Data Protection Policy
YPP Mandate — Forensic Electoral Technology | Technical & Organisational Measures
This Data Protection Policy (“DPP”) sets out the technical and organisational measures implemented by the Young Progressives Party (“YPP”) and VoteTrack Ltd to protect personal data processed through the YPP Mandate e-voting platform (vote.ypp.ng).
This DPP is a technical companion to the Privacy Policy, which addresses what data is collected and your rights. This DPP addresses how that data is protected — at the architectural, database, application, organisational, and procedural levels.
All Platform personnel, contractors, and data processors are required to comply with this policy. Non-compliance may result in disciplinary action, contract termination, and referral to the Nigeria Data Protection Commission (NDPC) and/or law enforcement.
Contents
- 1.Purpose & Scope
- 2.Data Protection Principles
- 3.Data Classification Framework
- 4.Roles & Responsibilities
- 5.Technical Safeguards
- 6.Architectural Privacy Guarantees
- 7.Organisational Controls
- 8.Access Control & Authentication
- 9.Incident Response & Breach Notification
- 10.Data Protection Impact Assessment
- 11.Third-Party Processor Management
- 12.VoterRegister Locking Protocol
- 13.Audit Trail & Forensic Readiness
- 14.Training & Awareness
- 15.Policy Review
- 16.Enforcement & Consequences
Purpose & Scope
1.1 Purpose
This policy establishes a formal framework for the protection of personal data processed by the YPP Mandate platform, ensuring compliance with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), and the Electoral Act 2022, and protecting the fundamental rights and freedoms of all data subjects.
1.2 Scope
This policy applies to:
- All personal data processed by the Platform in any format (digital or physical);
- All personnel who access Platform data, including YPP Electoral Committee members, VoteTrack Ltd engineers, panel members, and administrators;
- All third-party data processors engaged in connection with the Platform;
- All data processing activities — collection, storage, use, disclosure, retention, and deletion — related to the 2026 YPP Party Primaries.
1.3 Legal Foundation
This policy is grounded in the following legal instruments:
- Nigeria Data Protection Act 2023 (NDPA) — primary data protection legislation
- Nigeria Data Protection Regulation 2019 (NDPR) — subsidiary regulation
- Electoral Act 2022 — electoral data obligations
- Cybercrime (Prohibition, Prevention, Etc.) Act 2015 — cyber security obligations
- Evidence Act 2011 — admissibility of electronic evidence
- YPP Constitution, Section 51(b) — result submission mandate
Data Protection Principles
All personal data processing on this Platform adheres to the seven data protection principles established under the NDPA 2023 and NDPR 2019:
1. Lawfulness, Fairness & Transparency
All processing has a clearly identified legal basis (see Privacy Policy §5). This policy and the Privacy Policy provide full transparency. No data is collected covertly.
2. Purpose Limitation
Data is collected exclusively for electoral administration and INEC compliance. It is not re-used for commercial, research, or any non-electoral purpose.
3. Data Minimisation
Only data strictly necessary for voter eligibility verification, ballot administration, and INEC reporting is collected. The Vote table contains no voter identity fields by design.
4. Accuracy
Voter data is sourced directly from the YPP Member Registry. Aspirants can correct their application data before screening closure. Errors can be reported to the DPO.
5. Storage Limitation
Data is retained only for the periods specified in the Retention Schedule (Privacy Policy §8), which are driven by INEC statutory requirements. Automated purge procedures are scheduled at retention expiry.
6. Integrity & Confidentiality (Security)
Comprehensive technical and organisational security measures are detailed in Sections 5–8 of this policy. Ballot secrecy is architecturally enforced.
7. Accountability
YPP (as Data Controller) and VoteTrack Ltd (as Data Processor) maintain full records of processing activities, impact assessments, and compliance evidence. A DPO is appointed.
