Consent & NDPR
Consent requirements and NDPR compliance for identity resolution.
PlatformXe requires proof of consent for every identity resolution request. This page explains why, what you need to provide, and how PlatformXe handles personal data.
Why consent is mandatory
The Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act (NDPA) require that personal data is processed only with the informed consent of the data subject. Identity resolution involves querying national databases that contain sensitive personal information — names, dates of birth, and government-issued identification numbers.
PlatformXe enforces consent at the API level because it has no direct relationship with the data subject. Your application is the data controller and must obtain consent before calling the identity resolution API.
What you must provide
Every request to /api/v1/identity/resolve must include a consent object:
{
"consent": {
"reference": "consent_ref_abc123",
"obtainedAt": "2026-04-01T10:00:00.000Z"
}
}
| Field | Type | Description |
|---|---|---|
consent.reference | string | A unique identifier from your application's consent management system. This ties the API request back to the specific consent record you hold. |
consent.obtainedAt | string | ISO 8601 timestamp indicating when the data subject gave consent. |
Requests without a valid consent object are rejected with a BAD_REQUEST error. PlatformXe does not proceed with identity lookups without consent proof.
Your responsibilities as data controller
As the calling application, you are responsible for:
- Obtaining informed consent — the data subject must understand what data will be accessed, why, and how it will be used.
- Recording consent — store the consent record with a unique reference, the timestamp, the purpose, and the scope of data accessed.
- Providing a withdrawal mechanism — the data subject must be able to revoke consent at any time.
- Retaining consent records — keep consent records for the duration required by NDPR/NDPA (minimum 2 years after the last processing activity).
How PlatformXe handles personal data
PlatformXe is designed as a pass-through service for identity data:
- No PII is stored in the database. Identity resolution results are never written to persistent storage.
- Redis cache only. Results are cached in Redis with a 24-hour TTL to reduce provider calls. After 24 hours, the cache entry is automatically deleted.
- Consent reference is logged. PlatformXe records the consent reference in its audit log so there is a traceable link between the API call and your consent record. The audit log does not contain the resolved identity data itself.
PlatformXe acts as a data processor under NDPR. Your organization (the API caller) is the data controller. The consent reference creates an auditable chain between the API request and the consent obtained from the data subject.
Audit trail
Each identity resolution request generates an audit log entry containing:
- Organization ID (your tenant)
- API key ID (hashed)
- Identity type requested (e.g.,
bvn) - Consent reference
- Consent timestamp
- Resolution timestamp
- Whether the result was served from cache
- Provider used (internal reference only)
This audit trail is available via the PlatformXe audit log API and is retained for 90 days.
Summary
| Aspect | Handling |
|---|---|
| Consent | Required on every request — your app obtains it, PlatformXe enforces it |
| PII storage | None — pass-through with 24-hour Redis TTL cache |
| Audit | Consent reference logged, identity data not logged |
| Data controller | Your application |
| Data processor | PlatformXe |