Legal

Data Protection

How iQStep complies with data protection laws across Africa and internationally

  • 🇰🇪 Kenya DPA: Compliant
  • 🇳🇬 Nigeria NDPA: Compliant
  • 🇿🇦 SA POPIA: Compliant
  • 🇪🇺 EU GDPR: Compliant

At iQStep, we are committed to protecting the personal data of our customers across all African markets we serve. We comply with applicable data protection laws in each jurisdiction, including Kenya's Data Protection Act, Nigeria's NDPA, South Africa's POPIA, Ghana's Data Protection Act, and the EU's GDPR for our European customers.

African Data Protection Laws

🇰🇪 Kenya

Data Protection Act 2019

Regulator: Office of the Data Protection Commissioner (ODPC)

  • Consent required for data processing
  • 72-hour breach notification
  • Data localization for sensitive data
  • Registration with ODPC required

🇳🇬 Nigeria

Nigeria Data Protection Act 2023

Regulator: Nigeria Data Protection Commission (NDPC)

  • Lawful basis for processing
  • Data Protection Impact Assessments
  • Annual compliance audits
  • Cross-border transfer restrictions

🇿🇦 South Africa

POPIA (Protection of Personal Information Act)

Regulator: Information Regulator

  • 8 conditions for lawful processing
  • Appointment of Information Officer
  • Data subject access rights
  • Transborder data flow controls

🇬🇭 Ghana

Data Protection Act 2012

Regulator: Data Protection Commission

  • Registration of data controllers
  • Fair and lawful processing
  • Data quality principles
  • Security safeguards required

Our Data Protection Commitments

Data Minimization

We only collect data necessary for our services

Purpose Limitation

Data is used only for stated purposes

Storage Limitation

Data retained only as long as necessary

Data Security

Industry-standard encryption and security

Lawful Processing

Clear legal basis for all processing

Transparency

Clear privacy notices and policies

Accountability

Documented compliance measures

Breach Response

72-hour notification to authorities

Your Rights

Under applicable data protection laws, you have the following rights:

Right to Access

Request a copy of your personal data

Right to Rectification

Correct inaccurate or incomplete data

Right to Erasure

Request deletion of your personal data

Right to Portability

Receive your data in a portable format

Right to Object

Object to certain types of processing

Right to Withdraw Consent

Withdraw consent at any time

Data Storage & Localization

We store customer data in accordance with local data localization requirements:

  • 🇰🇪 Kenya: Primary data stored on AWS Africa (Cape Town) with backup in EU
  • 🇳🇬 Nigeria: Data processed in accordance with NDPA cross-border transfer requirements
  • 🇿🇦 South Africa: Data stored in AWS Africa (Cape Town) region
  • 🇪🇺 EU Customers: Data stored in AWS EU (Frankfurt) with SCCs for any transfers

🇪🇺 GDPR Compliance

For our European Union customers

For customers in the European Economic Area (EEA), we also comply with the General Data Protection Regulation (GDPR). This includes:

  • Standard Contractual Clauses (SCCs) for international data transfers
  • Data Processing Agreements (DPAs) available upon request
  • EU representative appointed for GDPR purposes
  • Records of processing activities maintained

Sub-processors

We use the following sub-processors to deliver our services:

| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure | Cape Town, Frankfurt |
| Vercel | Application hosting | Global CDN |
| Anthropic | AI processing | USA (SCCs) |
| Paystack | Payment processing (Africa) | Nigeria, SA, Ghana, Kenya |
| Stripe | Payment processing (Int'l) | USA (SCCs) |

Contact Us

For any data protection inquiries or to exercise your rights, contact our Data Protection Officer:

Email: dpo@iqstep.com

Address: Data Protection Officer, iQStep Ltd, Westlands, Nairobi, Kenya

Response Time: Within 30 days of receiving your request