1. Purpose and Scope
This Data Compliance Policy ("Policy") sets out the internal framework by which Arveth Multi-Concept ("the Company"), through its technology subsidiary Arveth Technologies, ensures that its collection, processing, storage, and transfer of data (including Personal Data, financial data, and transaction data processed through the ArvethPay gateway) complies with applicable Nigerian and international law. It applies to all employees, contractors, agents, and third-party service providers who process data on behalf of the Company.
2. Regulatory Framework
This Policy is designed to ensure ongoing compliance with, among others:
- The Nigeria Data Protection Act, 2023 (NDPA) and its subsidiary regulations.
- The Nigeria Data Protection Regulation, 2019 (NDPR) and its Implementation Framework, pending full transition to NDPA-issued instruments.
- Central Bank of Nigeria (CBN) Guidelines on Electronic Payments, the CBN Consumer Protection Framework, and CBN KYC/AML/CFT Regulations.
- The Money Laundering (Prevention and Prohibition) Act, 2022 and Terrorism (Prevention and Prohibition) Act, 2022, as they relate to customer due diligence and suspicious transaction reporting.
- The Federal Competition and Consumer Protection Act, 2018 (FCCPA), where applicable to consumer-facing digital services.
- Payment Card Industry Data Security Standard (PCI DSS), to the extent the Company or its processors handle cardholder data.
- Where relevant to users outside Nigeria, the EU General Data Protection Regulation (GDPR) and other applicable foreign data protection laws.
3. Data Protection Principles
In line with Section 24 of the NDPA, the Company commits to processing Personal Data in accordance with the following principles:
- Lawfulness, fairness, and transparency in all processing activities.
- Purpose limitation: data is collected only for specified, explicit, and legitimate purposes.
- Data minimization: only data that is adequate, relevant, and necessary is collected.
- Accuracy: reasonable steps are taken to keep data accurate and up to date.
- Storage limitation: data is retained only as long as necessary.
- Integrity and confidentiality: appropriate technical and organizational security measures are applied.
- Accountability: the Company maintains records demonstrating compliance with these principles.
4. Governance and Roles
4.1 Data Protection Officer (DPO)
The Company shall designate a Data Protection Officer responsible for overseeing compliance with this Policy, serving as the primary contact point for data subjects and the Nigeria Data Protection Commission (NDPC), and conducting periodic compliance audits.
4.2 Data Controller and Processor Roles
Arveth Technologies acts as the Data Controller for Personal Data collected through the ArvethPay Platform. Third-party infrastructure and payment providers engaged by the Company (including database/edge-function hosting, security/CDN, transactional email, and licensed payment processing partners) act as Data Processors and are bound by written Data Processing Agreements (DPAs) requiring equivalent standards of protection.
4.3 Employee Responsibilities
All personnel with access to Personal Data or financial data must complete data protection training, follow the principle of least-privilege access, and report any suspected data incident immediately to the DPO.
5. Data Protection Impact Assessments (DPIA)
The Company shall conduct a Data Protection Impact Assessment before deploying any new feature, system, or third-party integration likely to result in high risk to the rights and freedoms of data subjects, for example before onboarding a new payment processor, introducing biometric verification, or materially changing the receipt-verification (OCR) workflow.
6. Vendor and Third-Party Risk Management
Before engaging any third-party processor, the Company shall:
- Conduct due diligence on the vendor's security posture and regulatory standing.
- Execute a written Data Processing Agreement specifying the scope, purpose, and duration of processing, confidentiality obligations, and audit rights.
- Restrict credentials such that only designated secure services (e.g., the Company's dedicated proxy layer) hold direct access to database or service-role keys; no client-side exposure of privileged credentials is permitted.
- Review vendor compliance (e.g., SOC 2, ISO 27001 certifications where available) on a periodic basis.
Current categories of third-party processors include: cloud database and serverless function hosting, content delivery/security/bot-mitigation services, transactional email delivery, and licensed payment processing/settlement services.
7. Know-Your-Customer (KYC) and Anti-Money-Laundering (AML) Compliance
In line with CBN KYC requirements and the Money Laundering (Prevention and Prohibition) Act, 2022, the Company shall:
- Verify customer identity using BVN, NIN, and/or government-issued identification before enabling full transactional capability.
- Apply tiered KYC levels with corresponding transaction and balance limits, consistent with CBN's tiered KYC framework for financial services.
- Screen customers and transactions against relevant sanctions and politically-exposed-persons (PEP) watchlists.
- Monitor transactions for patterns indicative of fraud, structuring, or money laundering, and file Suspicious Transaction Reports (STRs) with the Nigerian Financial Intelligence Unit (NFIU) where warranted.
- Maintain human review procedures for flagged transactions, including manual verification of payment receipts below the confidence threshold used by the Company's automated verification tooling.
8. Payment Card and Financial Data Security
Where the Company processes, transmits, or stores cardholder data, it shall align its practices with PCI DSS requirements, including: never storing sensitive authentication data after authorization, tokenizing stored card references, restricting access on a need-to-know basis, and using properly configured firewalls and encryption for all cardholder data environments. Wherever feasible, card data handling is delegated entirely to PCI-DSS-certified payment processing partners rather than handled directly by Company infrastructure.
9. Data Breach Response and Notification
The Company maintains an incident response procedure requiring that:
- Any suspected or confirmed data breach is reported internally to the DPO within twenty-four (24) hours of discovery.
- Where a breach poses a risk to the rights and freedoms of data subjects, the NDPC is notified within seventy-two (72) hours, in accordance with NDPA breach notification requirements.
- Affected data subjects are notified without undue delay where the breach is likely to result in a high risk to their rights, including guidance on protective steps they can take.
- A post-incident review is conducted to identify root cause and remediate any underlying vulnerability.
10. Data Retention and Secure Disposal
Data retention periods are defined by data category and applicable regulatory requirement (see the Privacy Policy). Upon expiry of the relevant retention period, data is securely deleted, overwritten, or anonymized using methods that prevent reconstruction, and disposal actions are logged for audit purposes.
11. Cross-Border Data Transfer Compliance
Any transfer of Personal Data outside Nigeria is assessed for adequacy under NDPA Section 41 and, where the destination jurisdiction is not recognized as adequate, is supported by appropriate safeguards such as Standard Contractual Clauses, Binding Corporate Rules, or explicit data subject consent, as applicable.
12. Monitoring, Audit, and Review
The Company shall conduct periodic internal compliance reviews (at minimum annually, or upon material system change) covering: access control logs, vendor compliance status, breach and incident records, DPIA outcomes, and data subject request handling. Findings shall be documented and reported to senior management, and this Policy shall be reviewed and updated accordingly.
13. Enforcement and Sanctions
Non-compliance with this Policy by employees, contractors, or agents may result in disciplinary action, up to and including termination of engagement, and may also expose the Company to regulatory sanctions under the NDPA (including administrative fines of up to the higher of ₦10,000,000 or 2% of the annual gross revenue of the preceding financial year for data controllers/processors of major importance), as well as potential criminal liability under related legislation for serious breaches.
14. Records of Processing Activities
The Company shall maintain a Register of Data Processing Activities, documenting the categories of data processed, purposes of processing, data flows, retention periods, and security measures applied, to demonstrate accountability in line with NDPA requirements.
15. Contact and Regulatory Registration
- Data Protection Officer: Hariph Micheal (info.arveth@gmail.com)
- Phone: +234-7069-303501
- Tax Identification Number (TIN): 1086070388
- Head Office Address: 107 Opkanam Rd, Asaba, Delta State, Nigeria
This Policy shall be reviewed at least annually, and immediately upon any material change in applicable law or Company processing activities.
