How Nigerian Fintechs Can Use Cloud AI Without Breaking NDPA or GDPR

M.K. Onyekwere · 7 min read

Every Nigerian fintech using AI is sending customer data outside Nigeria. Every OpenAI API call goes to the US. Every Anthropic call goes to the US. AWS, Google Cloud, Azure — your data is on servers in Ireland, Virginia, Frankfurt, or Singapore.

Under the NDPA, that's a cross-border data transfer requiring safeguards. If any of your users are in the EU, GDPR adds another layer.

Most Nigerian fintechs are doing this without any documentation. Here's how to fix it.

The data flow problem

A typical Nigerian fintech AI pipeline:

Customer (Nigeria) → Your App → AI API (US) → Response → Customer
                         ↓
                   Database (AWS Ireland)
                         ↓
                   Analytics (Google US)

In this pipeline, personal data crosses borders three times:

  1. Nigeria → US (AI API call)
  2. Nigeria → Ireland (database storage)
  3. Nigeria → US (analytics)

Each transfer needs documentation under NDPA. If the customer is in the EU, each transfer also needs GDPR-compliant safeguards.

Add a diaspora customer in London:

Customer (UK/EU) → Your App (Nigeria) → AI API (US)

Now the data goes EU → Nigeria → US. Two GDPR transfers plus the NDPA requirements.

Step 1: Map every data flow

Before you can comply, you need to know where data goes. For every AI feature in your fintech:

AI API providers:

  • Which provider? (OpenAI, Anthropic, Google, Cohere, etc.)
  • Where are their servers? (Usually US, sometimes EU)
  • What data do you send? (Customer queries, transaction data, documents?)
  • Do they retain your data? (Check their data processing terms)
  • Do they use your data for training? (Most API tiers don't, but verify)

Cloud infrastructure:

  • Where is your database hosted? (AWS region, Google Cloud region)
  • Where are your application servers?
  • Where are backups stored?

Third-party services:

  • Analytics (Google Analytics, Mixpanel — where does the data go?)
  • Payment processing (Paystack, Flutterwave — data routing)
  • Customer communication (SendGrid, WhatsApp API — server locations)

Document every hop. You'll need this for your DPIA, your CAR filing, and if a regulator asks.

Step 2: Sign DPAs with every provider

A Data Processing Agreement establishes the legal framework for how a third party handles your customer data. Under both NDPA and GDPR, you need one with every processor.

OpenAI: Offers a DPA at openai.com/policies/data-processing-addendum. Includes EU Standard Contractual Clauses. Sign it.

Anthropic: Offers a DPA covering data processing terms. Includes SCCs for EU transfers. Sign it.

AWS: Data Processing Addendum is part of the AWS Customer Agreement. Includes SCCs. If you haven't reviewed it, do so.

Google Cloud: Data Processing Addendum available in the Cloud Console. Includes SCCs.

What to check in each DPA:

  • Does it cover cross-border transfers explicitly?
  • Does it include Standard Contractual Clauses (for GDPR)?
  • What sub-processors does the provider use? Where are they?
  • What happens to your data when the agreement ends?
  • Does the provider commit to zero retention / no training on your data?
  • What are the breach notification obligations?

Most major providers have DPAs ready to sign. The common failure is simply not signing them — the DPA exists but nobody at the fintech has executed it.

Step 3: Minimise what you send

The most effective compliance measure: don't send personal data if you don't need to.

Before the AI API call:

  • Strip customer names if the query doesn't need them
  • Remove phone numbers and email addresses
  • Replace account numbers with tokens or pseudonyms
  • Only send the minimum data needed for the AI to produce a useful response

Example — customer support chatbot:

Bad:

"Customer Ade Okonkwo (ade@fintech.ng, BVN 12345678901) wants to know why his transfer of ₦500,000 to account 1234567890 hasn't arrived."

Better:

"Customer wants to know why their transfer hasn't arrived. Transfer reference: TX-78901."

The AI can still answer the question. But names, email, BVN, and account numbers never leave your infrastructure.

Tools like agent-shield can automate PII detection and redaction before API calls.
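A minimal version of that redaction step, added here as an example (it is not agent-shield's code or the author's): a token vault swaps names, emails, BVNs, phone and account numbers for placeholders before the API call and re-personalises the model's reply locally. The regexes and the sample prompt are constructed for illustration and are not exhaustive.

```python
import re

# Regexes for the identifiers in the "Bad" prompt above. A BVN is 11 digits and a
# NUBAN account number is 10 digits; the phone pattern covers common Nigerian
# formats (0803..., +234803...). Phone runs before BVN so an 11-digit phone
# number is not mislabelled. Patterns are illustrative, not exhaustive.
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?234|0)[789][01]\d{8}(?!\d)")),
    ("BVN", re.compile(r"(?<!\d)\d{11}(?!\d)")),
    ("ACCOUNT", re.compile(r"(?<!\d)\d{10}(?!\d)")),
]

class Redactor:
    """Swaps PII for stable placeholder tokens before text goes to the AI API
    and restores them in the reply. The token vault stays on your own servers."""

    def __init__(self, known_names=()):
        # Names come from your customer record for this session, not from
        # guessing at capitalised words in free text.
        self.known_names = list(known_names)
        self.vault = {}    # token -> original value
        self.reverse = {}  # original value -> token

    def _token(self, kind, value):
        if value not in self.reverse:
            tok = f"<{kind}_{len(self.vault) + 1}>"
            self.vault[tok] = value
            self.reverse[value] = tok
        return self.reverse[value]

    def redact(self, text):
        for name in self.known_names:
            text = text.replace(name, self._token("NAME", name))
        for kind, pat in PATTERNS:
            text = pat.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        return text

    def restore(self, text):
        # Re-personalise the model's reply locally; the API never saw the values.
        for tok, value in self.vault.items():
            text = text.replace(tok, value)
        return text

# Constructed sample with the same content as the "Bad" prompt above.
SAMPLE = ("Customer Ade Okonkwo (ade@fintech.ng, BVN 12345678901) wants to know "
          "why his transfer of ₦500,000 to account 1234567890 hasn't arrived.")

if __name__ == "__main__":
    print(Redactor(known_names=["Ade Okonkwo"]).redact(SAMPLE))
```

The vault is per conversation, so the same BVN always maps to the same token within a session and the mapping can be discarded when the session ends.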

Step 4: Use zero-retention API tiers

Both OpenAI and Anthropic offer API tiers where your data is not retained after processing and is not used for model training.

Verify for each provider:

  • API usage ≠ consumer usage. The ChatGPT consumer app has different terms from the API.
  • Zero-retention must be explicitly confirmed in your tier's terms or DPA.
  • Some providers retain data for abuse monitoring for a short period (30 days typical). This is a processing activity — document it.

For financial data, zero-retention is essential. You don't want customer transaction details sitting on a third-party server longer than the milliseconds it takes to process the query.

Step 5: Document the transfer mechanisms

For NDPA, you need documented safeguards for each cross-border transfer. For GDPR, you need an approved transfer mechanism.

What to document for each transfer:

Field                 Example
Data type             Customer support queries (names, account references)
Source                Your app (Nigeria)
Destination           Anthropic API (US)
Provider              Anthropic PBC
DPA signed            Yes — dated [date]
Transfer mechanism    Contractual clauses (DPA Section X)
GDPR SCCs             Included in DPA — Module 2 (Controller to Processor)
Data minimisation     PII redaction applied before API call
Retention             Zero-retention API tier confirmed
Purpose               Customer support query processing

Create this table for every data flow. It becomes part of your DPIA and your records of processing.
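To connect the hop-by-hop mapping in "The data flow problem" with this register, here is an added example (not from the article) that walks each hop of a mapped flow, applies the article's rule for when NDPA and GDPR are triggered, and reports which safeguards from the table above are still missing. The EEA country list and the two constructed flows, including their DPA and retention statuses, are assumptions.

```python
from dataclasses import dataclass

EEA = {"IE", "DE", "FR", "NL", "BE", "ES", "IT"}  # illustrative subset, not the full list

@dataclass
class Hop:
    name: str                 # e.g. "AI API call (Anthropic)"
    src: str                  # ISO country code of the sending system
    dst: str                  # ISO country code of the receiving system
    third_party: bool = True  # False for your own systems (no DPA to sign with yourself)
    dpa_signed: bool = False
    sccs: bool = False        # EU Standard Contractual Clauses included in the DPA
    retention: str = ""       # documented retention, e.g. "zero" or "30 days abuse monitoring"

def regimes_for(hop, subject_country):
    """NDPA when data leaves Nigeria; GDPR when an EU subject's data leaves or is forwarded outside the EEA."""
    regimes = []
    if hop.src == "NG" and hop.dst != "NG":
        regimes.append("NDPA")
    if subject_country in EEA and hop.dst not in EEA:
        regimes.append("GDPR")
    return regimes

def assess(flow, subject_country):
    """One register row per cross-border hop, with the safeguards still missing."""
    rows = []
    for hop in flow:
        if hop.src == hop.dst:
            continue  # domestic hop: nothing to document as a transfer
        regimes = regimes_for(hop, subject_country)
        gaps = []
        if hop.third_party and regimes and not hop.dpa_signed:
            gaps.append("DPA not signed")
        if hop.third_party and "GDPR" in regimes and not hop.sccs:
            gaps.append("no SCCs for GDPR transfer")
        if not hop.retention:
            gaps.append("retention not documented")
        rows.append({"hop": hop.name, "route": f"{hop.src}->{hop.dst}", "regimes": regimes, "gaps": gaps})
    return rows
# Constructed flows matching the two diagrams above; DPA and retention statuses are made up.
NIGERIAN_CUSTOMER = [
    Hop("AI API call (Anthropic)", "NG", "US", dpa_signed=True, sccs=True, retention="zero"),
    Hop("Database storage (AWS)", "NG", "IE", dpa_signed=True, sccs=True, retention="account lifetime"),
    Hop("Analytics (Google)", "NG", "US"),
]
DIASPORA_CUSTOMER = [
    Hop("Customer to app", "IE", "NG", third_party=False, retention="account lifetime"),
    Hop("AI API call (Anthropic)", "NG", "US", dpa_signed=True, sccs=True, retention="zero"),
]
```

Running assess over the diaspora flow reproduces the article's count: the first hop is a GDPR transfer only, the second is both an NDPA and a GDPR transfer.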

Step 6: Configure for data residency where possible

Some cloud providers offer African or EU regions that reduce transfer complexity:

AWS: Africa (Cape Town) region — af-south-1. Keeps data on the continent. Doesn't eliminate cross-border issues (South Africa ≠ Nigeria) but is better than US or EU for NDPA purposes.

Google Cloud: No African region currently. Closest is europe-west1 (Belgium).

Azure: South Africa North region available.

For GDPR compliance with diaspora customers, EU regions (AWS Ireland, Google Cloud Belgium) keep EU data within the EU — reducing the GDPR transfer burden.

Practical approach: Host your database and core application in an African or EU region. Accept that AI API calls go to the US (unavoidable for now) but document the transfer and apply PII redaction.

Step 7: Build the compliance documentation

For each AI feature using cloud services, produce:

  1. DPIA covering NDPA + GDPR risk assessment, with specific analysis of each cross-border transfer
  2. Records of processing entry with transfer documentation
  3. Privacy notice updates disclosing international transfers and safeguards
  4. DPA register tracking which DPAs are signed, with whom, and when they need review

This documentation serves three purposes:

  • CAR filing — your DPCO needs it for the annual audit
  • GDPR accountability — demonstrates compliance if an EU DPA investigates
  • Due diligence — enterprise clients and banking partners increasingly request this before working with fintechs

Common mistakes

"We use AWS so our data stays in the cloud." Yes, but which cloud? AWS has 30+ regions globally. Your data is in a specific region on specific servers in a specific country. You need to know which one.

"OpenAI is GDPR compliant so we're fine." OpenAI's GDPR compliance doesn't automatically make YOUR use of OpenAI GDPR compliant. You need your own DPA, your own DPIA, and your own privacy notices.

"We're a Nigerian company, GDPR doesn't apply." If you have any EU users, it does. And even without EU users, your international partners and investors increasingly expect GDPR-level data protection.

"We just use the API, we don't store anything." The API call itself is a data processing event. The data travels from your server to the provider's server and back. That's a transfer, even if nothing is stored.

"Nobody enforces this in Nigeria." NDPC is enforcing. The CAR filing requirement alone means NDPC knows which organisations are and aren't compliant. And your GDPR exposure is enforced by EU regulators who have a track record of fining non-EU companies.