Data Classification Framework
All data on the Platform is classified into one of four tiers, determining access controls and handling requirements:
| Tier | Classification | Examples | Access | Handling |
|---|---|---|---|---|
| T1 | RESTRICTED — Electoral Secret | Ballot choices, vote-to-voter linkage (IMPOSSIBLE by design) | No one — architecturally inaccessible | Cannot be accessed, disclosed, or reproduced under any circumstance |
| T2 | CONFIDENTIAL | VoterRegister (individual entries), member phone numbers, UVP hashes, aspirant application details, screening outcomes | Authorised YPP Electoral Committee + DPO only | Encrypted at rest & in transit; role-based access; audit logged; INEC-only disclosure |
| T3 | INTERNAL | Accreditation timestamps, accreditation counts, panel member identities, admin logs | Platform administrators + Electoral Committee | Encrypted in transit; access logged; not disclosed externally except to INEC or courts |
| T4 | PUBLIC | Candidate names and offices, election results (aggregate), receipt verification responses (no vote choice revealed), this legal documentation | All users | Published on Platform; no handling restrictions |
Vote table has no member_id column. There is no way to reconstruct how any individual voted — not through administrative access, database queries, log analysis, or any other means.Roles & Responsibilities
YPP National Working Committee
Data Controller. Bears ultimate legal responsibility for compliance with the NDPA 2023. Appoints the Electoral Committee and approves this policy.
YPP Electoral Committee
Operational Data Controller. Authorises data processing activities, approves VotingSession creation, approves VoterRegister snapshot locking, and reviews INEC submissions.
Data Protection Officer (DPO) — VoteTrack Ltd
Independent compliance oversight. Advises on NDPA obligations, conducts DPIAs, monitors compliance, liaises with NDPC, and handles data subject rights requests. Contact: dpo@votetrack.ng.
VoteTrack Ltd Engineering Team
Data Processor. Designs, builds, and maintains the Platform in accordance with this policy and the Data Processing Agreement. Has read-only access to anonymised audit logs only; no access to T1 or T2 data in production.
Platform Administrators (YPP ICT Team)
Operate the admin dashboard. T3 data access for electoral administration. Cannot access T1 (architecturally blocked). T2 access is limited to the VoterRegister management functions and is fully audit-logged.
All Personnel
Responsible for complying with this policy, protecting data within their custody, reporting suspected breaches immediately to the DPO, and completing mandatory data protection training.
Technical Safeguards
The following technical controls are implemented and active on the Platform:
TLS 1.3 Encryption in Transit
All HTTP traffic is encrypted with TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced with a 1-year max-age and includeSubDomains. Certificate transparency is monitored.
AES-256 Encryption at Rest
All database storage (Supabase / PostgreSQL) is encrypted at rest using AES-256. Encryption is managed at the infrastructure level by Supabase, which is SOC 2 Type II compliant.
bcrypt Password / PIN Hashing
Aspirant passwords and Unique Voter PINs (UVPs) are hashed using bcrypt with a cost factor of 12 (minimum). Plain-text credentials are never written to persistent storage. Hashes are salted per OWASP recommendations.
Row Level Security (RLS)
PostgreSQL Row Level Security policies are enabled on all voting tables (VotingSession, Vote, VoterRegister, AspirantScreening, ElectoralAppeal, ConsensusConsent, etc.). Each user role sees only the rows it is authorised to access.
SECURITY DEFINER Stored Procedures
The cast_vote_secure and verify_vote_receipt functions are PostgreSQL SECURITY DEFINER procedures. They execute with elevated privileges but strictly enforce eligibility, double-vote prevention, and session window checks. No direct INSERT into the Vote table is possible for any role.
Vote Table Schema — No member_id
The Vote table contains no column that references a voter's identity. The ballot-to-voter link is severed at the schema level. This cannot be reversed without a destructive schema migration, which requires DPO and Electoral Committee approval.
VoterRegister Immutability Lock
The snapshot_locked boolean on VoterRegister rows, once set to true, triggers a database-level constraint preventing any subsequent UPDATE or DELETE on that register. The lock cannot be released through application code — only through a DBA operation that generates an audit alert.
Parameterised Queries / ORM
All database interactions use parameterised queries through the Supabase client SDK. Direct string concatenation in SQL is prohibited by code review policy. This prevents SQL injection attacks.
Content Security Policy (CSP)
A strict Content Security Policy is enforced, blocking inline scripts, unauthorised external resources, and cross-origin data exfiltration attempts.
IP Rate Limiting
Rate limiting is applied at the API gateway level to prevent brute-force attacks on the UVP entry endpoint and to mitigate denial-of-service attacks during VotingSession windows.
Dependency Scanning
All npm dependencies are scanned for known vulnerabilities using automated tools prior to each deployment. Critical CVEs block deployment.
Tamper-Evident Audit Logging
All administrative actions, accreditation events, and API calls are logged with timestamps, user IDs, action types, and request fingerprints. Logs are append-only and cannot be modified through application interfaces.
