ASIRI

The controls behind the platform.

Privacy software that doesn't take its own security seriously is a contradiction. Here is how we run ours — auditable, Lagos-built, and engineered for the NDPC era.

Why it matters

The enforcement gap is no longer theoretical.

NDPC numbers, public as of 2025. Roughly 30,000 organisations are required to file compliance audit returns and haven't. Trust is no longer a slide — it's an exhibit.

₦7.2B · NDPC fines issued since 2023
1,368 · Default notices in Aug 2025 alone
5 min · Recovery point objective (RPO)
1 hour · Recovery time objective (RTO)

Certifications

Where we are, and where we're going.

ISO 27001
Audit in progress · 2026

Information security management — Stage 1 readiness review complete.

SOC 2 Type II
Planned · H2 2026

Operational controls, monitored continuously by an independent auditor.

NDPC-licensed DPCO
Active

Operated by ASIRI Compliance Ltd — three years of NDPA programs run by hand.

Controls

Nine pillars of the security program.

Encryption

AES-256 at rest, TLS 1.3 in transit. BYOK and HSM-backed keys on Enterprise.

Access

SSO (SAML/OIDC), SCIM provisioning, hardware-key 2FA. Role-based plus ABAC, scoped to tenant.

Auditability

Hash-chained audit log, signed evidence exports, auditor rooms — every action verifiable in one click.

Residency

AWS af-south-1 (Cape Town) by default. Lagos Local Zone available on Enterprise.

Sub-processors

Public list, 30-day change notifications, contractual flow-down of NDPA obligations.

Resilience

RPO 5 min · RTO 1 hour. Disaster-recovery exercises tested and documented quarterly.

Tenant isolation

Row-level security in Postgres, per-tenant encryption keys, hard schema boundaries.

Monitoring

24/7 detection, anomaly alerts, immutable logs shipped to a separate security tenant.

Incident response

On-call engineers in Lagos. NDPC 72-hour breach clock wired into the runbook.

How we run it

Security as a daily practice, not a poster.

Secure SDLC

Threat modelling on every module. Code review, dependency scanning and SAST gate every release.

People & access

Background checks, least-privilege by default, quarterly access reviews — including for founders.

Vendor management

Every sub-processor risk-assessed against NDPA Article 29 before onboarding.

Common questions

The things procurement always asks.

Where does our data physically sit?

AWS af-south-1 (Cape Town) by default, with a Lagos Local Zone option for Enterprise customers who need in-country residency.

How is tenant data isolated?

Postgres row-level security plus per-tenant encryption keys. There is no shared admin path that can read across tenants without a signed, audited break-glass.

What happens during a breach?

Our on-call rotation triggers the NDPC 72-hour clock automatically. We notify affected tenants, file the Article 40 report and ship a post-incident pack within 14 days.

Can we run a penetration test?

Yes. Enterprise customers can run an annual independent test against a staging tenant. Reports are shared under NDA.

Coordinated disclosure

Found something? Tell us.

We run a coordinated disclosure program. Send PGP-signed reports to security@asiri.ng. We acknowledge inside 24 hours, triage inside 72, and credit researchers in our hall of thanks.