Security & privacy,
nothing hidden
This page documents how ReassureQI protects Nigerian customer data, where it is processed, what certifications we hold or are pursuing, and how to report security issues.
Where your data lives
Nigerian customer PII never leaves Nigeria. Here is an exact account of where every category of data is processed and stored.
Primary Processing: Nigeria (AWS af-south-1)
All Nigerian customer PII — NIN, BVN, date of birth, address, biometric reference data — is processed and stored exclusively in AWS's Cape Town region (af-south-1), the closest AWS region to Nigeria with Nigerian data sovereignty alignment. No Nigerian PII is transmitted to or processed in regions outside this boundary.
International Bureau Queries
When querying international sanctions lists (OFAC, UN, EU), a pseudonymised reference token — not raw PII — is sent. The original PII never leaves Nigeria. Matching is performed locally using downloaded list snapshots refreshed every 6 hours.
Backup & Disaster Recovery
Encrypted backups are replicated to a secondary Nigerian data zone. Backups are encrypted with AES-256 using keys managed in AWS KMS (Nigeria-region). Recovery Point Objective: 1 hour. Recovery Time Objective: 4 hours.
Encryption Key Management
Encryption keys are managed via AWS KMS with hardware security modules (HSMs) in af-south-1. Keys are rotated annually and on demand. Customer API keys are stored as SHA-256 hashes — ReassureQI cannot recover a key once issued.
Sub-processors
| Sub-processor | Purpose | Data region |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, database, storage | af-south-1 (Lagos) |
| NIMC | NIN verification | Nigeria |
| NIBSS | BVN verification | Nigeria |
| Credit Registry (CRC) | Credit bureau queries | Nigeria |
| FirstCentral Credit Bureau | Credit bureau queries | Nigeria |
| XDS Data / CreditChek | Alternative credit data | Nigeria |
| Datadog | Application performance monitoring (pseudonymised only) | EU (no PII) |
Nigeria Data Protection Act 2023
This privacy notice applies to personal data processed by ReassureQI on behalf of data controllers who integrate our APIs. Last updated: March 2026.
Data Controller
ReassureQI (SafeNest Digital Limited). Data Protection Officer: contact@reassureqi.com
Categories of Personal Data
Identity data (NIN, BVN, full name, date of birth, address), biometric data (facial images, liveness captures), financial reference data (credit bureau reports), device data (IP address, device fingerprint), usage data (API call logs, verification timestamps).
Legal Basis for Processing
Processing is conducted on the following bases under NDPA 2023: (a) Performance of a contract — to deliver verification services; (b) Legal obligation — to comply with CBN KYC and NFIU AML/CFT requirements; (c) Legitimate interests — fraud prevention and platform security.
Data Retention
KYC verification records are retained for 5 years from last activity per CBN and NFIU requirements. Credit bureau queries are retained for 3 years. Audit logs are retained for 7 years. Biometric captures (selfies, liveness video) are deleted within 90 days unless your organisation's retention policy requires otherwise.
Data Subject Rights
Under NDPA Sections 28–35, Nigerian data subjects have the right to: access their personal data, request correction of inaccuracies, withdraw consent, request erasure (subject to legal retention obligations), and lodge complaints with the NDPC. Submit requests to: contact@reassureqi.com. Response within 30 days.
Third-Party Processors
ReassureQI shares data with: NIMC (NIN verification), NIBSS (BVN verification), CRC / FirstCentral / XDS (credit bureau queries), AWS (infrastructure hosting). All sub-processors are bound by data processing agreements and NDPA-equivalent standards.
International Transfers
ReassureQI does not transfer Nigerian customer PII outside Nigeria. Where pseudonymised data is sent to international sanctions screening services, it is covered by appropriate safeguards including standard contractual clauses.
To exercise your rights under NDPA 2023, email contact@reassureqi.com with subject line “NDPA Data Subject Request”. Include your full name and the organisation through which you interacted with ReassureQI. We respond within 30 days.
Need our compliance pack?
Enterprise clients can request a full security questionnaire response, DPA template, penetration test executive summary, and data flow diagrams.
Request Compliance Pack