Architectural Privacy Guarantees
Beyond individual security controls, the Platform embeds privacy by design at the architectural level through the following structural guarantees:
6.1 Unlinkable Ballot Architecture
The separation between the VoterRegister (identity + eligibility) and the Vote table (ballot choice) is absolute. There is no foreign key, join table, correlation ID, or any other database structure that connects a ballot to a voter. Even with unrestricted database access, it is computationally infeasible to determine how any individual voted.
6.2 Principle of Least Privilege by Default
The Platform is built on Supabase's Row Level Security framework, where the default posture is “deny all.” Access is granted explicitly by policy, not assumed. New database tables are denied all access until explicit RLS policies are added and reviewed.
6.3 Separation of Duties
No single person can both administer a VotingSession and view detailed voter data. The Electoral Committee creates sessions; administrators manage the register; the system records votes autonomously. Accreditation data and ballot data are written by different application functions with no shared transaction scope.
6.4 Cryptographic Receipt Architecture
The Vote Receipt Token is a cryptographic hash of the session ID, a server-side secret, and a random nonce. It can be verified (existence confirmed) but cannot be reversed to reveal ballot contents or voter identity. The verify_vote_receipt function returns only a boolean and session title — no voter or candidate data.
6.5 Immutable Electoral Record
Once a VoterRegister snapshot is locked and an INEC submission is recorded, neither can be altered through any application pathway. Any attempt to alter these records at the database level generates an automated alert to the DPO and the Electoral Committee within 5 minutes.
Organisational Controls
7.1 Data Processing Agreement (DPA)
A comprehensive Data Processing Agreement is in place between YPP (Data Controller) and VoteTrack Ltd (Data Processor), compliant with Schedule 2 of the NDPA 2023. The DPA specifies the subject matter, duration, nature and purpose of processing, type of personal data, and obligations of the processor.
7.2 Processor Due Diligence
All third-party data processors (Supabase, SMS gateway) are subject to:
- Pre-engagement due diligence (security certifications, NDPA compliance evidence);
- NDPA-compliant Data Processing Agreement prior to any data access;
- Annual compliance review for multi-year engagements.
7.3 Clean Desk & Device Policy
Personnel with access to T2 or T3 data must not store, print, or transmit that data on personal devices or to personal accounts. All work is conducted on managed devices with full disk encryption. Screens must be locked when unattended.
7.4 Secure Disposal
At the end of the retention period, digital data is deleted using cryptographic erasure (overwriting encryption keys). Printed electoral materials containing personal data are shredded using cross-cut shredders rated to DIN 66399 Security Level P-4 or higher.
7.5 Records of Processing Activities (ROPA)
VoteTrack Ltd maintains a comprehensive Register of Processing Activities for this Platform in accordance with Section 27 of the NDPA 2023, covering all processing operations, their purposes, legal bases, data categories, recipients, and retention schedules.
Access Control & Authentication
8.1 Role-Based Access Control (RBAC)
Access to Platform data and functions is controlled by the following roles:
| Role | VoterRegister | Accreditation Data | Vote Table | Admin Functions | Audit Logs |
|---|---|---|---|---|---|
| anon (voter) | Own entry only | Own record only | via cast_vote_secure only | None | None |
| aspirant | None | None | None | None | None |
| panel_member | Read (filtered) | Read (session) | None | Screening only | Own actions |
| admin | Read + lock | Read (session) | Count only (via function) | Session mgmt | Read |
| service_role (API only) | Read/Write (controlled) | Write (controlled) | via cast_vote_secure | Full | Write |
| DBA (emergency only) | Read (audit context) | Read (audit context) | Read (audit context) | None via app | Full — all access audited |
8.2 Privileged Access Management
Service role keys (which bypass RLS) are stored only as environment variables in the server-side Next.js environment and Supabase Edge Function runtime. They are never exposed to the browser, never committed to version control, and are rotated at least annually or immediately upon suspected compromise.
8.3 Multi-Factor Authentication
All administrative dashboard access requires multi-factor authentication. Panel members and Electoral Committee members accessing the platform are required to use TOTP-based 2FA. Voter access is authenticated solely via UVP (by design — MFA would compromise anonymity).
8.4 Session Management
Voter sessions are time-limited to the accreditation window of the VotingSession. Admin sessions expire after 60 minutes of inactivity. All sessions use httpOnly, secure, SameSite=Strict cookies to prevent CSRF and session hijacking.
