recovery Time Objective |
| SAMA | Saudi Central Bank (formerly Saudi Arabian Monetary Authority; the acronym is retained) |
| SASB | Sustainability Accounting Standards Board |
| SCC | Standard Contractual Clauses |
| SFI | Sensitive Financial Information |
| SOC 2 | System and Organization Controls 2 (AICPA; formerly Service Organization Control 2) |
| SoD | Segregation of Duties |
| SOX | Sarbanes-Oxley Act (US) |
| SPI | Sensitive Personal Information |
| SSB | Shariah Supervisory Board |
| TPRM | Third-Party Risk Management |
| VC | Verifiable Credential (W3C standard) |
| VP | Verifiable Presentation (W3C standard) |
| ZKP | Zero-Knowledge Proof |
Governance
The set of policies, roles, responsibilities, and decision-making processes that determine how an organization is directed, controlled, and held accountable.
See also: Control Environment, Three Lines of Defense
Risk
The possibility that an event or condition will adversely affect an organization’s objectives. In practice, risk is measured by its likelihood and potential impact.
See also: Risk Register, Risk Appetite, Risk Tolerance, KRI (Key Risk Indicator)
Compliance
Conforming to applicable laws, regulations, industry standards, and internal policies. Compliance is demonstrated through evidence, not assertions.
See also: Continuous Compliance, Shariah Compliance
Control
A specific measure — whether a policy, process, technical safeguard, or organizational structure — put in place to reduce risk and ensure compliance. Controls may be preventive (stopping issues before they occur), detective (identifying issues that have occurred), or corrective (remediating issues after detection).
See also: Control Objective, Control Environment, Control Self-Assessment (CSA)
Control Objective
The specific outcome a control is designed to achieve. For example, “all cost-plus transactions must have profit margins disclosed and certified as Shariah-compliant” is a control objective that sits between a regulatory obligation and the workflows that fulfill it.
Control Environment
The foundational tone, culture, and structures an organization establishes to support effective internal controls. The control environment includes management’s integrity and ethical values, the board’s oversight role, organizational structure, authority assignment, and human resource policies. It is the first of the five COSO internal control components.
Evidence
Records, documents, logs, or artifacts that demonstrate a control is implemented and operating effectively. Evidence may include audit logs, signed attestations, system screenshots, configuration exports, or compliance reports.
Audit
A formal, independent assessment that examines whether an organization’s controls and processes meet specified requirements. Audits may be internal (conducted by the organization) or external (conducted by third-party auditors or regulators).
See also: Shariah Audit, Chief Audit Executive (CAE), Audit Trail
Audit Trail
A chronological record of activities, changes, and decisions that provides a verifiable history of actions taken. An immutable audit trail is append-only: entries cannot be altered or deleted after the fact without the tampering being detectable.
Attestation
A formal statement by a responsible party — whether internal management or an external auditor — confirming that specified conditions, controls, or requirements have been met.
Remediation
Corrective actions taken to address deficiencies, gaps, or noncompliance findings identified through monitoring, audits, or assessments. Remediation typically follows a structured plan with deadlines, owners, and verification steps.
See also: Corrective Action Plan (CAP), Root Cause Analysis (RCA), POA&M (Plan of Action and Milestones)
Plan of Action and Milestones (POA&M)
A structured document tracking remediation items: what deficiency was found, what corrective action is planned, who is responsible, and when it must be completed. Commonly required by US federal frameworks (as defined by NIST SP 800-37).
See also: Corrective Action Plan (CAP)
Continuous Monitoring
Ongoing, automated or manual checks that ensure controls remain effective over time. Rather than relying solely on periodic audits, continuous monitoring surfaces issues as they arise.
Continuous Compliance
The practice of continuously collecting, assessing, and reporting compliance evidence so that an organization can demonstrate its compliance posture at any point in time — not just during scheduled audit windows.
Compliance Posture
The aggregated, point-in-time status of an organization’s compliance across all applicable frameworks, controls, and regulatory requirements.
Policy-to-Proof
The end-to-end process of connecting a written policy to the specific controls, evidence, and attestations that prove the policy is being followed. This is the core operating model of the ZeroH platform.
Three Lines of Defense
A widely adopted governance model defined by the Institute of Internal Auditors (restated in 2020 as the IIA Three Lines Model) with three layers of accountability: (1) operational management, which owns and executes controls; (2) risk and compliance functions, which provide oversight and monitoring; and (3) internal audit, which provides independent assurance.
See also: Chief Audit Executive (CAE), Independence
Gap Analysis
The process of identifying where an organization’s current controls, evidence, or processes fall short of what a regulatory framework or standard requires. Gap analysis produces a prioritized list of missing or inadequate controls.
See also: Maturity Model, Control Mapping
Control Mapping
The process of connecting regulatory requirements to specific controls, evidence types, and responsible parties. Cross-framework control mapping identifies where a single control satisfies requirements from multiple standards simultaneously (for example, one access-control policy satisfying both ISO 27001 and SOC 2).
Exception Governance
The formal process for documenting, approving, and tracking cases where a control requirement cannot be fully met. Exceptions must be explicitly justified, time-bound, and periodically reviewed — they are not permanent waivers.
See also: Darura
Obligation
A binding requirement derived from a law, regulation, standard, or contract. Obligations sit at the top of the compliance hierarchy: each obligation maps to one or more control objectives, which in turn map to specific controls and evidence.
Finding
An issue discovered during a compliance assessment. Findings may be classified as gaps (missing controls), deficiencies (inadequate controls), observations (areas for improvement), or exceptions (acknowledged deviations).
See also: Corrective Action Plan (CAP), Root Cause Analysis (RCA)
Compliance Theater
A pejorative term for organizations that focus on form-filling and checkbox compliance rather than producing verifiable evidence of actual control effectiveness. ZeroH’s policy-to-proof approach is designed to replace compliance theater with evidence-based assurance.
Risk Register
A structured inventory of identified risks, documenting each risk’s description, likelihood, potential impact, assigned owner, existing controls, and treatment plan. The risk register is the central tool for tracking and managing an organization’s risk landscape.
See also: Risk Appetite, Risk Tolerance, KRI (Key Risk Indicator)
Risk Appetite
The broad level of risk an organization is willing to accept in pursuit of its strategic objectives, set by the board or senior leadership. Risk appetite is expressed in qualitative or quantitative terms and guides enterprise-wide decision-making.
See also: Risk Tolerance
Risk Tolerance
The specific, measurable boundaries of acceptable variation around individual risk categories or objectives. While risk appetite is strategic and broad, risk tolerance is operational and precise — for example, “no more than 2% of transactions may fail Shariah screening in a given quarter.”
See also: Risk Appetite, KRI (Key Risk Indicator)
Key Risk Indicator (KRI)
A quantitative metric used to signal increasing risk exposure before a risk event materializes. KRIs provide early warning — for example, a rising number of overdue control attestations may indicate weakening compliance posture.
See also: KPI (Key Performance Indicator), Continuous Monitoring
Key Performance Indicator (KPI)
A measurable value that demonstrates how effectively an organization is achieving its objectives. In a GRC context, KPIs often track control effectiveness, remediation completion rates, or audit pass rates.
See also: KRI (Key Risk Indicator)
Segregation of Duties (SoD)
An internal control principle requiring that no single individual has authority over all phases of a critical process — such as authorization, execution, and review. SoD prevents fraud and errors by ensuring independent checks at each stage.
See also: Control Environment, Fraud
Third-Party Risk Management (TPRM)
The process of identifying, assessing, and controlling risks arising from an organization’s relationships with external vendors, service providers, and partners. TPRM includes due diligence, ongoing monitoring, and contractual requirements for compliance and data protection.
See also: Data Processing Agreement (DPA)
Maturity Model
A framework for assessing how well-developed an organization’s processes, controls, or capabilities are, typically on a scale from ad hoc (level 1) to optimized (level 5). Maturity models help organizations benchmark their current state and plan incremental improvements.
See also: Gap Analysis
Business Impact Analysis (BIA)
A systematic assessment that identifies an organization’s critical business functions and the potential consequences of disruption — including financial loss, regulatory penalties, and reputational damage. The BIA is the foundation for business continuity and disaster recovery planning.
See also: Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), Recovery Time Objective (RTO), Recovery Point Objective (RPO)
Corrective Action Plan (CAP)
A documented plan that describes the steps an organization will take to remediate a specific finding, deficiency, or noncompliance issue. A CAP includes the root cause, planned corrective actions, responsible parties, target completion dates, and verification criteria.
See also: Root Cause Analysis (RCA), POA&M (Plan of Action and Milestones), Remediation
Root Cause Analysis (RCA)
A structured investigation method used to identify the underlying cause of a problem or failure, rather than addressing only its symptoms. Common RCA techniques include the “Five Whys,” fishbone diagrams (Ishikawa), and fault tree analysis.
See also: Corrective Action Plan (CAP), Finding
Shariah
Islamic law derived from the Quran and the Sunnah (practices of the Prophet Muhammad). In a financial context, Shariah provides the principles governing permissible economic activity, contractual structures, and ethical conduct.
Shariah Compliance
Ensuring that financial products, services, transactions, and institutional operations conform to the principles of Islamic law through review, certification, and ongoing governance.
See also: Shariah Audit, Shariah Supervisory Board (SSB), Fatwa
Maqasid al-Shariah
The higher objectives and purposes of Islamic law, as systematized by classical scholars Al-Ghazali and Al-Shatibi. The Maqasid comprise five essential preservations: protection of faith (hifz al-din), life (hifz al-nafs), intellect (hifz al-aql), lineage (hifz al-nasl), and wealth (hifz al-mal). These objectives guide Shariah-compliant decision-making and serve as the ethical foundation for Islamic finance governance.
Darura
A classical Islamic jurisprudential doctrine that permits actions normally prohibited under Shariah when genuine necessity demands it — for example, when life, wealth, or essential interests are at stake. Darura is governed by five maxims established by scholars such as Ibn Nujaym: (1) necessity permits the otherwise prohibited (al-darurat tubih al-mahzurat); (2) necessity is assessed proportionally (al-darura tuqaddar bi-qadariha); (3) what is permitted by necessity is restricted to the scope of that necessity; (4) hardship invites ease (al-mashaqqa tajlib al-taysir); and (5) the lesser of two harms is chosen (akhaf al-dararayn). In a GRC context, Darura provides the Shariah-grounded framework for exception governance — any exception must be explicitly justified, scoped, time-bound, and periodically reviewed by the Shariah Supervisory Board.
See also: Exception Governance
AAOIFI
The Accounting and Auditing Organization for Islamic Financial Institutions, an international standard-setting body headquartered in Bahrain that publishes Shariah standards (SS), financial accounting standards (FAS), and governance standards (GS) for Islamic financial institutions. Key standards referenced in ZeroH materials include SS-13 (Mudarabah), SS-40 (Profit Distribution), SS-45 (Capital Protection), GS-1 (Shariah Supervisory Board), and FAS-4/6/19/28.
IFSB
The Islamic Financial Services Board, an international standard-setting body based in Kuala Lumpur that issues prudential and governance standards for the Islamic financial services industry. Key standards include IFSB-1 (Risk Management), IFSB-10 (Shariah Governance), and IFSB-23 (Capital Adequacy).
Shariah Supervisory Board (SSB)
A panel of qualified Islamic scholars appointed to review and certify that a financial institution’s products, transactions, and operations comply with Shariah. The SSB issues fatwas (rulings), approves new products before launch, and conducts periodic reviews (as required by AAOIFI Governance Standard GS-1).
See also: Fatwa, Shariah Audit
Fatwa
A formal legal opinion or ruling on a question of Islamic law, issued by a qualified scholar or Shariah Supervisory Board. Fatwas address whether a specific product, transaction, or practice is permissible under Shariah. They carry binding authority within the institution that requested them.
Shariah Audit
An independent review assessing whether a financial institution’s actual operations and products comply with the Shariah rulings, fatwas, and governance policies approved by its SSB.
See also: Audit, Shariah Supervisory Board (SSB)
Shariah Governance Framework
The complete set of policies, roles, committees, reporting lines, and processes — including the Shariah Supervisory Board, internal Shariah review, and Shariah audit — that ensure an institution’s ongoing compliance with Islamic law (as outlined in AAOIFI GS-1 and IFSB-10).
Mudarabah
A profit-sharing partnership in which one party (the Rab al-Mal, or capital provider) contributes the investment capital, while the other party (the Mudarib, or entrepreneur) provides labor, expertise, and management. Profits are shared according to a pre-agreed ratio; losses are borne by the capital provider unless the Mudarib is negligent (as defined by AAOIFI SS-13).
See also: Rab al-Mal, Mudarib, Profit-Sharing Ratio (PSR), PSIA (Profit Sharing Investment Account), Diminishing Musharakah
Rab al-Mal
The capital provider or investor in a Mudarabah contract. The Rab al-Mal supplies the funds but does not participate in day-to-day management.
Mudarib
The entrepreneur or fund manager in a Mudarabah contract. The Mudarib provides the labor, management, and expertise to deploy the capital productively.
Profit-Sharing Ratio (PSR)
The pre-agreed percentage split defining how profits from a Mudarabah or Musharakah contract are distributed between the parties. For example, a 70/30 PSR means the capital provider receives 70% and the manager receives 30% of profits.
Musharakah
A joint partnership where two or more parties contribute capital and may participate in management. Profits are shared according to agreed ratios, while losses are distributed in proportion to each partner’s capital contribution (as defined by AAOIFI SS-12 and FAS-4).
See also: Diminishing Musharakah
Diminishing Musharakah
A partnership arrangement in which one partner gradually buys out the other partner’s share over time, eventually acquiring full ownership. Commonly used for home and asset financing as a Shariah-compliant alternative to conventional mortgages. The financier and client jointly own the asset; the client makes periodic payments that are part rental (for the financier’s share) and part purchase (acquiring additional ownership units).
See also: Musharakah, Ijarah Muntahia Bittamleek
Murabaha
A cost-plus sale in which a financial institution purchases an asset and resells it to the client at a disclosed markup. The institution must have legal ownership and possession of the asset before resale, and the cost price and profit margin must be transparently disclosed to the buyer (as defined by AAOIFI SS-8).
See also: Tawarruq
Ijarah
An Islamic leasing arrangement in which one party (the lessor) owns an asset and leases it to another party (the lessee) for an agreed rental payment. The lessor retains ownership and bears the risks of asset ownership throughout the lease term (as defined by AAOIFI SS-9).
See also: Ijarah Muntahia Bittamleek
Ijarah Muntahia Bittamleek
A lease-to-own arrangement in which the lessee has the option — or obligation — to acquire ownership of the leased asset at the end of the lease term, through a sale, gift, or gradual transfer. This structure is widely used for equipment and property financing in Islamic banks. It combines the principles of Ijarah (leasing) with an eventual transfer of title (as referenced in AAOIFI SS-9).
See also: Ijarah, Diminishing Musharakah
Salam
A forward sale contract in which the buyer pays the full purchase price in advance at the time of contracting, and the seller undertakes to deliver a specified commodity of defined quality and quantity at a future date. Salam is one of the few exceptions in Islamic law to the general prohibition on selling what one does not yet possess. It is commonly used in agricultural and commodity financing (as defined by AAOIFI SS-10).
See also: Istisnaa
Istisnaa
A manufacturing or construction contract in which one party (the buyer) commissions another party (the manufacturer or contractor) to produce or build a specified item according to agreed specifications, for a price that may be paid upfront, in installments, or upon delivery. Unlike Salam, Istisnaa allows flexible payment timing. It is commonly used for infrastructure, real estate development, and project financing (as defined by AAOIFI SS-11).
See also: Salam
Tawarruq
A liquidity arrangement in which a buyer purchases a commodity on a deferred-payment basis and immediately sells it to a third party for cash, thereby obtaining liquidity without a conventional interest-based loan. Organized Tawarruq (where the institution arranges the entire chain of transactions) is subject to ongoing scholarly debate. Some scholars and the OIC Fiqh Academy have raised concerns about form-over-substance when all steps are pre-arranged, while others consider it permissible under certain conditions (as addressed in AAOIFI SS-30).
See also: Murabaha
Hawalah
A transfer of debt in which the original debtor is released from liability and the obligation is assumed by a third party. In practice, Hawalah functions as a Shariah-compliant mechanism for remittance, settlement, and payment transfer (as defined by AAOIFI SS-7).
Kafalah
A guarantee or surety in which a guarantor assumes responsibility for an obligation of another party — for example, guaranteeing the performance of a contract or the repayment of a debt. Kafalah may be provided with or without a fee, subject to Shariah conditions (as defined by AAOIFI SS-5).
See also: Hawalah
Qard
A benevolent, interest-free loan in which the borrower is obligated to return only the principal amount. Any additional benefit to the lender is prohibited, as it would constitute Riba. Qard is used in Islamic banking for interbank lending, liquidity management, and customer overdraft facilities (as defined by AAOIFI SS-19).
See also: Riba
Sukuk
Shariah-compliant investment certificates that represent proportional ownership in an underlying asset, project, or investment activity — as distinct from conventional bonds, which represent a debt obligation. Sukuk holders share in the returns generated by the underlying asset (as defined by AAOIFI SS-17).
Takaful
A cooperative, Shariah-compliant insurance arrangement in which participants contribute to a common fund used to compensate members against specified losses. Takaful operates on principles of mutual assistance and shared responsibility, avoiding the elements of conventional insurance that conflict with Shariah (as addressed in AAOIFI SS-26 on Islamic insurance and accounted for under FAS-19).
See also: Wakala
Wakala
An agency arrangement in which one party (the agent, or wakil) acts on behalf of another party (the principal) for a specified fee. Commonly used in Islamic finance for fund management and Takaful operations.
See also: Takaful
Zakah
An obligatory annual wealth purification payment, one of the five pillars of Islam. Zakah is calculated as a percentage of eligible wealth (typically 2.5% of net assets held for one lunar year above a minimum threshold, or nisab). Islamic financial institutions are required to calculate and disclose Zakah obligations on their own assets and to facilitate Zakah calculation for depositors and investors. Shariah governance frameworks must ensure accurate Zakah computation and distribution to eligible categories (as addressed in AAOIFI SS-35 and FAS-9).
See also: Maqasid al-Shariah
Riba
Interest or usury, which is strictly prohibited under Shariah. Any guaranteed, predetermined return on a financial transaction unrelated to the actual outcome of a productive activity is considered riba. Detecting and avoiding riba is a primary concern of Shariah compliance screening.
See also: Qard
Gharar
Excessive uncertainty or ambiguity in a contract, which is prohibited under Shariah. Contracts must have clearly defined terms, pricing, and subject matter. Excessive gharar makes a transaction void.
Maysir
Gambling or speculation, prohibited under Shariah. Financial transactions must be based on real economic activity, not on chance or speculative outcomes.
Waqf
An Islamic endowment in which assets are dedicated in perpetuity for charitable or religious purposes. The principal is preserved while the returns are used to fund the designated beneficiaries.
Profit Sharing Investment Account (PSIA)
An Islamic banking deposit product structured as a Mudarabah, in which the depositor (Rab al-Mal) provides funds and the bank (Mudarib) invests them, sharing profits according to a pre-agreed ratio.
See also: Mudarabah
OIC Fiqh Academy
The jurisprudence academy of the Organisation of Islamic Cooperation, which issues authoritative rulings on contemporary questions of Islamic law relevant to finance, commerce, and governance.
Madhhab
The major schools of Islamic jurisprudence (Hanafi, Maliki, Shafi’i, and Hanbali), each with distinct interpretive traditions. Shariah compliance requirements may vary by school and jurisdiction — for example, Saudi Arabia predominantly follows the Hanbali school, while Malaysia follows the Shafi’i school.
Open Security Controls Assessment Language (OSCAL)
A machine-readable data format developed by NIST for representing security and compliance controls, assessment plans, assessment results, and system security plans. OSCAL enables organizations to express compliance requirements as structured data rather than documents, allowing automated assessment and cross-framework mapping.
National Institute of Standards and Technology (NIST)
A US agency that publishes widely used cybersecurity and risk-management frameworks. Key publications include the NIST Cybersecurity Framework (CSF), whose 2.0 release (2024) organizes outcomes into six functions (Govern, Identify, Protect, Detect, Respond, Recover), and the SP 800-series of special publications (including SP 800-53, which defines security and privacy controls for federal systems).
SOC 2
An audit framework developed by the American Institute of CPAs (AICPA) that evaluates a service organization’s controls across five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are commonly required by enterprise customers evaluating technology vendors.
ISO 27001
An international standard (ISO/IEC 27001) for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The 2022 revision organizes 93 controls across four themes: organizational, people, physical, and technological.
ISO 37301
An international standard for Compliance Management Systems, structured around the Plan-Do-Check-Act (PDCA) cycle. It defines requirements for establishing compliance policies, identifying obligations, assessing risks, implementing controls, and monitoring effectiveness. Core principles include integrity, good governance, proportionality, transparency, and accountability.
ISO/IEC 42001
An international standard for AI Management Systems, providing requirements for establishing, implementing, and improving responsible AI governance within organizations.
COSO Internal Control Framework
An enterprise internal control framework published by the Committee of Sponsoring Organizations of the Treadway Commission. It defines five components of effective internal control: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities, organized across 17 principles.
See also: Control Environment, Three Lines of Defense
Three Lines Model (IIA)
See “Three Lines of Defense” under GRC & Compliance. Published by the Institute of Internal Auditors, this model defines the roles and responsibilities of management, risk/compliance functions, and internal audit.
See also: Chief Audit Executive (CAE), Independence, Objectivity
Basel III
An international regulatory framework for banks, published by the Basel Committee on Banking Supervision, that sets standards for capital adequacy, stress testing, and market liquidity risk. IFSB-23 provides the Islamic finance equivalent of Basel III capital adequacy requirements.
Decision Model and Notation (DMN)
An international standard (OMG) for modeling and automating business decision logic using decision tables and decision requirements diagrams. Used in compliance contexts to express regulatory rules in a structured, executable format.
FedRAMP
The US Federal Risk and Authorization Management Program, which provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services used by federal agencies.
HIPAA
The US Health Insurance Portability and Accountability Act, which establishes requirements for protecting the privacy and security of individually identifiable health information.
PCI DSS
The Payment Card Industry Data Security Standard, which defines security requirements for organizations that handle credit card data.
Sarbanes-Oxley Act (SOX)
US legislation requiring public companies to maintain adequate internal controls over financial reporting and to have those controls independently audited.
See also: Control Environment, Segregation of Duties (SoD)
Digital Operational Resilience Act (DORA)
EU regulation requiring financial entities to manage ICT-related risks through comprehensive frameworks for ICT risk management, incident reporting, resilience testing, and third-party risk management.
See also: Operational Resilience, Third-Party Risk Management (TPRM)
Corporate Sustainability Reporting Directive (CSRD)
EU directive requiring companies to report on environmental, social, and governance (ESG) performance using standardized frameworks.
Environmental, Social, and Governance (ESG)
A set of criteria used to evaluate an organization’s environmental impact, social responsibility, and governance practices. ESG reporting is increasingly required by regulators and investors.
Global Reporting Initiative (GRI)
An international standards organization that provides a widely used framework for sustainability reporting.
Sustainability Accounting Standards Board (SASB)
A standards body that provides industry-specific sustainability disclosure standards for investors.
Personal Data Privacy Protection Law (PDPPL)
Qatar’s foundational data protection law (Law No. 13 of 2016), the first comprehensive data privacy law in the GCC region. Key provisions include requirements for consent (Article 3), purpose limitation (Article 4), data minimization (Article 5), data accuracy (Article 6), storage limitation (Article 7), security (Article 8), data subject rights (Article 9), breach notification (Article 12), and cross-border transfer restrictions (Article 13).
Qatar Central Bank (QCB)
Qatar’s banking regulator. QCB has issued binding regulations for all QCB-licensed financial institutions, including AI Guidelines (September 2024) requiring an AI systems registry, risk classification, board-level accountability, and quarterly reporting; and Data Handling Regulations (February 2025) mandating that personally identifiable, sensitive personal, and sensitive financial information must reside within Qatar.
Qatar Financial Centre (QFC)
A financial and business center in Doha operating under its own legal and regulatory framework. The QFC Regulatory Authority (QFCRA) applies Data Protection Regulations 2005 (as amended) with requirements including per-transfer justification for cross-border data movement and 72-hour breach notification.
National Cyber Security Agency (NCSA)
Qatar’s national cybersecurity authority, responsible for enforcing cybersecurity standards and, through the National Data Privacy Office (NDPO), enforcing the PDPPL.
National Data Privacy Office (NDPO)
Qatar’s data privacy enforcement body, operating within the NCSA. The NDPO has issued binding compliance orders with 60–90 day remediation timelines, beginning with three enforcement actions in December 2024.
Data Residency
The regulatory requirement that certain categories of data must be stored and processed within a specific country’s borders. QCB regulations mandate that PII, SPI, and SFI must reside within Qatar.
Saudi Central Bank (SAMA)
Saudi Arabia’s central bank and financial services regulator, which issues prudential and governance requirements for Saudi financial institutions.
Bank Negara Malaysia (BNM)
Malaysia’s central bank, which publishes a Shariah Governance Policy and other regulatory requirements for Islamic financial institutions operating in Malaysia.
Gulf Cooperation Council (GCC)
A regional body comprising Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and the United Arab Emirates. GCC member states are increasingly harmonizing data protection and financial regulation requirements.
Policy-to-Proof
ZeroH’s core capability: linking written policies to the concrete controls, evidence, and attestations that prove those policies are being followed. The platform automates the policy-to-proof chain so that compliance is operational and continuous rather than seasonal and manual.
The platform’s approach to compliance, in which evidence is collected, assessed, and reported on an ongoing basis. This enables organizations to demonstrate their compliance posture at any moment rather than scrambling to assemble documentation before scheduled audits.
See also: Continuous Monitoring
A portable, curated bundle of compliance evidence assembled to satisfy the requirements of a specific control, policy, or audit request. An evidence pack typically includes the policy catalog (what was expected), the evidence bundle (what was observed), assessment results (verdicts), a remediation plan for any failures, and a manifest with content digests for integrity verification.
A determinate conclusion — compliant, non-compliant, or exception — produced by the platform’s assessment logic based on mapped controls and collected evidence.
The platform’s ability to map a single control to multiple regulatory frameworks simultaneously, reducing duplicated compliance effort. For example, one access-control policy can satisfy requirements from AAOIFI, NIST, ISO 27001, and QCB guidelines at the same time.
The process of identifying where different regulatory frameworks overlap and mapping equivalent, related, or partially overlapping requirements to shared controls. This allows organizations regulated by multiple frameworks to eliminate redundant compliance work.
The platform’s automated assessment of where an organization’s current controls and evidence fall short of what is required by one or more regulatory frameworks, producing a prioritized remediation roadmap.
Regular, automated or manually triggered confirmations from responsible parties that specific controls remain effective. Continuous attestations replace point-in-time audit snapshots with an ongoing record of compliance status.
See also: Control Self-Assessment (CSA)
A mandatory compliance checkpoint in a workflow that blocks all downstream activity until the requirement is satisfied. For example, Shariah Supervisory Board approval is a hard gate that must be cleared before a Mudarabah contract can proceed to execution.
An immutable record anchored on the Hedera distributed ledger that captures every significant data operation (credential issuance, access grant, evidence submission, etc.) with a tamper-proof, nanosecond-precision timestamp. Digital Receipts provide an independently verifiable audit trail.
A cryptographically signed attestation about a subject (such as a person, organization, or transaction) that can be independently verified without contacting the original issuer. ZeroH uses the W3C Verifiable Credentials standard as the core data structure for privacy-preserving compliance records.
A privacy-preserving derivative of a Verifiable Credential that reveals only the specific data fields authorized for a particular recipient, purpose, and context. Different stakeholders (regulators, auditors, business partners) receive different presentations from the same underlying credential.
The cryptographic ability to reveal only a subset of fields from a signed credential while mathematically proving that those fields came from the original, unaltered document. ZeroH uses BBS+ signature technology to enforce data minimization by mathematics rather than by contract.
A disclosure policy that is cryptographically attached to a Verifiable Credential at the moment of issuance. The bound-policy defines which data fields may be shared, with whom, for what purpose, and under what conditions. The policy travels inseparably with the data, ensuring governance cannot be bypassed.
A governance pattern in which AI or automated systems propose actions or decisions, but a qualified human (such as a Data Protection Officer or Compliance Officer) must review and approve before the action takes effect. ZeroH requires HITL approval before any disclosure schema is activated.
A design principle in which every platform operation automatically produces audit-ready evidence as a natural byproduct — including trace identifiers, timestamps, input and output hashes, and provenance records. Evidence is created at the moment of activity, not assembled after the fact.
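As an added example (not ZeroH's own code) of the evidence pack manifest defined above and the evidence-by-design records it bundles: each component gets a SHA-256 content digest, the manifest entries are digested as a whole, and a verification step reports modified, missing or unlisted artifacts. File names, field names and sample contents are constructed for illustration.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evidence_record(trace_id, operation, input_bytes, output_bytes, actor):
    """Evidence-by-design: each operation emits its audit record as it runs.
    Hashes stand in for payloads so the record can be shared without
    disclosing the underlying data (constructed field names)."""
    return {
        "trace_id": trace_id,
        "operation": operation,
        "actor": actor,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "input_sha256": sha256_hex(input_bytes),
        "output_sha256": sha256_hex(output_bytes),
    }


def _canonical(entries: dict) -> bytes:
    # Deterministic serialisation so the same entries always hash the same way.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(pack: dict) -> dict:
    """Digest every artifact, then digest the entry list itself. The pack
    digest is the single value one would sign or anchor on a ledger."""
    entries = {name: sha256_hex(content) for name, content in sorted(pack.items())}
    return {"algorithm": "sha256", "entries": entries,
            "pack_sha256": sha256_hex(_canonical(entries))}


def verify_pack(pack: dict, manifest: dict) -> list:
    """Return the list of integrity problems; an empty list means intact."""
    entries, problems = manifest["entries"], []
    if sha256_hex(_canonical(entries)) != manifest.get("pack_sha256"):
        problems.append("manifest pack digest mismatch")   # manifest edited
    for name, digest in entries.items():
        if name not in pack:
            problems.append(f"missing artifact: {name}")
        elif sha256_hex(pack[name]) != digest:
            problems.append(f"digest mismatch: {name}")    # artifact altered
    problems += [f"unlisted artifact: {n}" for n in pack if n not in entries]
    return problems


def sample_pack() -> dict:
    """Constructed sample of the pack components named in the glossary."""
    policy = b'{"control":"AC-1","expected":"quarterly access review"}'
    observed = b'{"reviewed_accounts":42,"removed":3}'
    record = evidence_record(str(uuid.uuid4()), "access_review", policy, observed, "compliance.officer")
    return {"policy_catalog.json": policy,                        # what was expected
            "evidence_bundle.json": json.dumps(record).encode(),  # what was observed
            "assessment_results.json": b'{"AC-1":"compliant"}',   # verdict
            "remediation_plan.json": b'{"failures":[]}'}
```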
The platform’s ability to automatically reuse previous compliance submissions as templates for subsequent reporting periods, highlighting only what has changed. This reduces quarterly compliance effort by building on prior work rather than starting from scratch.
An AI-driven compliance workflow in which the platform’s AI agents autonomously execute multi-step tasks such as gap analysis, evidence collection, regulatory monitoring, and document preparation — with human oversight and approval at critical decision points.
ZeroH’s AI-powered Shariah compliance advisor, which assists Islamic finance professionals with contract analysis, Shariah red-flag detection, madhahib comparison, PSR recommendations, and fatwa documentation. AskAli is trained on AAOIFI, IFSB, and jurisdictional Shariah standards.
Any information that can identify a natural person, directly or indirectly. This includes names, identification numbers, addresses, phone numbers, email addresses, dates of birth, and any combination of data points that could identify an individual.
A subset of personal data that directly or indirectly identifies a specific individual. Under QCB regulations, PII must reside within Qatar.
Data about protected characteristics or sensitive attributes — including religion, health conditions, biometric data, political opinions, ethnicity, trade union membership, and sexual orientation. SPI requires the highest level of protection under both PDPPL and QCB regulations.
Financial account and transaction data including bank account numbers (IBAN), credit card numbers, account balances, credit scores, and investment portfolio details. Under QCB regulations, SFI must reside within Qatar.
The entity that determines the purposes and means of processing personal data. The data controller bears primary responsibility for compliance with data protection laws.
An entity that processes personal data on behalf of, and under the instructions of, a data controller.
Freely given, specific, informed, and unambiguous agreement by an individual to have their personal data processed for stated purposes. Under the PDPPL, consent must be revocable, and organizations must maintain records of when and how consent was obtained.
The principle that personal data must be collected for specified, explicit purposes and not further processed in ways incompatible with those original purposes (PDPPL Article 4, GDPR Article 5(1)(b)).
The principle that personal data processing must be limited to what is necessary for the stated purpose. Only the minimum data required should be collected and retained (PDPPL Article 5, GDPR Article 5(1)(c)).
See also: Selective Disclosure
A legally binding contract between a data controller and a data processor that defines the scope of processing, security obligations, audit rights, and data breach procedures.
See also: Third-Party Risk Management (TPRM)
A structured assessment of the privacy risks associated with a data processing activity, particularly when the processing is likely to result in high risk to individuals. DPIAs are required under PDPPL, QCB AI Guidelines, and GDPR for high-risk processing.
A designated role responsible for monitoring an organization’s data protection compliance, advising on privacy obligations, and serving as the primary point of contact for regulators. Appointment of a DPO is required by QCB Data Handling Regulations for all QCB-licensed financial institutions.
Comprehensive records that document all personal data processing activities conducted by an organization, including the categories of data processed, the purposes, the recipients, and the retention periods. RoPA maintenance is required under the PDPPL.
Irreversible processing of personal data so that the individual is no longer identifiable by any means. Properly anonymized data falls outside the scope of data protection laws.
See also: Pseudonymization
Processing that replaces identifying data fields with artificial identifiers (pseudonyms), but where the original identity can still be restored using additional information kept separately. Pseudonymized data remains subject to data protection laws.
See also: Anonymization
The European Union’s regulation governing the processing and protection of personal data for individuals in the EU and EEA. The GDPR establishes data subject rights, consent requirements, breach notification obligations, and cross-border transfer restrictions that have influenced data protection laws globally — including Qatar’s PDPPL.
The California Consumer Privacy Act and its amendment, the California Privacy Rights Act, which establish consumer data privacy rights for California residents, including rights to know, delete, and opt out of the sale of personal information.
The movement of personal data from one jurisdiction to another. Most data protection laws (PDPPL, GDPR, QCB regulations) restrict cross-border transfers and require specific legal mechanisms or safeguards before data can leave the originating jurisdiction.
Pre-approved contractual terms that provide legal grounds for transferring personal data across borders. SCCs are a traditional mechanism for cross-border compliance, though their adequacy has been challenged (notably by the Schrems II ruling in the EU).
Internal policies adopted by multinational organizations to govern the transfer of personal data between group entities across jurisdictions, providing an alternative to SCCs for intra-group transfers.
The principle that data is subject to the laws of the country in which it is stored. Data sovereignty requirements are increasingly common, with Qatar, the EU, and other jurisdictions mandating that certain categories of data remain within their borders.
See also: Data Residency
A directive requiring an organization to preserve specified records, documents, and electronic data that may be relevant to pending or anticipated legal proceedings, regulatory investigations, or audits.
A cryptographic method that allows one party to prove to another that a statement is true without revealing any information beyond the truth of the statement itself. In a compliance context, ZKPs can prove that data meets certain criteria (for example, that an individual is over 18) without revealing the underlying data.
See also: Selective Disclosure
The European Union’s framework for electronic identification and trust services, which establishes standards for digital identity, electronic signatures, and Verifiable Credentials that are interoperable across EU member states.
An enterprise-grade public distributed ledger using hashgraph consensus technology. ZeroH uses the Hedera Consensus Service (HCS) to anchor Digital Receipts with immutable, nanosecond-precision timestamps that are independently verifiable by any party.
A category of technology in which transaction records are maintained across multiple nodes in a network, with no single point of control. Blockchain and hashgraph are both forms of DLT.
A government-backed private permissioned distributed ledger deployed in Qatar (a collaboration between Qatar’s Ministry of Communications and Information Technology, Google, and Hedera) that enables on-soil data storage and audit trail anchoring.
A cryptographic signature scheme that enables a credential holder to selectively reveal specific fields from a signed document while keeping other fields mathematically hidden. Hidden fields cannot be recovered even with unlimited computational resources — providing stronger privacy guarantees than contractual redaction.
See also: Selective Disclosure
A cryptographic proof recorded on the Hedera ledger before any data crosses a trust boundary. This provides contemporaneous, independently verifiable evidence that governance policies were enforced prior to data movement — not merely asserted after the fact.
A formally approved specification defining which fields from a Verifiable Credential may be disclosed, to which roles, for which purposes, and under which conditions. No data can be shared without an approved disclosure schema that has passed Human-in-the-Loop review.
A tamper-resistant hardware device that securely generates, stores, and manages cryptographic keys. ZeroH stores BBS+ signing keys in HSMs, ensuring that private keys are never exported or exposed.
The most senior audit professional within an organization, responsible for leading the internal audit function, establishing audit plans, reporting findings to the board or audit committee, and ensuring the internal audit function operates with independence and objectivity. The CAE role is defined by the IIA’s Global Internal Audit Standards.
See also: Three Lines of Defense, Independence
A structured process in which the managers and staff who own and operate controls evaluate the effectiveness of those controls themselves, rather than waiting for an independent audit. CSA supplements traditional auditing by embedding control awareness within day-to-day operations.
See also: Continuous Attestation, Control
In an audit context, a specific audit assignment or project with a defined scope, objectives, timeline, and deliverables. Engagements may include assurance engagements (evaluating controls and compliance) or consulting engagements (advisory services to improve processes).
The freedom from conditions that threaten the ability of the internal audit function to carry out its responsibilities in an unbiased manner. Independence requires that the CAE reports functionally to the board or audit committee and is free from interference in determining audit scope, performing work, and communicating results.
See also: Objectivity, Chief Audit Executive (CAE)
An unbiased mental attitude that allows internal auditors to perform engagements in a manner that produces honest, fair conclusions and avoids conflicts of interest. While independence is an organizational condition, objectivity is an individual professional standard.
See also: Independence
An intentional act of deception committed for personal gain or to cause harm, including misappropriation of assets, corruption, and fraudulent financial reporting. Internal audit plays a key role in fraud prevention through control evaluation, and in fraud detection through investigative procedures.
See also: Segregation of Duties (SoD), Control Environment
A documented set of procedures and arrangements that enable an organization to continue delivering critical products and services at acceptable predefined levels during and after a disruptive event. A BCP covers crisis management, communication plans, alternative operating procedures, and recovery strategies.
See also: Disaster Recovery Plan (DRP), Business Impact Analysis (BIA)
A focused subset of the broader business continuity plan that addresses the recovery of technology infrastructure, systems, and data after a disruptive event. The DRP defines procedures, responsibilities, and timelines for restoring IT services to operational status.
See also: Business Continuity Plan (BCP), Recovery Time Objective (RTO), Recovery Point Objective (RPO)
The maximum acceptable duration of time that a business process, application, or system can be offline before the disruption causes unacceptable harm to the organization. RTO answers the question: “How quickly must we recover?”
See also: Recovery Point Objective (RPO), Disaster Recovery Plan (DRP)
The maximum acceptable amount of data loss measured in time. RPO defines the point in time to which data must be restored after a disruption — for example, an RPO of four hours means the organization can tolerate losing no more than four hours of data. RPO answers the question: “How much data can we afford to lose?”
See also: Recovery Time Objective (RTO), Disaster Recovery Plan (DRP)
The ability of an organization to prevent, adapt to, respond to, recover from, and learn from operational disruptions. Unlike traditional business continuity (which focuses on recovery), operational resilience emphasizes the end-to-end capacity to absorb shocks and continue delivering critical services. Regulatory frameworks such as DORA now require financial institutions to demonstrate operational resilience.
See also: Business Continuity Plan (BCP), DORA (Digital Operational Resilience Act)
This glossary draws on the following authoritative standards and publications. Consult the original sources for binding regulatory language and detailed technical requirements.
This glossary reflects terminology used across ZeroH product materials, compliance documentation, and regulatory filings. Terms are defined for a business audience and may carry additional technical nuance in engineering contexts. For questions about specific regulatory requirements or standards, consult the referenced source documents listed above.