Legal Document

Data Protection Policy

YPP Mandate — Forensic Electoral Technology | Technical & Organisational Measures

Version: 1.0Effective Date: 1 May 2026Classification: PublicOwner: VoteTrack Ltd DPO / YPP Electoral Committee

This Data Protection Policy (“DPP”) sets out the technical and organisational measures implemented by the Young Progressives Party (“YPP”) and VoteTrack Ltd to protect personal data processed through the YPP Mandate e-voting platform (vote.ypp.ng).

This DPP is a technical companion to the Privacy Policy, which addresses what data is collected and your rights. This DPP addresses how that data is protected — at the architectural, database, application, organisational, and procedural levels.

All Platform personnel, contractors, and data processors are required to comply with this policy. Non-compliance may result in disciplinary action, contract termination, and referral to the Nigeria Data Protection Commission (NDPC) and/or law enforcement.

1

Purpose & Scope

1.1 Purpose

This policy establishes a formal framework for the protection of personal data processed by the YPP Mandate platform, ensuring compliance with the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation 2019 (NDPR), and the Electoral Act 2022, and protecting the fundamental rights and freedoms of all data subjects.

1.2 Scope

This policy applies to:

  • All personal data processed by the Platform in any format (digital or physical);
  • All personnel who access Platform data, including YPP Electoral Committee members, VoteTrack Ltd engineers, panel members, and administrators;
  • All third-party data processors engaged in connection with the Platform;
  • All data processing activities — collection, storage, use, disclosure, retention, and deletion — related to the 2026 YPP Party Primaries.

1.3 Legal Foundation

This policy is grounded in the following legal instruments:

  • Nigeria Data Protection Act 2023 (NDPA) — primary data protection legislation
  • Nigeria Data Protection Regulation 2019 (NDPR) — subsidiary regulation
  • Electoral Act 2022 — electoral data obligations
  • Cybercrime (Prohibition, Prevention, Etc.) Act 2015 — cyber security obligations
  • Evidence Act 2011 — admissibility of electronic evidence
  • YPP Constitution, Section 51(b) — result submission mandate
2

Data Protection Principles

All personal data processing on this Platform adheres to the seven data protection principles established under the NDPA 2023 and NDPR 2019:

1. Lawfulness, Fairness & Transparency

All processing has a clearly identified legal basis (see Privacy Policy §5). This policy and the Privacy Policy provide full transparency. No data is collected covertly.

2. Purpose Limitation

Data is collected exclusively for electoral administration and INEC compliance. It is not re-used for commercial, research, or any non-electoral purpose.

3. Data Minimisation

Only data strictly necessary for voter eligibility verification, ballot administration, and INEC reporting is collected. The Vote table contains no voter identity fields by design.

4. Accuracy

Voter data is sourced directly from the YPP Member Registry. Aspirants can correct their application data before screening closure. Errors can be reported to the DPO.

5. Storage Limitation

Data is retained only for the periods specified in the Retention Schedule (Privacy Policy §8), which are driven by INEC statutory requirements. Automated purge procedures are scheduled at retention expiry.

6. Integrity & Confidentiality (Security)

Comprehensive technical and organisational security measures are detailed in Sections 5–8 of this policy. Ballot secrecy is architecturally enforced.

7. Accountability

YPP (as Data Controller) and VoteTrack Ltd (as Data Processor) maintain full records of processing activities, impact assessments, and compliance evidence. A DPO is appointed.

3

Data Classification Framework

All data on the Platform is classified into one of four tiers, determining access controls and handling requirements:

TierClassificationExamplesAccessHandling
T1RESTRICTED — Electoral SecretBallot choices, vote-to-voter linkage (IMPOSSIBLE by design)No one — architecturally inaccessibleCannot be accessed, disclosed, or reproduced under any circumstance
T2CONFIDENTIALVoterRegister (individual entries), member phone numbers, UVP hashes, aspirant application details, screening outcomesAuthorised YPP Electoral Committee + DPO onlyEncrypted at rest & in transit; role-based access; audit logged; INEC-only disclosure
T3INTERNALAccreditation timestamps, accreditation counts, panel member identities, admin logsPlatform administrators + Electoral CommitteeEncrypted in transit; access logged; not disclosed externally except to INEC or courts
T4PUBLICCandidate names and offices, election results (aggregate), receipt verification responses (no vote choice revealed), this legal documentationAll usersPublished on Platform; no handling restrictions
T1 — Electoral Secret:The Platform's architecture makes Tier 1 data technically non-existent as a linked entity. The Vote table has no member_id column. There is no way to reconstruct how any individual voted — not through administrative access, database queries, log analysis, or any other means.
4

Roles & Responsibilities

YPP National Working Committee

Data Controller. Bears ultimate legal responsibility for compliance with the NDPA 2023. Appoints the Electoral Committee and approves this policy.

