Information Security Policy (Public Summary)

Last updated: 22 October 2025

Owner: Head of IT

Approved by: Executive

Review: at least annually or after material changes.

1) Purpose & scope

We protect personal and business information across people, processes and technology. Controls align to recognised standards (e.g., ISO/IEC 27001) referenced in the NDPR Implementation Framework. Scope covers staff, contractors, devices, cloud/SaaS (Zoho), ATS (Zoho Recruit), analytics (Google), and data processed during recruitment.

2) Roles & governance

  • Executive accountability for security and privacy.
  • DPO/Privacy Lead (Nigeria-based): oversees NDPR/GDPR compliance, DPIAs, training, vendor governance, breach response and NITDA liaison. Appointment of a DPO is triggered by, for example, processing >10,000 data subjects per annum or regular processing of sensitive data.
  • All personnel: complete induction and periodic refresher training; follow acceptable use, classification and handling rules.

3) Risk management & DPIAs

We maintain a risk register and conduct DPIAs for high-risk processing (profiling, automated decisions with legal/similar significant effects, systematic monitoring, sensitive data, innovative tech).

4) Core controls (summary)

  • Access control: RBAC/least privilege, MFA, JML processes, periodic recertification.
  • Asset & data classification: Public / Internal / Confidential / Restricted.
  • Cryptography: TLS in transit; encryption at rest; key management.
  • Secure development & change: security by design, code review, patching, pre-release testing.
  • Logging & monitoring: centralised logs, alerting, anomaly detection.
  • Endpoint security: EDR/AV, disk encryption, screen lock, removable-media controls.
  • Email & identity security: phishing controls, SPF/DKIM/DMARC.
  • Backups, DR & BCP: tested recovery objectives; off-platform resilience where feasible.
  • Vendor management: due diligence, NDPR/GDPR DPAs, transfer safeguards, periodic reviews.
  • Data lifecycle: minimisation, retention per NDPR defaults (3-year last activity / 6-year contractual) and secure destruction with evidence.

5) Training & awareness

Induction and recurring training for staff who collect or process personal data, at least biennially (or more frequently where risk warrants it).

6) Incident response & breach notification

We operate playbooks for detect → contain → assess → eradicate → recover → lessons learned. We notify NITDA within 72 hours where required and inform impacted individuals where high risk is likely; notifications include all elements prescribed by the Framework.

7) Compliance monitoring & audits

Internal reviews and metrics; remedial plans tracked to closure. If >2,000 data subjects are processed in the prior 12 months, we file an annual NDPR audit through a DPCO; NITDA may carry out scheduled or spot audits.