DPA Compliance
The Nigeria Data Protection Regulation (NDPR) 2023 requires a Data Processing Agreement between Voicebip (sub-processor) and developers (data controllers) who process personal data through the platform.
Accepting the DPA
Accept the DPA via API before processing personal data:
Response:
You can also accept via the dashboard at Settings > Data Processing Agreement.
Checking DPA Status
What the DPA Covers
- Data residency: NDPR cross-border transfer safeguards applied to all Nigerian user data
- Retention: Default 90-day retention period, configurable per workspace
- Sub-processors: Paystack (payments), AWS (infrastructure)
- Security: TLS 1.3, AES-256 encryption at rest, PostgreSQL RLS for tenant isolation
- Breach notification: 72-hour notification to NITDA and affected developers per NDPR Article 2.11
- Data subject rights: Developers erase individual contact data via
DELETE /v1/contacts/{e164}(see Contact Erasure guide); data is purged after the configured retention period
Developer Obligations
As a data controller under NDPR, you are responsible for:
- Obtaining valid consent from your end-users before processing their data
- Honoring opt-out requests (Voicebip’s STOP keyword handling automates this for SMS)
- Ensuring a lawful basis for all data processing
- Notifying your own end-users in case of a data breach
Right to Erasure
NDPR Article 3.1(9) gives data subjects the right to have their personal data erased. When a user asks you to delete their data, use DELETE /v1/contacts/{e164}:
records_affected is the total number of call and message records anonymized. Call transcripts are replaced with ["[REDACTED]"], recording URLs are set to null, and message bodies are replaced with [REDACTED]. An audit log entry is created automatically for your compliance records.
For full details — what exactly is anonymized, opt-out list behavior, idempotency, and a UI integration example — see the Contact Erasure guide.