Incident Response & Breach Notification
9.1 Incident Classification
| Severity | Definition | Response Time | Notification |
|---|---|---|---|
| P1 — Critical | Active breach of T2/T3 data; system compromise during active VotingSession; suspected vote manipulation attempt | Immediate (< 1 hour) | DPO + Electoral Committee + INEC + NDPC within 72 hours |
| P2 — High | Confirmed unauthorised access attempt; mass UVP exposure risk; DDoS during election window | < 4 hours | DPO + Electoral Committee within 24 hours; NDPC if personal data affected |
| P3 — Medium | Isolated anomaly in audit logs; single failed unauthorised access attempt; third-party processor incident | < 24 hours | DPO within 24 hours; Electoral Committee informed |
| P4 — Low | Bug report with potential data exposure risk (not exploited); minor policy violation | < 72 hours | DPO informed; tracked in incident register |
9.2 Breach Notification — NDPA 2023 Obligations
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, VoteTrack Ltd will notify:
- NDPC (Nigeria Data Protection Commission): within 72 hours of becoming aware of the breach, in accordance with Section 40 of the NDPA 2023. If notification cannot be made within 72 hours, the reasons for delay will be included.
- YPP (Data Controller): immediately upon discovery, so that YPP can fulfil its obligations as Data Controller.
- Affected data subjects: where the breach is likely to result in a high risk to their rights and freedoms, notification will be made without undue delay and in plain language.
- INEC: where the breach affects electoral data or integrity of the electoral process, INEC will be notified concurrently with NDPC.
9.3 Reporting Channel
Any person (staff, voter, aspirant, or member of the public) who becomes aware of or suspects a data breach or security incident must report it immediately to:
security@votetrack.ng — subject line: SECURITY INCIDENT — YPP Mandate
Data Protection Impact Assessment (DPIA)
10.1 DPIA Requirement
In accordance with Section 35 of the NDPA 2023, a full Data Protection Impact Assessment has been conducted for the YPP Mandate platform, given that it:
- Processes personal data at large scale (all registered YPP members);
- Relates to a particularly sensitive context (democratic elections);
- Uses novel technology (forensic e-voting, UVP cryptography, SECURITY DEFINER procedures);
- Involves systematic processing of eligibility data that affects individuals' political rights.
10.2 DPIA Findings
The DPIA concluded that the Platform's architectural approach — particularly the schema-level ballot secrecy and UVP hashing — provides privacy protection that exceeds the minimum requirements of the NDPA 2023. Key residual risks identified and mitigated:
| Residual Risk | Mitigation | Residual Risk Level |
|---|---|---|
| UVP interception during SMS delivery | bcrypt hash stored; plain text purged; SMS provider DPA in place; voter notified if delivery fails | Low |
| Cross-border data transfer risk | Standard Contractual Clauses; Supabase SOC 2 Type II; DPA in place | Low |
| Insider threat (admin access) | RBAC; audit logging; no direct Vote table access; separation of duties | Low |
| DDoS during voting window | Rate limiting; CDN protection; multi-region availability | Medium — accepted, mitigated |
| Voter coercion via Receipt Token | Receipt confirms participation only; vote choice not revealed by any function | Low |
10.3 DPIA Review
The DPIA is reviewed before each election cycle, after any significant change to the Platform architecture, and after any P1 or P2 security incident. The DPO is responsible for maintaining the DPIA register.
Third-Party Processor Management
11.1 Approved Processors
Only the following processors are authorised to process YPP Mandate personal data:
- Supabase, Inc. (database infrastructure) — DPA executed; ISO 27001 & SOC 2 Type II; Standard Contractual Clauses for cross-border transfers.
- SMS Gateway Provider (TBC) — DPA executed before first use; NDPA-compliant; phone numbers processed for UVP delivery only, not retained.
11.2 Prohibited Sub-Processors
No authorised processor may engage sub-processors for YPP Mandate data without prior written approval from the YPP DPO. Any unauthorised sub-processing constitutes a material breach of the Data Processing Agreement.
11.3 Processor Audit Rights
YPP and VoteTrack Ltd reserve the right to audit any approved processor's compliance with the NDPA and this policy, either directly or through an independent auditor, with 30 days' notice (or immediately in the event of a suspected breach).
VoterRegister Locking Protocol
12.1 Pre-Lock Requirements
Before the VoterRegister for any VotingSession may be locked, the following must be satisfied:
- The Electoral Committee Chair or delegated officer has formally approved the register in writing;
- A human review of the register has been completed for obvious errors (duplicates, non-members, incorrect ward assignments);
- The register count has been reconciled against the YPP Member Registry;
- The DPO has been notified of the planned lock date and time;
- An INEC submission date has been confirmed.
