Internal Governance

Data Protection Policy

TASKERLY LIMITED – DATA PROTECTION POLICY

Effective Date: 23rd August 2025

1. Policy Statement and Scope

Taskerly Limited (“Taskerly,” “we,” “us,” or “our”) is committed to ensuring the lawful, fair, and transparent processing of Personal Information in accordance with the Nigeria Data Protection Act 2023 (NDPA) and applicable regulatory frameworks. This Data Protection Policy (“Policy”) establishes our internal governance principles, operational procedures, and accountability measures for the protection of Personal Information across all business functions and systems.

2. Data Protection Principles

In line with the core tenets of the NDPA, Taskerly adheres to and operationalizes the following data protection principles:

1

Lawfulness, Fairness, and Transparency

Processing activities shall have a lawful basis and be conducted transparently.

2

Purpose Limitation

Personal Information shall be collected for specified, explicit, and legitimate purposes.

3

Data Minimisation

Only Personal Information that is adequate, relevant, and necessary shall be processed.

4

Accuracy

Reasonable steps shall be taken to ensure Personal Information is accurate and up to date.

5

Storage Limitation

Personal Information shall not be kept in identifiable form longer than necessary.

6

Integrity and Confidentiality

Personal Information shall be processed securely and protected against unauthorized processing.

7

Accountability

Taskerly shall implement measures to demonstrate compliance with these principles.

3. Processing of Sensitive and High-Risk Data

Identity Verification

3.1. National Identification Number (NIN): Processed solely for mandatory identity verification required under Nigerian law and Platform security protocols.

3.2. Bank Verification Number (BVN): Processed exclusively for validating bank accounts and performing financial risk assessments in connection with payouts.

3.3. Restricted Access: Access to raw NIN and BVN data is strictly restricted to authorized personnel and systems on a need-to-know basis, governed by stringent access controls.

3.4. Minimisation Strategy: Where feasible, Taskerly stores verification status tokens or outcomes rather than raw identifiers.

4. Access Control and Confidentiality

  • 4.1. RBAC: Implementation of Role-Based Access Control and the principle of least privilege.

  • 4.2. MFA: Multi-factor authentication mandated for all privileged administrative and technical access.

  • 4.3. Contractual Bonds: All employees and contractors bound by strict confidentiality obligations.

  • 4.4. Vendor Compliance: Processor agreements incorporate robust data protection clauses according to the NDPA.

5. Incident Response and Breach Management

Formal Security Incident Response Plan procedures include:

Detection & Containment

Immediate detection, containment, and eradication of security incidents.

Scope Assessment

Comprehensive assessment of the scope, impact, and nature of the breach.

Statutory Notification

Compliance with notification obligations to the NDPC and affected Data Subjects.

Post-Incident Review

Documentation and implementation of corrective actions to prevent recurrence.

6. Third-Party Processors and Vendor Management

Engagements governed by written contracts stipulating obligations to:

  • Process Personal Information only on documented instructions.
  • Implement appropriate technical and organisational security measures.
  • Provide necessary cooperation in fulfilling Data Subject rights and breach notifications.

7. Data Subject Rights (DSR) Procedure

Taskerly provides designated channels for requests concerning access, correction, deletion, restriction, objection, data portability, and withdrawal of consent. All requests are subject to verification and handled within NDPA prescribed timelines.

8. Data Retention and Secure Disposal

8.1

Maintenance of a documented Data Retention Schedule aligned with legal requirements.

8.2

Secure and permanent deletion or anonymisation using industry-standard methods when data is no longer necessary.

8.3

Legal holds may override standard retention in the context of litigation or investigations.

9. Governance, Training, and Continuous Improvement

Our commitment to accountability includes:

Training

Regular, mandatory training for all employees.

Review

Annual policy review and updates.

Oversight

Executive management oversight & improvement.

10. Changes to this Policy

Taskerly reserves the right to amend this Data Protection Policy at any time by posting a revised version on the Platform. The updated version will be indicated by a revised “Effective Date”. Your continued use of the Platform following the posting of changes constitutes your acceptance of such changes.

11. Contact Information

For all enquiries or communications related to this Policy or data protection matters, please contact our Data Protection Officer.