🇳🇬 NDPR Compliance Audit Report — firmflow.
Date: February 2026
Status: 🟢 Compliant (Internal Audit)
Scope: firmflow. On-Premise Platform v1.2.0
1. Data Inventory & Privacy Impact (PIAs)
The following PII (Personally Identifiable Information) is processed by the platform:
| Data Category | Purpose | Legal Basis | Protection |
|---|---|---|---|
| Firm Staff Data | Authentication, Audit Logs | Contractual Necessity | AES-256-GCM (Secrets) |
| Client PII (CAC/TIN) | KYC, Compliance Filing | Legal Obligation | Database Encryption |
| Client Documents | Storage, Analysis | Contractual Necessity | AES-256-GCM (File-level) |
| Biometric/Signature | E-Signatures | Consent | Encrypted Field-level |
2. Technical Safeguards (Safeguard Assessment)
- [x] Encryption at Rest: All documents are encrypted using AES-256-GCM before storage. Master keys are firm-managed.
- [x] Field-Level Encryption: Sensitive database fields (MFA secrets, signatures) are encrypted using a separate FIELD_ENCRYPTION_KEY.
- [x] Immutable Audit Trail: All data access is logged in a cryptographically chained ledger to detect tampering.
- [x] Node-Locked Licensing: Prevents unauthorized server replication, which could lead to data leakage.
3. Data Subject Rights (DSAR)
- [x] Right to Access: Automated DSAR export utility generates a portable JSON/ZIP of all subject data.
- [x] Right to Erasure: Implementation of "Soft Delete" with permanent purge capability (Manual verification required).
- [x] Right to Portability: Data exported in standardized JSON format.
4. AI & Privacy Gateway (SmartRequestAI™)
- [x] PII Scrubbing: Active scanning for BVN, TIN, and Phone numbers before sending data to LLMs.
- [x] Outbound-Only Tunnels: AI requests are restricted to validated endpoints via Network Policies.
- [x] Auditability: Every AI request is logged with its flow metadata so that usage can be reviewed and misuse detected.
5. Nigerian Market Specifics
- BVN/TIN Handling: Scanned and flagged as sensitive data.
- Local Storage: Support for on-premise NAS/SMB ensures data residency within the firm's physical jurisdiction (meeting NITDA requirements).
🚦 Recommended Next Steps
- Retention Policy Auto-Purge: Implement a scheduled job to permanently delete documents older than the firm's retention policy (usually 6-10 years in Nigeria).
- External Audit: Engage a licensed DPCO (Data Protection Compliance Organization) for official NDPR certification.