
Cross-Border Data Transfers Nigeria: NDPA Rules for Cloud, AI & SaaS

Michael K. Onyekwere · 6 min read

If you use AWS, Google Cloud, OpenAI, Slack, HubSpot, or basically any modern SaaS tool from Nigeria, your data is leaving the country. Every API call, every cloud database query, every email through Google Workspace.

Most Nigerian businesses do this without thinking about it. Under the NDPA, every one of those transfers needs documented safeguards. And almost nobody has them.

I've audited the data flows of Nigerian fintechs and found 10-15 undocumented international transfers in the first hour. It's not that they're doing something wrong; it's that nobody told them cloud infrastructure means cross-border transfers.

What counts as a transfer

Any time personal data moves from Nigeria to another country. Not just files being emailed; data being processed on servers outside Nigeria. Which means:

Cloud hosting. Your app runs on AWS Ireland, Google Cloud US, or Azure Frankfurt. Every piece of customer data stored there has been transferred out of Nigeria.

AI APIs. Every call to OpenAI, Anthropic, Google AI, or any external AI provider sends customer data to servers outside Nigeria. Usually the US. If your chatbot processes customer conversations through Claude or GPT-4, that's a cross-border transfer on every single interaction.

SaaS tools. HubSpot, Salesforce, Slack, Google Workspace, Mailchimp, Mixpanel: your CRM, email, analytics, and communication tools all store data outside Nigeria.

Payment processors. Paystack and Flutterwave handle some data locally, but international payment flows route through external servers.

Group companies. Sharing employee or customer data with a parent company or subsidiary abroad.

If you're a Nigerian business using modern technology (and you are), you're transferring data internationally. The question is whether you've documented it.

What the NDPA requires

The NDPA restricts cross-border transfers to ensure Nigerian residents' data stays protected when it leaves the country. Three lawful mechanisms:

Adequacy determination. The NDPC can certify that a receiving country has adequate data protection. In practice, this framework is still developing. Very few countries have formal NDPC adequacy decisions as of April 2026. Don't wait for this.

Appropriate safeguards. This is the practical route. You need contractual agreements binding the recipient to data protection standards equivalent to the NDPA. For most businesses, this means a Data Processing Agreement (DPA) with each provider that includes transfer-specific protections. Standard Contractual Clauses, familiar from GDPR, serve this function.

Derogations. Limited exceptions: explicit consent (the person understands the transfer risks), contractual necessity, legal claims, vital interests. Don't rely on consent for routine transfers; getting and managing consent for every data flow to every cloud service is impractical.

What to actually do, by scenario

Cloud hosting (AWS, Google Cloud, Azure)

Your customer data lives on servers in Ireland, Virginia, Frankfurt, wherever your cloud region is. That's a transfer.

What you need: a DPA with your cloud provider (AWS, Google, and Microsoft all offer them, but most businesses just haven't signed them), a record in your processing register documenting the transfer and safeguards, and a privacy notice that tells users their data goes to [country] under [safeguard].

Worth considering: AWS has an Africa (Cape Town) region. It's not Nigeria, but keeping data on the continent reduces transfer complexity and improves latency.

AI APIs (OpenAI, Anthropic, Google AI)

Every customer query sent to an AI API is personal data leaving Nigeria. Usually going to the US.

What you need: a DPA with the AI provider (most offer them), data minimisation before the API call (strip names, emails, and account numbers if the query doesn't need them), confirmation the provider doesn't retain your data for training (most API tiers offer zero-retention; verify it), a DPIA covering the combined risk of AI processing and international transfer, and documentation of the full data flow.
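The minimisation step above is the one piece of this list that lives in code. Here is an added example (not the article's code, and not any provider's SDK) showing what "strip identifiers the query doesn't need" looks like in practice before a support query is sent to an external AI API. The customer name is assumed to come from the authenticated session record, so it can be replaced exactly; emails, Nigerian phone numbers and 10-digit NUBAN-style account numbers are matched by pattern. The `send` callable, the sample query and the placeholder tokens are constructed for illustration.

```python
"""Data minimisation before an AI API call (added example, not the article's code).

Replace the identifiers a support query usually does not need with
placeholders before the text leaves Nigeria for an external provider, and
return a count of what was removed so the transfer can be logged in the
processing register.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Nigerian mobile numbers: +234 followed by 10 digits, or a local 11-digit number starting with 0.
PHONE_RE = re.compile(r"(?:\+234[\s-]?\d{10}|\b0\d{10})\b")
# NUBAN account numbers are exactly 10 digits; the word boundaries keep this off longer numbers.
ACCOUNT_RE = re.compile(r"\b\d{10}\b")


@dataclass
class Redaction:
    text: str
    removed: Dict[str, int] = field(default_factory=dict)  # placeholder -> occurrences


def _name_pattern(full_name: str) -> re.Pattern:
    """Match the full name or any part of it (3+ letters), case-insensitively, as whole words."""
    parts = [p for p in full_name.split() if len(p) >= 3]
    alternatives = [re.escape(full_name)] + [re.escape(p) for p in parts]
    return re.compile(r"\b(?:" + "|".join(alternatives) + r")\b", re.IGNORECASE)


def minimise(query: str, customer_name: Optional[str] = None) -> Redaction:
    """Strip emails, phone numbers, account numbers and the known customer name."""
    counts: Dict[str, int] = {}
    text = query

    def scrub(pattern: re.Pattern, placeholder: str, s: str) -> str:
        s, n = pattern.subn(placeholder, s)
        if n:
            counts[placeholder] = counts.get(placeholder, 0) + n
        return s

    # Pattern-based identifiers first: the name pass would otherwise split an
    # address like chinedu.okafor@example.com and the email regex would miss it.
    text = scrub(EMAIL_RE, "[EMAIL]", text)
    text = scrub(PHONE_RE, "[PHONE]", text)
    text = scrub(ACCOUNT_RE, "[ACCOUNT]", text)
    if customer_name:
        text = scrub(_name_pattern(customer_name), "[CUSTOMER]", text)
    return Redaction(text=text, removed=counts)


def ask_provider(
    query: str,
    customer_name: Optional[str],
    send: Callable[[str], str] = lambda prompt: f"(provider response to: {prompt})",
) -> Tuple[str, Dict[str, object]]:
    """Minimise, send, and return the answer plus a register entry for the transfer.

    `send` stands in for the provider SDK call; destination and safeguard are
    assumed values that should come from your own transfer register.
    """
    redaction = minimise(query, customer_name)
    register_entry = {
        "destination": "US",                 # assumed processing location
        "safeguard": "DPA with Standard Contractual Clauses",  # assumed mechanism
        "fields_removed": redaction.removed,
    }
    return send(redaction.text), register_entry


# Constructed sample query; every identifier in it is fictional.
SAMPLE_QUERY = (
    "Hi, I'm Chinedu Okafor, my transfer from account 0123456789 to 2345678901 "
    "hasn't arrived. Email chinedu.okafor@example.com or call 08012345678."
)

if __name__ == "__main__":
    answer, entry = ask_provider(SAMPLE_QUERY, "Chinedu Okafor")
    print(answer)
    print(entry)
```

The order of the passes matters: pattern-based identifiers are removed before the name pass so that a name embedded in an email address does not break the email match. Regex-based stripping is a floor, not a ceiling; if a query can carry free-text identifiers you do not hold in the session record (a third party's name, a BVN typed in prose), the DPIA should say how those are handled.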

The AI provider piece is where I see the most gaps. Fintechs build chatbots, connect them to OpenAI, and never sign the DPA. The DPA exists. It's usually a few clicks on the provider's website. But nobody does it because nobody told them to.

SaaS platforms

HubSpot, Salesforce, Slack, Google Workspace, Mailchimp: each one is a cross-border transfer.

Audit your entire SaaS stack. List every tool that touches personal data. For each: check if you've signed a DPA (free-tier accounts often don't come with one by default; you need to actively request it), document what data the platform holds and where, and include each platform in your privacy notice.

You probably use more SaaS tools with personal data than you think. Spend an hour listing them. You'll find 15-20 minimum.

Group companies

Sharing data with a parent company or subsidiary abroad needs a formal agreement: binding corporate rules or an intra-group DPA covering what data is shared, why, who has access, and what protections apply. Nigerian employees must be told their data goes abroad.

Building your transfer framework

Step 1: Map every data flow. List every service, platform, partner, and group company that receives personal data from your Nigerian operations. For each: what data, which country, why, and what safeguards. This takes 2-3 days for an SME. It's tedious but it's the foundation of everything else.

Step 2: Sign DPAs. For every processor receiving Nigerian personal data. Check that each DPA covers cross-border transfer obligations, sub-processors, and breach notification. Most major providers have DPAs ready. The gap is usually that nobody at the company has executed them.

Step 3: Update privacy notices. Users must know their data leaves Nigeria, which countries it goes to, and what safeguards are in place. Not in general terms; specifically. "Your conversation data is processed by Anthropic (US) under Standard Contractual Clauses."

Step 4: Include in your DPIA. Cross-border transfers are a specific risk factor in your impact assessment. What additional risks does the transfer create? What mitigations are in place? Is the transfer proportionate?

Step 5: Document for your CAR filing. When your DPCO files the Compliance Audit Return, cross-border transfers are part of it. NDPC wants to know where Nigerian personal data goes.
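Steps 1 to 5 amount to keeping one register of transfers and checking each entry against the same questions before the CAR filing. The following added example (not the article's code and not an NDPC template) puts that register in code: one record per flow with the fields Step 1 asks for, a gap check covering the DPA, consent, privacy-notice and DPIA points from Steps 2 to 4, and a generator for the specific privacy-notice sentence Step 3 calls for. Field names, the mechanism labels and the three sample flows are constructed for illustration.

```python
"""Cross-border transfer register with gap checks (added example, not the article's code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Transfer:
    recipient: str              # who receives the data, e.g. a SaaS vendor or group company
    country: str                # where it is processed
    data: str                   # category of personal data, phrased for the privacy notice
    purpose: str
    mechanism: str              # "adequacy", "safeguards" (DPA/SCCs) or "consent"
    dpa_signed: bool
    sub_processors_covered: bool
    breach_notification: bool
    in_privacy_notice: bool
    in_dpia: bool
    routine: bool = True        # daily/automated flow rather than a one-off


def gaps(t: Transfer) -> List[str]:
    """Return the compliance gaps for one transfer; an empty list means nothing to fix."""
    issues: List[str] = []
    if t.mechanism == "safeguards" and not t.dpa_signed:
        issues.append("relies on contractual safeguards but no DPA has been executed")
    if t.dpa_signed and not t.sub_processors_covered:
        issues.append("DPA does not address sub-processors")
    if t.dpa_signed and not t.breach_notification:
        issues.append("DPA has no breach-notification clause")
    if t.mechanism == "consent" and t.routine:
        issues.append("routine transfer relies on consent; use contractual safeguards instead")
    if t.mechanism == "adequacy":
        issues.append(f"confirm an NDPC adequacy decision actually exists for {t.country}")
    if not t.in_privacy_notice:
        issues.append("transfer not disclosed in the privacy notice")
    if not t.in_dpia:
        issues.append("transfer not assessed in the DPIA")
    return issues


SAFEGUARD_WORDING = {
    "safeguards": "Standard Contractual Clauses",
    "adequacy": "an NDPC adequacy decision",
    "consent": "your explicit consent",
}


def notice_line(t: Transfer) -> str:
    """The specific sentence the privacy notice should carry for this flow."""
    wording = SAFEGUARD_WORDING.get(t.mechanism, t.mechanism)
    return f"Your {t.data} is processed by {t.recipient} ({t.country}) under {wording}."


def report(register: List[Transfer]) -> Dict[str, List[str]]:
    """Map each flow to its open gaps, ready to hand to the DPCO."""
    return {f"{t.recipient} ({t.country})": gaps(t) for t in register}


# Constructed sample register: three flows in different states of readiness.
SAMPLE_REGISTER = [
    Transfer("Anthropic", "US", "conversation data", "support chatbot", "safeguards",
             dpa_signed=True, sub_processors_covered=True, breach_notification=True,
             in_privacy_notice=True, in_dpia=True),
    Transfer("HubSpot", "US", "contact details", "CRM", "safeguards",
             dpa_signed=False, sub_processors_covered=False, breach_notification=False,
             in_privacy_notice=False, in_dpia=True),
    Transfer("Parent company", "UK", "employee records", "group HR reporting", "consent",
             dpa_signed=True, sub_processors_covered=True, breach_notification=True,
             in_privacy_notice=True, in_dpia=False),
]

if __name__ == "__main__":
    for flow, issues in report(SAMPLE_REGISTER).items():
        print(flow, "->", issues or "no gaps")
    for t in SAMPLE_REGISTER:
        print(notice_line(t))
```

Run it on your own inventory rather than the sample: the value is in the flows you forgot you had, which only appear once Step 1 is done honestly.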

What I keep seeing go wrong

"We don't send data abroad." Yes you do. You use Gmail, AWS, and HubSpot. That's three cross-border transfers before you've written a line of code.

No DPAs with SaaS providers. The free tier doesn't come with one. You need to go find it and sign it. Takes 10 minutes per provider but nobody does it.

Privacy notices that don't mention transfers. Even if you have DPAs in place, your customers still need to know about the transfers. Silence isn't compliance.

No documentation at all. The transfers happen daily but nobody's written down where, why, and under what safeguards. When the NDPC asks (and they will, through your CAR filing at minimum) you need answers, not guesses.

Relying on consent for routine transfers. Getting explicit consent for every data flow to every cloud service is impractical. Use contractual safeguards as your primary mechanism and keep consent as a fallback for edge cases.


Need help mapping your data flows and documenting transfers? Our NDPA Fintech Compliance Programme includes full data flow mapping, DPA review, and transfer documentation, from ₦3,500,000. Not sure where you stand? Start with an NDPA Readiness Diagnostic, ₦500,000.

