1. Data Storage Infrastructure

All user data is stored in enterprise-grade cloud environments provided by industry-recognized platforms:

  • Primary email and contact management: Brevo (EU-based, GDPR-compliant, ISO 27001 certified)
  • Database backup and analytics: Airtable (SOC 2 Type II certified)
  • Corporate CRM: HubSpot (SOC 2 certified, GDPR-compliant)
  • Form collection: Tally (GDPR-compliant infrastructure)

Encryption standards:

  • Data in transit: TLS 1.2 or higher (SSL/HTTPS)
  • Data at rest: AES-256 encryption where supported by processors

2. Access Controls

Access to the SabiSavvy database is restricted based on the principle of least privilege:

  • Administrative access: Limited to the founder and authorized personnel with a demonstrated business need
  • Multi-factor authentication (2FA): Mandatory for all accounts with access to personal data
  • Audit logs: Key platforms maintain access logs for security review
  • Third-party access: Service providers access data only as necessary to perform contracted services, under data processing agreements

3. Data Processing Agreements

We maintain written data processing agreements (DPAs) with all third-party processors, ensuring they:

  • Process data only on our documented instructions
  • Implement appropriate security measures
  • Assist with data subject rights requests
  • Notify us of any data breaches
  • Delete or return data upon termination of service

4. Data Minimization Practices

We collect only the data necessary for stated purposes:

  • Quiz forms request name, email, role, and professional context—no sensitive personal information
  • Corporate inquiry forms collect organization details only to the extent needed to respond to requests
  • We do not request or store health data, religious beliefs, political opinions, or other special category data

5. Data Retention and Disposal

Active data:
Personal data is retained while you remain engaged with SabiSavvy services (subscribed to communications, enrolled in courses, or in active business dialogue).

Inactive data:
We conduct annual reviews of our database. Contacts who have not engaged with our communications for 24 months are:

  • Flagged for review
  • Moved to an archived segment, or
  • Deleted entirely (except where retention is required for legal, tax, or accounting purposes)

Secure disposal:
When data is deleted, we instruct our processors to permanently remove it from active and backup systems within their standard retention windows.

Suppression lists:
We maintain a list of unsubscribed email addresses to honor opt-out requests, as required by anti-spam regulations.
6. Cross-Border Data Transfers

SabiSavvy operates in Nigeria, but our technology infrastructure spans multiple jurisdictions:

  • EU/EEA: Brevo, Tally (GDPR-compliant with Standard Contractual Clauses)
  • United States: Airtable, HubSpot (SOC 2 certified, relying on SCCs and equivalent protections)

We verify that all processors handling cross-border transfers comply with:

  • NDPA requirements for adequate safeguards
  • GDPR standards (Standard Contractual Clauses, adequacy decisions, or equivalent mechanisms)

7. Security Incident Response

In the event of a data breach or security incident, SabiSavvy follows this protocol:

a) Detection and Containment

  • Identify the scope, nature, and cause of the breach
  • Immediately contain the issue (e.g., revoke compromised credentials, isolate affected systems)

b) Assessment

  • Determine what data was accessed or compromised
  • Evaluate the risk to affected individuals

c) Notification

  • If the breach poses a risk to data subjects’ rights and freedoms, we will:
    • Notify the Nigeria Data Protection Commission (NDPC) within 72 hours (as required by NDPA)
    • Notify affected individuals without undue delay, where required
    • For EU/UK data subjects, comply with GDPR breach notification requirements

d) Documentation

  • Maintain a record of all breaches, including facts, effects, and remedial actions taken

8. Third-Party Vetting

Before engaging a new service provider that will process personal data, we assess:

  • Their security certifications (ISO 27001, SOC 2, etc.)
  • Compliance with NDPA/GDPR standards
  • Data processing agreement terms
  • Breach notification procedures
  • Subprocessor policies

9. Employee and Contractor Access

Confidentiality:
All team members, contractors, and virtual assistants with access to personal data must:

  • Sign a confidentiality agreement
  • Complete privacy and security training
  • Adhere to this Data Handling Statement

Offboarding:
When a team member’s access is no longer required, we:

  • Immediately revoke system access
  • Recover or wipe any devices containing SabiSavvy data
  • Remind the individual of ongoing confidentiality obligations

10. Regular Review and Updates

We review our data handling practices and security measures periodically, and update this statement as necessary to reflect:

  • Changes in our service providers or infrastructure
  • New regulatory requirements
  • Lessons learned from security assessments or incidents

11. Contact for Data Security Inquiries

For questions about our data handling practices or to report a security concern: