The controls behind the platform.
Privacy software that doesn't take its own security seriously is a contradiction. Here is how we run ours — auditable, Lagos-built, and engineered for the NDPC era.
Trust claims need operating evidence.
Public regulator activity and buyer scrutiny make unsupported trust claims risky. ASIRI keeps this page focused on dated evidence, readiness boundaries, and the review artifacts procurement teams can request.
Framework posture is tracked as readiness or documented boundary language.
Owners refresh control evidence while external validation remains pending.
Customer-facing vendor changes are handled through the public policy workflow.
Architecture notes, summaries, and sensitive implementation evidence are shared in procurement review.
Where we are, and where we're going.
Information security management controls are tracked as readiness evidence. ASIRI does not claim ISO/IEC 27001 certification unless an accredited certification body issues a certificate.
SOC 2 control mapping is readiness-only. ASIRI does not claim SOC 2 Type I or Type II unless an independent CPA firm issues the applicable report.
Designed for Nigerian privacy operators, client portfolios, and DPCO review of NDPA evidence workflows.
ASIRI does not store, process, or transmit raw cardholder data in the application environment unless a future PCI scope assessment says otherwise.
Regulatory Intelligence outputs are source-linked, reviewable, and subject to human approval; they do not replace legal advice, DPCO review, auditor review, regulator decisions, or customer counsel.
Nine pillars of the security program.
TLS in transit and encrypted storage at rest are baseline controls. BYOK and HSM-backed keys are scoped for Enterprise deployments.
Role-based access, MFA support, and tenant scoping are active; SSO, SCIM, and hardware-key policies are available on Enterprise.
Hash-chained audit log, signed evidence exports, and auditor workspace patterns designed for reviewable sensitive actions.
AWS af-south-1 (Cape Town) is the default region. Lagos Local Zone can be scoped for Enterprise deployments.
Public list, 30-day change notifications, contractual flow-down of NDPA obligations.
Recovery targets are documented for readiness review. Restore-test and DR exercise evidence remains tracked before operating-effectiveness claims.
Tenant isolation uses tenant-scoped access controls, Postgres RLS patterns, and customer-specific evidence boundaries.
Detection, anomaly alerts, and immutable logging are part of the security program; 24/7 coverage is scoped for enterprise operations.
Incident runbooks align response owners, tenant notification, evidence capture, and the NDPC 72-hour breach clock.
Security as a daily practice, not a poster.
Threat modelling, code review, dependency scanning, and SAST gates are tracked across security-sensitive releases.
Background checks, least-privilege by default, quarterly access reviews — including for privileged admins.
Sub-processors are reviewed against NDPA Article 29 before onboarding and published with purpose and region.
The things procurement always asks.
AWS af-south-1 (Cape Town) is the default region. Enterprise deployments can be scoped for Lagos Local Zone when in-country residency is required.
Tenant isolation is designed around scoped tenant membership, Postgres row-level security patterns, auditable staff actions, and controlled break-glass review.
The incident runbook is designed to start the NDPC 72-hour clock, notify affected tenants, preserve decision evidence, and produce a post-incident review pack.
Yes. Enterprise customers can run an annual independent test against a staging tenant. Reports are shared under NDA.
Found something? Tell us.
We run a coordinated disclosure program. Send PGP-signed reports to security@asiri.ng. We acknowledge inside 24 hours, triage inside 72, and credit researchers in our hall of thanks.