Regulatory Standard

NDPR Compliance

Deskpadi is fully committed to the Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act (NDPA) 2023. Our platform provides the infrastructure required for organisations to process personal data with transparency, integrity, and security.

Last updated: 1 March 2025

Security

AES-256

PII encryption at rest

Authentication

TOTP 2FA

Multi-factor security

Compliance

NDPR

Compliant by design

Introduction to NDPR

The Nigeria Data Protection Regulation (NDPR), issued by NITDA in 2019, is Nigeria's primary data protection framework. It was succeeded and reinforced by the Nigeria Data Protection Act (NDPA) signed into law in 2023.

NDPR and NDPA apply to all organisations that collect, process, store, or use personal data of Nigerian residents — regardless of where the organisation is based. Compliance is not optional; failure to comply carries financial penalties of up to ₦10 million or 2% of annual gross revenue, whichever is higher.

Deskpadi is designed to be compliant by default. However, as a data controller for your employees' data, your organisation also has independent NDPR obligations. We help you meet them.

Processing Principles

Deskpadi enforces the following core principles across all data pipelines to ensure NDPR alignment.

Lawfulness & Consent

Deskpadi processes personal data only where there is a lawful basis — contract performance, legitimate interest, or explicit consent where required.

Purpose Limitation

We collect only the personal data necessary to provide the service. We do not use data for purposes beyond those stated at the time of collection.

Data Minimisation

We collect the minimum personal data needed to operate the platform. Company administrators are responsible for keeping employee records accurate.

Storage Limitation

Data is retained only for as long as necessary to fulfil its purpose. Audit logs are kept for 24 months; operational records for the duration of your subscription plus 90 days.

Integrity & Confidentiality

We apply technical and organisational measures including AES-256-GCM encryption, TLS in transit, JWT authentication, and role-based access control.

Accountability

Deskpadi maintains records of data processing activities, conducts regular security reviews, and designates a Data Protection Officer responsible for NDPR compliance.

Your Rights as a Data Subject

Every individual whose data is processed through Deskpadi has the following rights under NDPR and NDPA:

Right of Access

You may request a copy of personal data we hold about you. We will provide this within 30 days of a verified request.

How to exercise: Contact your company administrator or email [email protected]

Right to Rectification

If your personal data is inaccurate or incomplete, you may request correction.

How to exercise: Contact your company administrator. They can update your records directly in the platform.

Right to Erasure

You may request deletion of your personal data where it is no longer necessary, subject to any legal retention requirements.

How to exercise: Submit a request to [email protected]. We will respond within 30 days.

Right to Data Portability

You may request your personal data in a structured, commonly used, machine-readable format.

How to exercise: Company administrators can export data from the Admin panel. Individual users may request exports via [email protected].

Right to Object

You may object to processing of your personal data for specific purposes.

How to exercise: Contact [email protected] with your objection. We will assess and respond within 30 days.

Right to Restriction

You may request that we restrict processing of your data in certain circumstances, such as while a dispute is being resolved.

How to exercise: Contact [email protected] with your request.

Security Measures & Infrastructure

We employ enterprise-grade protocols to protect the confidentiality, integrity, and availability of personal data.

  • AES-256-GCM encryption for all sensitive PII fields stored at rest (bank details, phone numbers, home addresses)
  • TLS 1.2+ encryption for all data in transit between your browser and our servers
  • Bcrypt password hashing — plaintext passwords are never stored or transmitted
  • JWT-based authentication with short-lived access tokens and secure refresh flows
  • Role-based access control (RBAC) enforced at the API level on every endpoint
  • Comprehensive audit logging of all data access, creation, modification, and deletion events
  • Rate limiting and brute-force protection on all authentication endpoints
  • Multi-tenant data isolation — each company's data is stored in separate database schemas
  • Regular security assessments and code reviews following OWASP Top 10 guidelines
  • Automated backup with point-in-time recovery and encrypted backup storage

Data Controller vs Data Processor

Understanding the distinction is important for NDPR compliance:

Your organisation (Controller)

  • Decides what data is collected
  • Responsible for obtaining employee consent
  • Must file NDPR audit reports with NITDA annually
  • Responsible for ensuring data accuracy

Deskpadi (Processor)

  • Processes data only on your instruction
  • Maintains technical and organisational security
  • Provides tools to exercise data subject rights
  • Notifies you of breaches within 72 hours

A Data Processing Agreement (DPA) is available upon request for organisations that require formal documentation of the controller-processor relationship.

Data Breach Response

In the event of a data breach that poses a risk to individuals:

  • We will notify affected company administrators within 72 hours of becoming aware of the breach.
  • We will notify NITDA as required by NDPR/NDPA.
  • We will provide details of the nature of the breach, data categories affected, likely consequences, and measures taken.
  • Company administrators may be required to notify their employees and other affected individuals.

Cross-Border Data Transfers

Deskpadi stores data primarily on servers that are located in Nigeria or that comply with Nigerian data protection standards. Where infrastructure providers operate outside Nigeria, we ensure that appropriate safeguards are in place, including contractual clauses that provide protections equivalent to those under NDPR.

We do not transfer personal data to countries that do not provide an adequate level of data protection without appropriate safeguards.

Have compliance questions?

Our dedicated DPO and legal team are available to help you navigate the complexities of NDPR and data privacy.

Data Protection Officer — Quantumica Ltd

Email: [email protected] · We respond within 30 days.