Trust & compliance

How we handle your data.

Vouchmark is built for procurement, banking, and SAP-grade due diligence. This page documents our regulatory posture, security controls, sub-processors, and breach commitments — written plainly so a security questionnaire can be answered without inventing answers.

Data protection

NDPR compliance and your rights as a data subject

Vouchmark processes personal data in accordance with the Nigeria Data Protection Regulation (NDPR, 2019) and the Nigeria Data Protection Act (NDPA, 2023). Our lawful basis for processing is contractual necessity for account holders and legitimate interest for vendor due diligence, both as defined under the NDPA.

You retain the following rights over data we hold about you. Each can be exercised in-app or by email; we respond within 30 days, in line with the NDPA timelines.

  • Access

    Download every record we hold about you from Settings → Privacy, or email our DPO. We respond within 30 days.

  • Correction

    Edit your account profile in-app at any time. For records you cannot edit, raise a correction request with our DPO.

  • Erasure

    Delete your account from Settings → Account → Delete account. Personal data is removed from primary storage immediately and from backups within 30 days.

  • Portability

    Export your account, search history, and monitored vendors as JSON via Settings → Privacy.

  • Objection

    Opt out of any non-essential processing (analytics, marketing) from Settings → Privacy. Required processing for service delivery is documented in our Privacy Policy.

  • Restriction

    Pause processing of your data while a correction or objection is being reviewed by emailing our DPO.

For specific requests, write to dpo@vouchmark.com. You may also contact the Nigeria Data Protection Commission directly if you believe a request was mishandled.

Regulatory framework

NDPC, NITDA, and our standing

Vouchmark operates within Nigeria’s data-protection framework administered by the Nigeria Data Protection Commission (NDPC). We are a registered Data Controller and Data Processor, and our annual NDPR audit is filed by a licensed Data Protection Compliance Organisation (DPCO).

We do not currently hold NITDA accreditation as a Consulting Service Provider — that scope does not apply to our product. We do follow NITDA’s public guidelines on data localisation, retention, and breach reporting where they affect our service.

Documentation we will share under NDA on request: NDPR audit attestation, DPCO contact, and our internal data-flow map.

Information security

Controls in place today

Our security programme is mapped to the ISO/IEC 27001:2022 Annex A control set. We are not yet certified — controls are in implementation, with our certification target in Q4 2026. We say so honestly because procurement teams should not have to take an unverified claim on faith.

  • Encryption in transit

    TLS 1.2+ enforced on every public endpoint and admin surface.

  • Encryption at rest

    AES-256 on the MongoDB Atlas cluster and on AWS S3 buckets that hold uploaded documents.

  • Authentication

    HttpOnly session cookies, refresh-token rotation with family detection, password hashing via bcrypt.

  • Access logging

    Every administrative action writes to an immutable AdminAuditLog. Operator access is reviewed quarterly.

  • Rate limiting

    Per-IP and per-user limits on auth, password, and search endpoints; circuit breakers on monitoring agents to protect upstream sources.

  • Backups

    Nightly MongoDB dumps to S3 in a separate region, retained for 30 days. Quarterly restore drills.

  • Incident response

    On-call rotation with structured runbooks; security incidents triaged within 1 business hour.

  • Vulnerability management

    Monthly dependency audit (pnpm audit + Snyk); critical findings patched within 7 days.

  • Secure SDLC

    Mandatory code review, automated lint/typecheck, and security review on every release branch.

Penetration tests are scoped before each major release; the most recent summary is available under NDA. Production secrets are stored in AWS Secrets Manager and rotated on a defined schedule.

Data residency

Where your data lives

Application infrastructure runs on AWS in eu-west-1 (Ireland). Encrypted backups are replicated nightly to eu-central-1 (Frankfurt). Customer-uploaded documents (CAC certificates, tax certificates, dispute evidence) live in S3 with bucket-level AES-256 encryption and versioning enabled.

Sub-processors that receive customer-identifiable data are listed below. Public-source data we ingest from CAC, FIRS, CBN, GDELT, Google News, and OpenSanctions is processed in the same EU region as the rest of the application.

Customers requiring Nigerian data residency should contact us before signing — we maintain a Lagos-region deployment for regulated banks and government clients on an annual contract.

Sub-processors

Every external service that touches customer data

We maintain a single, complete list. Any addition is logged and announced to administrators of paying accounts at least 30 days before going live.

  • Paystack
    Region: Nigeria
    Purpose: Subscription billing, card processing, recurring charges, and bank-account verification during company KYB. Customer card data never touches Vouchmark servers, and Vouchmark stores only the verification result.

  • Amazon Web Services (AWS)
    Region: eu-west-1 (Ireland) for application data; eu-central-1 (Frankfurt) for backups
    Purpose: Hosting for application servers, MongoDB Atlas peered VPC, and S3 object storage for uploaded documents and report PDFs.

  • MongoDB Atlas
    Region: eu-west-1
    Purpose: Managed primary datastore for company, score, and event records. AES-256 encryption at rest is enforced by Atlas.

  • Redis Cloud
    Region: eu-west-1
    Purpose: Session and rate-limit cache; queue backbone for monitoring agents. No PII written to Redis.

  • Cloudinary
    Region: EU multi-region
    Purpose: Image transformation for verification document thumbnails. Originals remain in S3.

  • Resend
    Region: EU
    Purpose: Transactional email delivery (verification, alerts, dispute updates).

  • Sentry
    Region: EU
    Purpose: Application error monitoring. PII redacted client- and server-side before transmission.

  • Google Cloud (Gemini)
    Region: EU
    Purpose: LLM sentiment analysis on press articles. Only the public article URL and snippet are sent — no customer data.

  • OpenSanctions
    Region: EU
    Purpose: Sanctions, PEP, and watchlist screening data. Vouchmark sends company names; OpenSanctions returns matches.

Breach notification

We notify affected customers within 72 hours

In the event of a personal-data breach affecting your account, we will notify the registered account administrator and, where applicable, the NDPC, within 72 hours of becoming aware — the timeline required by the NDPA. The notice describes the nature of the incident, the categories and approximate volume of records affected, the remediation under way, and the contact point for follow-up.

Security incidents that do not result in unauthorised data access are logged internally and summarised in the next customer status update. Suspected breaches can be reported by anyone — customers, security researchers, or members of the public — at security@vouchmark.com.

Contact

Who to talk to

See also our Privacy Policy and Terms & Conditions.