Legal Framework

Data Protection Policies

Effective Date: July 6, 2026 | Version: 1.0 (Stable) | DPO Contact: Ola Phillips (support@keepsafe.ng)

This document outlines the data protection and privacy policies governing the Keepsafe Employee Onboarding & Performance Rating Service. Keepsafe is committed to processing all employee and user data in strict compliance with the Nigeria Data Protection Act 2023 (NDPA).

Policy 1: Employee Privacy Notice

This notice applies to all users of the Keepsafe Application. It covers two main streams of data processing:

  • Identity verification data: One regulatory identity document (NIN Slip, Passport, or Driver’s License) and biometric selfie scans.
  • Performance monitoring data: Performance reviews, ratings, KPIs, peer feedback, and project metrics.

Lawful Basis (NDPA 2023)

ActivityLawful Basis
Identity VerificationLegal Obligation (Labour Act, tax laws)
Performance MonitoringLegitimate Interest (workforce management)

What Data We Collect & Why

Data CategoryExamplesPurposeStorage
Identity DocumentsNIN Slip, Passport, or Driver's License, Selfie / Liveness checkRight-to-work checks & verificationEncrypted DB folders, access restricted to HR / authorized managers
Performance DataKPIs, manager ratings, peer feedback, assessmentsPerformance reviews, ratings, promotionsSecure HRIS database system with role-based access

Your Rights

Under the NDPA, you have the right to access, correct, delete, restrict processing of, object to the processing of, and request portability of your data. Detailed request instructions are provided in Policy 4 below.

Policy 2: Performance Rating Data Policy

Data collected specifically for the performance rating service includes project metrics (completion rate, quality scores), peer feedback, self-assessments, and final performance scores.

Lawful Basis: Employment Contract (explicitly allowing performance reviews) and Legitimate Interest (to improve productivity and fairness).

How Ratings Are Calculated & Limits on Automated Decision-Making

Ratings are 70% manager assessment + 30% project metrics. Peer feedback is used strictly for qualitative developmental comments, not for automated scoring.

No Automated Termination: Keepsafe enforces a strict limit on automated decision-making. No decision that significantly affects an employee (such as termination or demotion) may be made automatically; a human manager must review and approve every final rating and action.

Policy 3: Data Retention & Erasure Policy

Data CategoryRetention PeriodLawful Basis
Identity Documents (Right-to-work)3 years after employment endsLabour Act
General Personnel File3 years after employment endsTax / Pension Laws
Performance Ratings (Active)Current + 1 prior cycleLegitimate Interest
Performance Ratings (After Exit)2 years after exitContractual Necessity
System Logs containing personal data6 monthsOperational Need

Secure Disposal Methods

  • Physical documents (paper ID scans): Cross-cut shredder.
  • Digital files (HDD/SSD): Secure deletion software (e.g., shred on Linux, Eraser on Windows).
  • Cloud/SaaS data: Secure API vendor certification of permanent deletion.

Policy 4: Data Subject Request (DSR) Procedure

Employees can exercise their rights (Access, Rectification, Erasure, Restriction, Portability, and Objection) under the NDPA by submitting a request to our DPO:

Step-by-Step Process:

  1. Submission: Email Ola Phillips (DPO) at support@keepsafe.ng using your registered email.
  2. Identity Check: The DPO will verify your identity (via registered employer data or a secure liveness match).
  3. Review: The DPO reviews the request to check for legal requirements (e.g., if tax laws require keeping your details, erasure might be restricted).
  4. Response: We will process and fulfill your request within 30 days of submission, at no cost to you.

Policy 5: Third-Party & Processor Management Policy

Before engaging any third-party processor (such as ID verification platforms), Keepsafe performs strict due diligence. We sign a Data Processing Agreement (DPA) containing NDPA-compliant clauses and ensure that biometric and personal records are not transferred outside Nigeria without adequate security guarantees.

Primary Identity Processor: Keepsafe integrates with Dojah Inc. (Dojah SDK) to perform biometric matching, liveness checks, and registry lookups securely. All data transmitted to Dojah is encrypted end-to-end and is used solely for the verification request initiated by the employer.

Policy 6: Breach Response Protocol

In the event of a security incident, Keepsafe adheres to a strict detection and containment timeline to minimize data exposure.

PhaseActionOwner / Timeline
DetectionIncident detected by employee or system alertAnyone / Immediate
EscalationDPO is officially notified with logsDiscoverer / Within 1 hour
ContainmentRevoke permissions, isolate servers, preserve database logsIT Team / Within 4 hours
AssessmentReview scope, affected records, and risk levelDPO / Within 12 hours
NotificationFile breach report to the NDPC PortalDPO / Within 72 hours
CommunicationNotify affected employees if risk is high (e.g. ID scans leaked)DPO + HR / Within 72 hours