YPP Electoral Committee

Operational Data Controller. Authorises data processing activities, approves VotingSession creation, approves VoterRegister snapshot locking, and reviews INEC submissions.

Data Protection Officer (DPO) — VoteTrack Ltd

Independent compliance oversight. Advises on NDPA obligations, conducts DPIAs, monitors compliance, liaises with NDPC, and handles data subject rights requests. Contact: dpo@votetrack.ng.

VoteTrack Ltd Engineering Team

Data Processor. Designs, builds, and maintains the Platform in accordance with this policy and the Data Processing Agreement. Has read-only access to anonymised audit logs only; no access to T1 or T2 data in production.

Platform Administrators (YPP ICT Team)

Operate the admin dashboard. T3 data access for electoral administration. Cannot access T1 (architecturally blocked). T2 access is limited to the VoterRegister management functions and is fully audit-logged.

All Personnel

Responsible for complying with this policy, protecting data within their custody, reporting suspected breaches immediately to the DPO, and completing mandatory data protection training.

5

Technical Safeguards

The following technical controls are implemented and active on the Platform:

TLS 1.3 Encryption in Transit

TransportActive

All HTTP traffic is encrypted with TLS 1.3. HTTP Strict Transport Security (HSTS) is enforced with a 1-year max-age and includeSubDomains. Certificate transparency is monitored.

AES-256 Encryption at Rest

StorageActive

All database storage (Supabase / PostgreSQL) is encrypted at rest using AES-256. Encryption is managed at the infrastructure level by Supabase, which is SOC 2 Type II compliant.

bcrypt Password / PIN Hashing

CryptographyActive

Aspirant passwords and Unique Voter PINs (UVPs) are hashed using bcrypt with a cost factor of 12 (minimum). Plain-text credentials are never written to persistent storage. Hashes are salted per OWASP recommendations.

Row Level Security (RLS)

DatabaseActive

PostgreSQL Row Level Security policies are enabled on all voting tables (VotingSession, Vote, VoterRegister, AspirantScreening, ElectoralAppeal, ConsensusConsent, etc.). Each user role sees only the rows it is authorised to access.

SECURITY DEFINER Stored Procedures

DatabaseBy Design

The cast_vote_secure and verify_vote_receipt functions are PostgreSQL SECURITY DEFINER procedures. They execute with elevated privileges but strictly enforce eligibility, double-vote prevention, and session window checks. No direct INSERT into the Vote table is possible for any role.

Vote Table Schema — No member_id

ArchitectureBy Design

The Vote table contains no column that references a voter's identity. The ballot-to-voter link is severed at the schema level. This cannot be reversed without a destructive schema migration, which requires DPO and Electoral Committee approval.

VoterRegister Immutability Lock

DatabaseActive

The snapshot_locked boolean on VoterRegister rows, once set to true, triggers a database-level constraint preventing any subsequent UPDATE or DELETE on that register. The lock cannot be released through application code — only through a DBA operation that generates an audit alert.

Parameterised Queries / ORM

ApplicationActive

All database interactions use parameterised queries through the Supabase client SDK. Direct string concatenation in SQL is prohibited by code review policy. This prevents SQL injection attacks.

Content Security Policy (CSP)

ApplicationActive

A strict Content Security Policy is enforced, blocking inline scripts, unauthorised external resources, and cross-origin data exfiltration attempts.

IP Rate Limiting

InfrastructureActive

Rate limiting is applied at the API gateway level to prevent brute-force attacks on the UVP entry endpoint and to mitigate denial-of-service attacks during VotingSession windows.

Dependency Scanning

Supply ChainActive

All npm dependencies are scanned for known vulnerabilities using automated tools prior to each deployment. Critical CVEs block deployment.

Tamper-Evident Audit Logging

ForensicsActive

All administrative actions, accreditation events, and API calls are logged with timestamps, user IDs, action types, and request fingerprints. Logs are append-only and cannot be modified through application interfaces.

6

Architectural Privacy Guarantees

Beyond individual security controls, the Platform embeds privacy by design at the architectural level through the following structural guarantees:

Privacy by Design: These guarantees are not policies that can be bypassed by misconfiguration or privilege escalation. They are structural properties of the database schema and application architecture.

6.1 Unlinkable Ballot Architecture

The separation between the VoterRegister (identity + eligibility) and the Vote table (ballot choice) is absolute. There is no foreign key, join table, correlation ID, or any other database structure that connects a ballot to a voter. Even with unrestricted database access, it is computationally infeasible to determine how any individual voted.

6.2 Principle of Least Privilege by Default

The Platform is built on Supabase's Row Level Security framework, where the default posture is “deny all.” Access is granted explicitly by policy, not assumed. New database tables are denied all access until explicit RLS policies are added and reviewed.

6.3 Separation of Duties

No single person can both administer a VotingSession and view detailed voter data. The Electoral Committee creates sessions; administrators manage the register; the system records votes autonomously. Accreditation data and ballot data are written by different application functions with no shared transaction scope.

6.4 Cryptographic Receipt Architecture

The Vote Receipt Token is a cryptographic hash of the session ID, a server-side secret, and a random nonce. It can be verified (existence confirmed) but cannot be reversed to reveal ballot contents or voter identity. The verify_vote_receipt function returns only a boolean and session title — no voter or candidate data.

6.5 Immutable Electoral Record

Once a VoterRegister snapshot is locked and an INEC submission is recorded, neither can be altered through any application pathway. Any attempt to alter these records at the database level generates an automated alert to the DPO and the Electoral Committee within 5 minutes.

7

Organisational Controls

7.1 Data Processing Agreement (DPA)

A comprehensive Data Processing Agreement is in place between YPP (Data Controller) and VoteTrack Ltd (Data Processor), compliant with Schedule 2 of the NDPA 2023. The DPA specifies the subject matter, duration, nature and purpose of processing, type of personal data, and obligations of the processor.

7.2 Processor Due Diligence

All third-party data processors (Supabase, SMS gateway) are subject to:

  • Pre-engagement due diligence (security certifications, NDPA compliance evidence);
  • NDPA-compliant Data Processing Agreement prior to any data access;
  • Annual compliance review for multi-year engagements.

7.3 Clean Desk & Device Policy

Personnel with access to T2 or T3 data must not store, print, or transmit that data on personal devices or to personal accounts. All work is conducted on managed devices with full disk encryption. Screens must be locked when unattended.

7.4 Secure Disposal

At the end of the retention period, digital data is deleted using cryptographic erasure (overwriting encryption keys). Printed electoral materials containing personal data are shredded using cross-cut shredders rated to DIN 66399 Security Level P-4 or higher.

7.5 Records of Processing Activities (ROPA)

VoteTrack Ltd maintains a comprehensive Register of Processing Activities for this Platform in accordance with Section 27 of the NDPA 2023, covering all processing operations, their purposes, legal bases, data categories, recipients, and retention schedules.

8

Access Control & Authentication

8.1 Role-Based Access Control (RBAC)

Access to Platform data and functions is controlled by the following roles:

RoleVoterRegisterAccreditation DataVote TableAdmin FunctionsAudit Logs
anon (voter)Own entry onlyOwn record onlyvia cast_vote_secure onlyNoneNone
aspirantNoneNoneNoneNoneNone
panel_memberRead (filtered)Read (session)NoneScreening onlyOwn actions
adminRead + lockRead (session)Count only (via function)Session mgmtRead
service_role (API only)Read/Write (controlled)Write (controlled)via cast_vote_secureFullWrite
DBA (emergency only)Read (audit context)Read (audit context)Read (audit context)None via appFull — all access audited

8.2 Privileged Access Management

Service role keys (which bypass RLS) are stored only as environment variables in the server-side Next.js environment and Supabase Edge Function runtime. They are never exposed to the browser, never committed to version control, and are rotated at least annually or immediately upon suspected compromise.

8.3 Multi-Factor Authentication

All administrative dashboard access requires multi-factor authentication. Panel members and Electoral Committee members accessing the platform are required to use TOTP-based 2FA. Voter access is authenticated solely via UVP (by design — MFA would compromise anonymity).

8.4 Session Management

Voter sessions are time-limited to the accreditation window of the VotingSession. Admin sessions expire after 60 minutes of inactivity. All sessions use httpOnly, secure, SameSite=Strict cookies to prevent CSRF and session hijacking.

9

Incident Response & Breach Notification

9.1 Incident Classification

SeverityDefinitionResponse TimeNotification
P1 — CriticalActive breach of T2/T3 data; system compromise during active VotingSession; suspected vote manipulation attemptImmediate (< 1 hour)DPO + Electoral Committee + INEC + NDPC within 72 hours
P2 — HighConfirmed unauthorised access attempt; mass UVP exposure risk; DDoS during election window< 4 hoursDPO + Electoral Committee within 24 hours; NDPC if personal data affected
P3 — MediumIsolated anomaly in audit logs; single failed unauthorised access attempt; third-party processor incident< 24 hoursDPO within 24 hours; Electoral Committee informed
P4 — LowBug report with potential data exposure risk (not exploited); minor policy violation< 72 hoursDPO informed; tracked in incident register

9.2 Breach Notification — NDPA 2023 Obligations

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, VoteTrack Ltd will notify:

  • NDPC (Nigeria Data Protection Commission): within 72 hours of becoming aware of the breach, in accordance with Section 40 of the NDPA 2023. If notification cannot be made within 72 hours, the reasons for delay will be included.
  • YPP (Data Controller): immediately upon discovery, so that YPP can fulfil its obligations as Data Controller.
  • Affected data subjects: where the breach is likely to result in a high risk to their rights and freedoms, notification will be made without undue delay and in plain language.
  • INEC: where the breach affects electoral data or integrity of the electoral process, INEC will be notified concurrently with NDPC.

9.3 Reporting Channel

Any person (staff, voter, aspirant, or member of the public) who becomes aware of or suspects a data breach or security incident must report it immediately to:

security@votetrack.ng — subject line: SECURITY INCIDENT — YPP Mandate

10

Data Protection Impact Assessment (DPIA)

10.1 DPIA Requirement

In accordance with Section 35 of the NDPA 2023, a full Data Protection Impact Assessment has been conducted for the YPP Mandate platform, given that it:

  • Processes personal data at large scale (all registered YPP members);
  • Relates to a particularly sensitive context (democratic elections);
  • Uses novel technology (forensic e-voting, UVP cryptography, SECURITY DEFINER procedures);
  • Involves systematic processing of eligibility data that affects individuals' political rights.

10.2 DPIA Findings

The DPIA concluded that the Platform's architectural approach — particularly the schema-level ballot secrecy and UVP hashing — provides privacy protection that exceeds the minimum requirements of the NDPA 2023. Key residual risks identified and mitigated:

Residual RiskMitigationResidual Risk Level
UVP interception during SMS deliverybcrypt hash stored; plain text purged; SMS provider DPA in place; voter notified if delivery failsLow
Cross-border data transfer riskStandard Contractual Clauses; Supabase SOC 2 Type II; DPA in placeLow
Insider threat (admin access)RBAC; audit logging; no direct Vote table access; separation of dutiesLow
DDoS during voting windowRate limiting; CDN protection; multi-region availabilityMedium — accepted, mitigated
Voter coercion via Receipt TokenReceipt confirms participation only; vote choice not revealed by any functionLow

10.3 DPIA Review

The DPIA is reviewed before each election cycle, after any significant change to the Platform architecture, and after any P1 or P2 security incident. The DPO is responsible for maintaining the DPIA register.

11

Third-Party Processor Management

11.1 Approved Processors

Only the following processors are authorised to process YPP Mandate personal data:

  • Supabase, Inc. (database infrastructure) — DPA executed; ISO 27001 & SOC 2 Type II; Standard Contractual Clauses for cross-border transfers.
  • SMS Gateway Provider (TBC) — DPA executed before first use; NDPA-compliant; phone numbers processed for UVP delivery only, not retained.

11.2 Prohibited Sub-Processors

No authorised processor may engage sub-processors for YPP Mandate data without prior written approval from the YPP DPO. Any unauthorised sub-processing constitutes a material breach of the Data Processing Agreement.

11.3 Processor Audit Rights

YPP and VoteTrack Ltd reserve the right to audit any approved processor's compliance with the NDPA and this policy, either directly or through an independent auditor, with 30 days' notice (or immediately in the event of a suspected breach).

12

VoterRegister Locking Protocol

The VoterRegister locking procedure is the most critical data integrity operation in the electoral lifecycle. It is irreversible. This section governs the authorisation and execution of this operation.

12.1 Pre-Lock Requirements

Before the VoterRegister for any VotingSession may be locked, the following must be satisfied:

  • The Electoral Committee Chair or delegated officer has formally approved the register in writing;
  • A human review of the register has been completed for obvious errors (duplicates, non-members, incorrect ward assignments);
  • The register count has been reconciled against the YPP Member Registry;
  • The DPO has been notified of the planned lock date and time;
  • An INEC submission date has been confirmed.

