Legal · Compliance

Compliance & Security

The frameworks we operate within and the measures we use to protect the data you and your respondents trust us with.

Last updated: 1 July 2026Applies to: Tornado Tech Nigeria Ltd. & Tornado Tech Ltd. (UK)

Trust is the foundation of data intelligence. This page sets out the regulatory frameworks Tornado-Tech operates within and the technical and organisational measures we use to protect the data entrusted to us across ResearchGains, Opinyze, and our wider services.

01Regulatory frameworks

Our compliance programme is built around the laws and standards that govern data protection in the markets we serve:

  • Nigeria Data Protection Act (NDPA) 2023 — our primary framework for processing personal data in Nigeria, including lawful basis, data-subject rights, and breach handling.
  • NDPC General Application and Implementation Directive (GAID) 2025 — the operational guidance we align our controls to.
  • UK GDPR and the Data Protection Act 2018 — applicable to Tornado Tech Ltd. (UK) and to processing involving UK or EU data subjects.

Tornado-Tech maintains registration and compliance posture consistent with the Nigeria Data Protection Commission's requirements, which is why the NDPC compliance mark appears across our platform.

02Data governance

We treat data governance as an operational discipline, not a checkbox:

  • Clear controller and processor roles are defined for every engagement.
  • Data-processing activities are documented, and high-risk processing is subject to a data-protection impact assessment.
  • Access to personal data follows the principle of least privilege and is reviewed regularly.
  • Third-party processors are vetted and bound by written data-processing agreements.

03Technical security measures

We apply layered technical controls to protect data in transit and at rest:

  • Encryption of data in transit using TLS, and encryption of sensitive data at rest.
  • Pseudonymous sub-identifier architecture so that survey and poll data can be analysed without exposing respondent identities.
  • Role-based access control, authentication, and audit logging across our platforms.
  • Secure software-development practices, including code review and dependency management.
  • Regular backups and tested recovery procedures.

04Offline-first field security

Our field data-collection tools are designed for environments with limited connectivity. Data captured offline is stored securely on-device and synchronised over encrypted channels when a connection is available, reducing the risk of loss or interception during collection.

05Organisational measures

Technology alone does not secure data. We combine it with:

  • Confidentiality obligations for staff, enumerators, and contractors.
  • Training on data protection and secure handling of respondent information.
  • Vendor due diligence and ongoing oversight of processors.
  • Documented policies for access, retention, and disposal.

06Incident response

We maintain an incident-response process to detect, contain, and remediate security events. Where a personal-data breach is likely to result in risk to affected individuals, we notify the relevant supervisory authority — the NDPC or the ICO — and affected individuals within the timeframes required by law.

To report a suspected security issue or vulnerability, contact admin@tornado-tech.co. We welcome responsible disclosure and will acknowledge legitimate reports promptly.

07Respondent protection

Respondents are at the heart of our data ecosystem, and we protect them accordingly:

  • Participation is based on informed consent, with clear information about how responses will be used.
  • Results are delivered to clients in aggregated or pseudonymised form wherever the study permits.
  • Respondents can withdraw consent and request deletion of their data, consistent with our Privacy Policy.

08Sub-processors and hosting

We use reputable infrastructure and service providers to deliver the Services. Each sub-processor is bound by contractual data-protection obligations, and we assess where data is hosted to ensure appropriate safeguards for any cross-border transfer between our Nigerian and UK operations.

09Contact our compliance team

Compliance & security
admin@tornado-tech.co
Nigeria
35/36 Okotiebo Street, Utako, FCT Abuja, Nigeria
United Kingdom
4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London W1T 6EB