Privacy Overview

Controller and Processor Roles

The tenant organisation is the data controller. Hercules is the data processor and acts only on documented controller instructions, governed by the executed Data Processing Agreement. The controller retains primary responsibility for employee notification, consent management where required, and NDPC filing obligations.

Personal Data Processed

Hercules processes employee names, work email addresses, simulation interaction events (opens, link clicks, report-phish actions), training completion records, and device metadata associated with those interactions. No sensitive personal data as defined under NDPR Article 1.3(i) is processed.

Lawful Basis

The lawful basis for processing is legitimate interest (NDPR Article 2.2). Security awareness simulation is a recognised obligation under the CBN Cyber Resilience Framework for regulated financial institutions and aligns with ISO 27001 Annex A.7.2.2. Tenant-controllers are responsible for conducting a legitimate interest assessment appropriate to their sector and for communicating processing purposes to employees as required by NDPR Article 2.4.

Data Residency and Cross-Border Transfers

Hercules is hosted on Railway infrastructure. Railway's managed services may operate on cloud infrastructure located outside Nigeria. Cross-border transfer provisions under NDPR Article 2.11 and NDPA Chapter 7 may apply. Hercules provides contractual safeguards through the DPA. Tenant-controllers subject to CBN data residency directives should raise this during procurement to confirm applicable protections.

Data Subject Rights

Employees have the right under NDPR Articles 2.6 and 3.1 to access, correct, delete, and object to the processing of their personal data. Rights requests directed to Hercules are acknowledged within 72 hours and coordinated with the tenant-controller as the party primarily responsible for fulfilment.

NDPC Filing Obligations

Organisations processing the personal data of more than 1,000 data subjects within a six-month period must submit a summary of data processing activities to the Nigeria Data Protection Commission (NDPC) by 15 March and 15 September each year (NDPR Article 3.1(5), NDPA 2023). This obligation rests with the data controller. Hercules, as data processor, can provide processing activity summaries to support the filing on request.

Data Breach Notification

In the event of a personal data breach affecting data processed on behalf of a tenant-controller, Hercules will notify the affected tenant-controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with NDPA 2023 Section 40. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

The tenant-controller, as data controller, is responsible for determining whether and how to notify affected data subjects and for any required filing with the NDPC. Hercules will cooperate fully with any such notification process and provide all reasonably requested information.

Right to Lodge a Complaint

In addition to the rights described above, employees and data subjects have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if they believe their personal data has been processed in a manner that does not comply with applicable Nigerian data protection law. The NDPC can be contacted at ndpc.gov.ng.