
NDPR Compliance

Last updated: March 2026

Commitment to Data Protection

Eduva is committed to complying with the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act (NDPA) 2023. We process personal data lawfully, fairly, and transparently to protect the rights of all our users — school administrators, teachers, students, and parents.

1. What is the NDPR?

The Nigeria Data Protection Regulation (NDPR) was issued in January 2019 by the National Information Technology Development Agency (NITDA). It was subsequently strengthened by the Nigeria Data Protection Act (NDPA), signed into law in June 2023, which established the Nigeria Data Protection Commission (NDPC) as the regulatory body.

The regulation applies to all transactions intended for the processing of personal data, and to all natural persons residing in Nigeria or Nigerian citizens residing abroad. As a platform that processes personal data of Nigerian students, parents, teachers, and school administrators, Eduva is fully within the scope of this regulation.

2. Lawful Basis for Processing

Under the NDPR, personal data must be processed on a lawful basis. Eduva processes personal data under the following lawful bases:

  • Consent: Schools and users provide consent when they register on the Platform and accept our Terms of Service and Privacy Policy. Parents consent to the processing of their children's data when their accounts are created by the school.
  • Contractual Necessity: Processing is necessary for the performance of our service agreement with schools — managing student records, academic data, fee collection, and communication.
  • Legitimate Interest: We process certain usage data to improve platform performance, ensure security, and prevent fraud.
  • Legal Obligation: We may process data where required by Nigerian law or regulatory authorities.

3. Data We Collect

In compliance with the NDPR principle of data minimization, we only collect data that is adequate, relevant, and necessary for the purposes of school management. This includes:

  • Identity Data: Full names, email addresses, phone numbers, and profile photos of administrators, teachers, students, and parents.
  • Academic Data: Grades, attendance records, exam scores, continuous assessment marks, and report cards.
  • Financial Data: Fee payment records and transaction history. Card details are processed by our payment partner (Paystack) and never stored on our servers.
  • Communication Data: Messages exchanged through the platform's chat and announcement features.
  • Technical Data: IP addresses, browser type, device information, and usage patterns for platform improvement and security.

4. Children's Data Protection

Eduva processes the personal data of students, many of whom are minors under the age of 18. We take additional measures to protect children's data:

  • Student accounts are created exclusively by authorized school administrators, not by the students themselves.
  • Parents and guardians are linked to student accounts and can view their children's data through the parent portal.
  • Student data is only accessible to authorized school staff (administrators and assigned teachers) within the same school.
  • We do not use children's data for marketing, advertising, or profiling purposes.
  • Multi-tenant data isolation ensures that one school cannot access another school's student data.

5. Data Subject Rights

In accordance with the NDPR and NDPA, all data subjects (users) have the following rights:

  • Right of Access: You may request a copy of the personal data we hold about you at any time.
  • Right to Rectification: You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure: You may request deletion of your personal data, subject to any legal retention obligations.
  • Right to Data Portability: You may request your data in a structured, commonly used, and machine-readable format.
  • Right to Object: You may object to the processing of your personal data for specific purposes, including direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Right to Lodge a Complaint: You may file a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data protection rights have been violated.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

6. Data Security Measures

In compliance with the NDPR requirement for appropriate security measures, Eduva implements the following technical and organizational safeguards:

  • Encryption in Transit: All data transmitted between users and our servers is encrypted using TLS 1.2+ (HTTPS).
  • Encryption at Rest: Sensitive data stored in our databases is encrypted at rest using AES-256 encryption.
  • Password Security: User passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.
  • Access Control: Role-based access control (RBAC) ensures users only access data relevant to their role (Admin, Teacher, Student, Parent).
  • Multi-Tenant Isolation: Each school's data is logically isolated using a schoolId-based tenant system. Cross-school data access is technically impossible.
  • Audit Logging: Sensitive operations (login, data export, user creation, grade modifications) are logged with timestamps and user identity for accountability.
  • Regular Backups: Automated daily database backups with secure offsite storage.
  • JWT Authentication: Short-lived access tokens (15 minutes) with refresh token rotation (7 days) to minimize session hijacking risk.

7. Data Processing and Storage

  • Data Controller: Each school using Eduva is the data controller for the personal data of its students, parents, and staff. Eduva acts as the data processor on behalf of the school.
  • Storage Location: Data is stored on managed database infrastructure provided by DigitalOcean. We prioritize infrastructure locations that comply with data sovereignty requirements.
  • Data Retention: We retain personal data for as long as the school's subscription is active, plus a 90-day grace period. After account termination, data is permanently deleted unless retention is required by law.
  • Third-Party Processors: We share data with a limited number of third-party processors who are contractually bound to protect personal data: Paystack (payment processing), Mailgun (email delivery), Termii (SMS delivery), and DigitalOcean (cloud infrastructure).

8. Cross-Border Data Transfer

Where personal data is transferred outside Nigeria (e.g., to cloud infrastructure providers), we ensure that adequate safeguards are in place as required by the NDPR. This includes ensuring that the receiving jurisdiction provides an adequate level of data protection, or that appropriate contractual clauses are in place.

9. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, Eduva will:

  • Notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach.
  • Notify the affected school(s) without undue delay.
  • Where the breach is likely to result in a high risk to data subjects, notify the affected individuals directly.
  • Document all breaches, including the facts, effects, and remedial actions taken.

10. Data Protection Officer

In compliance with the NDPR, Eduva has designated a Data Protection Officer (DPO) responsible for overseeing data protection strategy and implementation. The DPO can be contacted at:

Data Protection Officer

Eduva Technology Limited

Email: [email protected]

Lagos, Nigeria

11. Compliance Audits

Eduva conducts periodic internal data protection audits to ensure ongoing compliance with the NDPR and NDPA. We also conduct a Data Protection Impact Assessment (DPIA) before implementing new features that involve significant processing of personal data.

12. Updates to This Policy

We may update this NDPR compliance statement from time to time. Changes will be posted on this page with an updated revision date. We encourage you to review this page periodically.

13. Related Policies

For more information about how we handle your data, please refer to:

Questions or Concerns?

If you have any questions about our NDPR compliance, or if you wish to exercise your data subject rights, please contact us:

Chat with us on WhatsApp