12.2 Lock Operation
The lock is executed by calling the POST /api/admin/register-snapshot endpoint with the session ID, authenticated with the service role key. This triggers the register-snapshot Edge Function, which seeds the VoterRegister and sets snapshot_locked = true. The operation is atomic — it either completes fully or rolls back entirely.
12.3 Post-Lock Restrictions
Once locked, no row in the VoterRegister for that session may be added, modified, or deleted through any application interface or direct database statement (the constraint is enforced by a database trigger). Any attempt generates an alert to the DPO.
12.4 Emergency Corrections
If a material error is discovered after locking (e.g., a court order mandating inclusion of a specific voter), the correction requires: (a) written authorisation from the YPP Electoral Committee and the DPO; (b) a DBA operation with full audit logging; (c) notification to INEC; and (d) generation of a corrected INEC submission. This procedure is available only before the voting window opens.
Audit Trail & Forensic Readiness
13.1 Audit Log Contents
The Platform maintains append-only audit logs containing:
- Timestamp (UTC, millisecond precision);
- Actor (user ID / role / system function);
- Action type (CREATE / READ / UPDATE / LOCK / CAST / ACCREDIT / EXPORT / LOGIN / etc.);
- Affected resource (table + row ID where applicable, excluding T1 data);
- Request fingerprint (hashed IP + user agent);
- Outcome (success / failure / reason).
13.2 Forensic Readiness
All audit logs are stored in a format compliant with the Evidence Act 2011 for admissibility as electronic evidence in Nigerian courts. VoteTrack Ltd maintains a documented chain of custody procedure for producing audit logs in response to court orders or INEC demands.
13.3 Log Integrity
Audit logs are append-only. Write access to the log table is restricted to the service_role (automated Platform functions only). No user, administrator, or engineer can modify or delete audit log entries through any application interface.
13.4 Log Retention
Audit logs are retained for 2 years (general security logs) and 7 years (electoral event logs — accreditation, vote casting, register operations, INEC submissions), in accordance with the INEC archival requirements and the NDPA data minimisation principle.
Training & Awareness
All personnel with access to Platform data must complete the following training before being granted access credentials:
- NDPA 2023 Fundamentals — data protection principles, data subject rights, breach reporting obligations (min. 2 hours);
- Electoral Data Handling — classification framework, prohibited disclosures, INEC obligations, VoterRegister handling (min. 1 hour);
- Platform Security Awareness — phishing, social engineering, clean desk, incident reporting procedures (min. 1 hour);
- Refresher training — required annually and after any significant policy change or security incident.
Training completion is recorded and maintained by the DPO.
Policy Review
This Data Protection Policy is reviewed:
- Annually — as a standing schedule;
- Before each election cycle — to incorporate any changes in INEC guidelines or YPP procedures;
- After any P1 or P2 security incident — to address newly identified risks;
- After any material change in applicable law — including NDPA regulations, INEC guidelines, or Electoral Act amendments.
The DPO is responsible for initiating and completing the review. All revisions are approved by the YPP National Working Committee before taking effect.
Enforcement & Consequences
16.1 Internal Consequences
Breach of this policy by YPP personnel or contractors may result in:
- Immediate revocation of Platform access credentials;
- YPP disciplinary proceedings (including suspension or expulsion);
- Termination of contract (for contractors and third-party processors);
- Civil liability for damages caused by the breach.
16.2 Regulatory Consequences
Non-compliance with the NDPA 2023 may result in regulatory enforcement by the NDPC, including fines of up to ₦10 million or 2% of annual gross revenue (whichever is greater) for a Data Controller, and administrative sanctions against the Data Processor.
16.3 Criminal Consequences
Where a breach constitutes a criminal offence under the Cybercrime Act 2015, the NDPA 2023, or the Electoral Act 2022, the matter will be referred to the Nigerian Police Force Cybercrime Unit and/or INEC for prosecution.
Policy Authentication
This Data Protection Policy has been approved by the YPP National Working Committee and the VoteTrack Ltd Data Protection Officer. It is effective from 1 May 2026 and supersedes all previous data protection documentation issued in connection with YPP electoral activities.
Forensic Electoral Technology © VoteTrack Ltd | Ref: YPP/ICT/EVOT/001/2026 | vote.ypp.ng
Reviewed by: Counsel admitted to the Nigerian Bar Association | NDPA-accredited DPO