12.2 Lock Operation

The lock is executed by calling the POST /api/admin/register-snapshot endpoint with the session ID, authenticated with the service role key. This triggers the register-snapshot Edge Function, which seeds the VoterRegister and sets snapshot_locked = true. The operation is atomic — it either completes fully or rolls back entirely.

12.3 Post-Lock Restrictions

Once locked, no row in the VoterRegister for that session may be added, modified, or deleted through any application interface or direct database statement (the constraint is enforced by a database trigger). Any attempt generates an alert to the DPO.

12.4 Emergency Corrections

If a material error is discovered after locking (e.g., a court order mandating inclusion of a specific voter), the correction requires: (a) written authorisation from the YPP Electoral Committee and the DPO; (b) a DBA operation with full audit logging; (c) notification to INEC; and (d) generation of a corrected INEC submission. This procedure is available only before the voting window opens.

13

Audit Trail & Forensic Readiness

13.1 Audit Log Contents

The Platform maintains append-only audit logs containing:

  • Timestamp (UTC, millisecond precision);
  • Actor (user ID / role / system function);
  • Action type (CREATE / READ / UPDATE / LOCK / CAST / ACCREDIT / EXPORT / LOGIN / etc.);
  • Affected resource (table + row ID where applicable, excluding T1 data);
  • Request fingerprint (hashed IP + user agent);
  • Outcome (success / failure / reason).

13.2 Forensic Readiness

All audit logs are stored in a format compliant with the Evidence Act 2011 for admissibility as electronic evidence in Nigerian courts. VoteTrack Ltd maintains a documented chain of custody procedure for producing audit logs in response to court orders or INEC demands.

13.3 Log Integrity

Audit logs are append-only. Write access to the log table is restricted to the service_role (automated Platform functions only). No user, administrator, or engineer can modify or delete audit log entries through any application interface.

13.4 Log Retention

Audit logs are retained for 2 years (general security logs) and 7 years (electoral event logs — accreditation, vote casting, register operations, INEC submissions), in accordance with the INEC archival requirements and the NDPA data minimisation principle.

14

Training & Awareness

All personnel with access to Platform data must complete the following training before being granted access credentials:

  • NDPA 2023 Fundamentals — data protection principles, data subject rights, breach reporting obligations (min. 2 hours);
  • Electoral Data Handling — classification framework, prohibited disclosures, INEC obligations, VoterRegister handling (min. 1 hour);
  • Platform Security Awareness — phishing, social engineering, clean desk, incident reporting procedures (min. 1 hour);
  • Refresher training — required annually and after any significant policy change or security incident.

Training completion is recorded and maintained by the DPO.

15

Policy Review

This Data Protection Policy is reviewed:

  • Annually — as a standing schedule;
  • Before each election cycle — to incorporate any changes in INEC guidelines or YPP procedures;
  • After any P1 or P2 security incident — to address newly identified risks;
  • After any material change in applicable law — including NDPA regulations, INEC guidelines, or Electoral Act amendments.

The DPO is responsible for initiating and completing the review. All revisions are approved by the YPP National Working Committee before taking effect.

16

Enforcement & Consequences

16.1 Internal Consequences

Breach of this policy by YPP personnel or contractors may result in:

  • Immediate revocation of Platform access credentials;
  • YPP disciplinary proceedings (including suspension or expulsion);
  • Termination of contract (for contractors and third-party processors);
  • Civil liability for damages caused by the breach.

16.2 Regulatory Consequences

Non-compliance with the NDPA 2023 may result in regulatory enforcement by the NDPC, including fines of up to ₦10 million or 2% of annual gross revenue (whichever is greater) for a Data Controller, and administrative sanctions against the Data Processor.

16.3 Criminal Consequences

Where a breach constitutes a criminal offence under the Cybercrime Act 2015, the NDPA 2023, or the Electoral Act 2022, the matter will be referred to the Nigerian Police Force Cybercrime Unit and/or INEC for prosecution.

Policy Authentication

This Data Protection Policy has been approved by the YPP National Working Committee and the VoteTrack Ltd Data Protection Officer. It is effective from 1 May 2026 and supersedes all previous data protection documentation issued in connection with YPP electoral activities.

Forensic Electoral Technology © VoteTrack Ltd | Ref: YPP/ICT/EVOT/001/2026 | vote.ypp.ng

Reviewed by: Counsel admitted to the Nigerian Bar Association | NDPA-accredited DPO