Zhift Platforms Ltd

Compliance & Assurance

Zhift Platforms Ltd builds, deploys, and manages software platforms within a governance, risk, and compliance (GRC) framework aligned to NDPR, GDPR, and directives issued by the National Information Technology Development Agency (NITDA). This page summarises our key assurance practices.

1. Governance Model

Zhift operates an enterprise GRC committee chaired by the Chief Technology Officer with representation from security, engineering, legal, and operations. Policies are reviewed annually and after significant regulatory updates. We maintain documented procedures covering privacy, secure development, incident response, and vendor risk management.

2. Data Protection Programme

Our privacy compliance programme includes records of processing activities (ROPAs), lawful basis assessments, Data Protection Impact Assessments (DPIAs) for high-risk initiatives, and regular audits overseen by our Data Protection Officer. We align with NDPR Implementation Framework guidance and GDPR accountability principles.

3. Security & Technical Controls

Security practices map to ISO/IEC 27001, NIST CSF, and NITDA cybersecurity guidelines. Controls include Identity and Access Management (IAM) with MFA, encryption of data in transit and at rest, vulnerability and patch management, secure SDLC gates, configuration baselines, and 24/7 monitoring through our network operations centre.

4. Business Continuity & Resilience

We maintain business continuity and disaster recovery plans tested annually through tabletop and failover exercises. Recovery point and time objectives (RPO/RTO) are defined per client. Critical services are hosted across redundant availability zones with documented runbooks.

5. Vendor & Sub-processor Due Diligence

Third-party providers undergo risk assessments covering security certifications, geopolitical exposure, privacy posture, and financial stability. Contracts incorporate data protection clauses, and vendors are reassessed at least annually or when significant changes occur.

6. Audit & Testing

We commission independent penetration tests, internal audits, and compliance reviews. Clients may request summaries of findings, remediation status, and attestation letters (e.g., ISO 27001 certification scope, SOC-type reports where applicable).

7. Incident Response & Breach Notification

Incident response follows a documented playbook with defined severity criteria, escalation paths, and 24/7 coverage. Personal data breaches are reported to clients and regulators within NDPR and GDPR timelines, with root-cause analysis and corrective actions shared upon closure.

8. Training & Awareness

All staff complete onboarding and annual refreshers covering secure coding, privacy, anti-corruption, and incident reporting. Role-based training is mandated for engineers, SREs, support personnel, and leadership to ensure policies translate into operational behaviour.

9. Regulatory Engagement

Zhift maintains open channels with the Nigeria Data Protection Commission and NITDA. We support client regulatory filings, procurement due diligence, and supervisory audits by providing necessary documentation and participating in joint reviews.