Home About Team Investors Press Contact SoroSoke Jobs →
HomeNDPR Compliance
COMPIANCE

NDPR Compliance

Our transparent statement of how SoroSoke runs the data protection programme behind the platform — under the Nigeria Data Protection Act 2023 and the NDPR.

SoroSoke Global Platforms Ltd is committed to full compliance with the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Regulation (NDPR). This page is a transparent statement of how we run the compliance programme behind the platform.

🇩🇩 The short version

We collect minimal data, we tell you what we collect and why, we let you correct or delete it, we don’t sell it, we keep it secure, and we have a Data Protection Officer you can email at dpo@sorosokegpl.com. We are registered with (or registering with) the Nigeria Data Protection Commission (NDPC).

What the NDPR is

The Nigeria Data Protection Regulation, issued in 2019 by the National Information Technology Development Agency (NITDA) and now reinforced by the Nigeria Data Protection Act 2023, is Nigeria’s primary data protection law. It governs how organisations collect, process, store, and transfer personal data of Nigerian citizens. It establishes the rights of Data Subjects (you) and the obligations of Data Controllers (us).

The Nigeria Data Protection Commission (NDPC) is the regulator. NDPC issues guidelines, audits compliance, investigates complaints, and imposes penalties on organisations that breach the regulation.

Our compliance commitments

1. Lawful basis for every processing activity

We document a lawful basis (consent, contract, legal obligation, legitimate interests, vital interests, or public interest) for every category of personal data we process. The full list is in our Privacy Policy §3.

2. Data minimisation

We collect only what we need to deliver the platform and pay you. We do not collect contacts, call logs, SMS, photos beyond what you upload, or data from other apps on your device.

3. Purpose limitation

Data collected for one purpose (e.g., KYC for S-Points recognition and account verification) is not repurposed for another (e.g., advertising) without your fresh, specific consent.

4. Transparency

Our Privacy Policy is in plain English, summarised at the top, with anchor links to specific sections. Every form on the platform that collects data tells you why it’s being collected. No dark patterns, no pre-ticked consent boxes.

5. Data Subject rights

We honour all NDPR-recognised Data Subject rights — access, rectification, erasure, portability, restriction, objection, and the right to lodge a complaint with NDPC. Requests go to our DPO and are answered within 30 days. (See Privacy Policy §6.)

6. Designated Data Protection Officer (DPO)

We have a named, contactable Data Protection Officer responsible for our NDPR programme. Reach the DPO at dpo@sorosokegpl.com.

7. Data Protection Impact Assessments

For new features that involve significant new personal data processing — for example, adding a new payout rail, a new identity verification provider, or a new analytics surface — we conduct a Data Protection Impact Assessment (DPIA) before going live. The DPIA documents the data flow, the risks, and the mitigations.

8. Vendor and processor due diligence

Every third-party data processor (cloud hosting, KYC providers, payment partners, analytics) is on a written Data Processing Agreement that meets NDPR standards. We maintain a vendor register internally and review it annually.

9. Cross-border transfer controls

Where personal data is transferred outside Nigeria (e.g., to a cloud hosting region), we use contractual safeguards equivalent to NDPR standards, in line with the NDPC’s framework on cross-border transfers.

10. Breach response & notification

We maintain an incident response plan. In the event of a personal data breach that meets the notification threshold, we will notify the NDPC within 72 hours of becoming aware, and notify affected users without undue delay where there is a high risk to their rights. Suspected breaches can be reported to dpo@sorosokegpl.com.

11. Annual data audit

As required of larger Data Controllers under the NDPR, we engage an external Data Protection Compliance Organisation (DPCO) accredited by NDPC to conduct an annual data audit and file the resulting compliance report with the regulator.

12. Staff training

All SGPL staff and certified Community Managers complete data protection training on onboarding and annually thereafter. Certification renewal is conditional on completing the refresher.

How to raise a concern

If you believe we have mishandled your personal data, you have three paths in order of escalation:

  1. Contact our DPO at dpo@sorosokegpl.com — we respond within 30 days.
  2. Escalate to senior management via legal@sorosokegpl.com if you are not satisfied with the DPO response.
  3. Lodge a complaint with the NDPC directly — ndpc.gov.ng. You always have the right to do this without going through us first.

Documents available on request

  • Privacy Policy (public — linked here)
  • Terms of Service (public — linked here)
  • Cookie statement (covered in our Privacy Policy §8)
  • Data Processing Agreement template (for institutional partners — email dpo@sorosokegpl.com)
  • NDPC compliance audit report — once published, will be linked here

SoroSoke Global Platforms Ltd · RC No. 1801907 · Data Protection Officer: dpo@sorosokegpl.com