NDPA 2023 Compliance
NaijaBase is designed from the ground up to help Nigerian businesses comply with the Nigeria Data Protection Act (NDPA) 2023.
Data Residency
All data processed and stored by NaijaBase resides entirely within Nigeria:
| Detail | Value |
|---|---|
| Physical location | Rack Centre, Victoria Island, Lagos, Nigeria |
| Availability zone | nobus-wa-az1 (Nobus Cloud) |
| Jurisdiction | Federal Republic of Nigeria |
| Cross-border transfers | None — data never leaves Nigeria |

This satisfies NDPA 2023 Section 41 on cross-border data transfers. Nigerian fintechs, healthtech companies, and government contractors using NaijaBase can demonstrate that all personal data of Nigerian citizens remains within Nigerian jurisdiction.
What you get on each plan
| Feature | Starter | Growth | Scale | Business | Compliance Pro |
|---|---|---|---|---|---|
| Nigerian data residency | ✓ | ✓ | ✓ | ✓ | ✓ |
| Data residency certificate | — | ✓ | ✓ | ✓ | ✓ |
| Signed DPA | — | — | — | ✓ | ✓ |
| Audit log (90 days) | — | — | — | ✓ | ✓ |
| Audit log (1 year) | — | — | — | — | ✓ |
| NDPC registration support | — | — | — | — | ✓ |
| Dedicated account manager | — | — | — | — | ✓ |
| Quarterly compliance review | — | — | — | — | ✓ |

Downloading your Data Residency Certificate
- Go to your project at app.naijabase.dev
- Click the Settings tab
- Click Download NDPA Certificate (PDF)
- A signed PDF certificate is generated instantly

The certificate confirms:
- Your project name and account holder
- Physical data location (Rack Centre, Victoria Island, Lagos)
- Availability zone (nobus-wa-az1)
- Issue date and 12-month expiry
- NaijaBase as your Data Processor

Share it with regulators, investors, enterprise clients, or your legal team.
The data residency certificate is available on Growth, Scale, Business, and Compliance Pro plans. Free Starter accounts do not include certificate download.
Data Processing Agreement (DPA)
On the Business plan and above, we provide a signed DPA that:
- Confirms NaijaBase as your Data Processor under NDPA 2023
- Confirms your organization as the Data Controller
- Documents all data processing activities, purposes, and retention schedules
- Lists all sub-processors (Paystack for payments, Resend for email, Nobus for infrastructure)
- Meets NDPA 2023 requirements for data processor agreements

To request your DPA, email ofatokun@telecitytech.com with your account email and project ID.
Your obligations as Data Controller
Using NaijaBase makes us your Data Processor — you remain the Data Controller and are responsible for:
- Having a lawful basis for collecting your users' personal data
- Publishing a privacy policy for your app
- Responding to your users' data rights requests (access, deletion, portability)
- Registering with the NDPC if required for your business type
- Notifying the NDPC within 72 hours of a data breach

Security measures
NaijaBase implements the following technical measures required under NDPA 2023:
- Encryption in transit — TLS 1.3 for all connections
- Password hashing — bcrypt with a strong cost factor
- Row Level Security — PostgreSQL RLS on all databases
- Access controls — key-based server access, principle of least privilege
- Breach notification — we notify you and the NDPC within 72 hours of any breach

Nigeria Data Protection Commission (NDPC)
If you have questions about your obligations under NDPA 2023, or wish to register with the NDPC:
- Website: ndpc.gov.ng
- Email: info@ndpc.gov.ng

For NaijaBase compliance questions, contact ofatokun@telecitytech.com.