Compliance Jan 8, 2026 · 6 min read

What "NDPA registered · CBN aligned · ISO 27001 in progress" actually buys you

We don't claim SOC 2 or GDPR. Why our compliance footprint is exactly what it should be for Phase 1 — and how it'll grow.

Most enterprise SaaS landing pages list four to six certification badges in their footer. SOC 2 Type II, ISO 27001, GDPR, HIPAA, PCI-DSS, FedRAMP. Some of those are real; some are aspirational. For Phase 1 of Migratio, our compliance line reads: NDPA registered · CBN aligned · ISO 27001 in progress. Three signals. Each one true and verifiable. Here's what each means.

NDPA registered

Cognis Group Limited is registered with the Nigeria Data Protection Commission as an Ultra-High Level data controller. Migratio is listed as a processing activity in our Record of Processing Activities (ROPA). We can share our Data Protection Compliance Officer (DPCO) documentation on request, including the registration certificate.

This is the right and required certification for our Phase 1 market (Nigerian banks, ministries, and regulated enterprises). It's NOT a substitute for GDPR — which we'd claim only if we were processing EU residents' data, which we're not. We'll be transparent about that scope.

CBN aligned

Migratio is aligned with the Central Bank of Nigeria's Risk-Based Cybersecurity Framework for the banks we serve. Specifically, we map our controls to:

  • Asset Management (every record migrated is asset-tagged in our system of record)
  • Access Control (Authentik SSO with role-based per-tenant access; MFA mandatory for admin)
  • Logging & Monitoring (OpenTelemetry → Grafana / Loki / Tempo with 7-year retention for audit logs)
  • Incident Response (documented playbook with 4-hour notification SLA for breach events)
  • Third-Party Risk (annual audits of our infrastructure vendors)

"Aligned" means our controls map to CBN's framework requirements. It doesn't mean we've been individually audited by CBN — CBN doesn't audit vendors; it audits the banks that use them. Our customer banks audit us; we provide the artifacts they need for their own CBN review.

ISO 27001 in progress

ISO 27001 certification takes 12–18 months from kickoff. We started in Q3 2025; we expect to certify in Q2 2027. "In progress" means we've completed the gap analysis, written the Information Security Management System (ISMS) policies, and are operating against them — but we haven't yet completed the Stage 2 certification audit.

We'll update the badge to "ISO 27001 certified" the day the certificate is issued. Until then, "in progress" is the honest claim.

What we don't claim

SOC 2 Type II

SOC 2 is a US-market signal. We'll pursue it when we have enough North American customers to justify the audit cost (~$30K–$60K per year for ongoing attestation). For Phase 1, our customer base is Nigerian; they care about NDPA and ISO 27001, not SOC 2.

GDPR

Migratio Phase 1 doesn't process EU residents' data. If we did, GDPR would apply — and we'd claim it. When we expand into EU markets in Phase 4, we'll add the GDPR claim with appropriate Data Processing Agreement templates.

HIPAA / PCI-DSS

Healthcare and payment-card processing are out of scope for Phase 1. We'll pursue these as needed when we ship the relevant industry packs.

Why we under-claim

Sophisticated enterprise buyers verify every certification. Claiming SOC 2 in your footer when you don't have it isn't an aspiration — it's misrepresentation, and it kills the deal at procurement when their security team asks for the report. We'd rather lead with three things we can prove than five things we can't.

What we'll send your security team

On request, we share:

  • NDPA registration certificate (Cognis Group Limited)
  • DPCO appointment letter
  • Record of Processing Activities (ROPA) — Migratio entry
  • CBN framework controls matrix (per-control mapping document)
  • ISO 27001 ISMS policy set + Stage 1 audit attestation
  • Most recent penetration test report (annual, by third-party firm)
  • Hetzner Frankfurt data residency attestation
  • Standard MSA with information-security and audit-rights clauses

These aren't behind a sales gate. Email [email protected] and we'll send the relevant subset within one business day.

Cognis Group · Compliance

© 2026 Cognis Group Limited. All rights reserved.