Nigerian Data Protection

01The Law We Follow

Nigeria's principal data-protection law is the Nigeria Data Protection Act 2023 ("NDPA"), signed into law on 12 June 2023. The Act is overseen by the Nigeria Data Protection Commission ("NDPC"), which replaced the earlier supervisory role of NITDA for data protection.

On 20 March 2025 the NDPC issued the General Application and Implementation Directive ("GAID"), which took effect on 19 September 2025. From that date, the older NDPR 2019 and its Implementation Framework ceased to be the operative rules and were replaced by the NDPA, read together with GAID. We use "NDPR" on this page as the familiar name people search for, but our practices are built around the current NDPA and GAID.

02Where Your Data Lives

MyTabulon is operated from Nigeria by Maximo AI LTD. Your workspace data may be hosted and processed in Nigeria and in other countries where we or our service providers operate, such as cloud, storage, security, payment, and AI infrastructure providers.

When personal data moves across borders, we apply transfer safeguards consistent with the NDPA, as described in the International Transfers section and in our Data Processing Agreement.

03How We Split Responsibility

Under the NDPA, a data controller decides why and how personal data is processed, and a data processor processes data on the controller's behalf. Most processing on MyTabulon involves both roles, and it matters which one applies to you.

For the personal data you put into your workspace about your clients, employees, vendors, and contacts, you are the controller and MyTabulon is your processor. For your account, billing, security, and platform-operation data, Maximo AI LTD is a controller. Our Data Processing Agreement sets out the processor terms in full.

04Lawful Bases and Principles

We process personal data in line with the NDPA's principles, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and accountability.

Our lawful bases include performance of a contract, consent, compliance with a legal obligation, legitimate interests, and, where relevant, protection of vital interests. The basis depends on the specific data and processing activity, as explained in our Privacy Policy.

05Data Subject Rights

The NDPA gives data subjects rights over their personal data. Subject to applicable conditions and identity verification, these include the right to be informed, to access, to rectify inaccurate data, to erasure, to restrict or object to certain processing, to withdraw consent, to data portability, and not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

If your data is held in a customer's MyTabulon workspace, that customer is the controller and your request is usually best directed to them. We help our customers respond using the tools and assistance described below.

06What We Give You to Comply

MyTabulon is built so our business customers can meet their own NDPA obligations. We provide:

• A Data Processing Agreement that sets out controller and processor responsibilities and forms part of our Terms.
• A current list of sub-processors on request, with prior notice of material changes.
• Security measures described in Annex A of the DPA, plus role-based access, audit events, and backup practices.
• Tools to export, correct, and delete workspace records so you can act on data-subject requests.
• Reasonable assistance with breach handling, data-protection impact assessments, and regulator enquiries, taking into account the information available to us.

07Registration and Governance Status

GAID sets out which organizations must register with the NDPC as data controllers or data processors of major importance, and categorizes them into Ultra-High Level, Extra-High Level, and Ordinary-High Level based on their processing activities and risk. Registration and reporting cadence — for example, one-time registration with an annual compliance audit return, or annual renewal — depend on the assigned category.

Maximo AI LTD treats NDPA and GAID compliance as an ongoing program. Where our processing brings us within a registration category, our approach includes maintaining incorporation with the Corporate Affairs Commission, appointing a Data Protection Officer, documenting our technical and organizational measures and processing activities, engaging a licensed Data Protection Compliance Organisation for audits where required, and filing with the NDPC as applicable.

08International Transfers

The NDPA allows cross-border transfers of personal data where there is an adequate level of protection or another lawful transfer mechanism. When we transfer your data outside Nigeria, we rely on mechanisms such as adequacy or whitelisting decisions, binding contractual safeguards including standard contractual clauses or their equivalent, your informed consent where appropriate, transfer-impact assessments, and technical measures such as encryption and access controls.

09Breach Notification

We maintain procedures to detect, assess, and respond to personal-data breaches. Where a breach affects data we control, we will notify the NDPC and affected data subjects where the law requires. Where a breach affects data we process for a customer, we will notify that customer without undue delay so they can meet their own obligations.

10Questions and Contact

For questions about how MyTabulon handles Nigerian data-protection requirements, or to raise a concern, contact our data-protection team at privacy@mytabulon.com. For general product support, contact support@mytabulon.com.

You also have the right to lodge a complaint with the Nigeria Data Protection Commission. We encourage you to reach out to us first so we can try to resolve the matter directly.