Data Protection

At Niogin, protecting personal data is fundamental to how we build and operate software. This statement describes our data protection commitments and complements our Privacy Policy. We process personal data in accordance with Sri Lanka’s Personal Data Protection Act, No. 9 of 2022 (“PDPA”) and, where applicable, the EU/UK General Data Protection Regulation (“GDPR”).

Controller and processor roles

When we collect personal data for our own purposes—such as website enquiries and marketing—Niogin acts as a controller. When we process personal data on behalf of our clients within the products and systems we build and operate for them, we act as a processor, processing data only on documented instructions under a Data Processing Addendum (“DPA”).

Our data protection principles

• Lawfulness and transparency — we process data fairly and on a valid legal basis.
• Purpose limitation — data is collected for specified, legitimate purposes.
• Data minimisation — we collect only what we need.
• Accuracy — we take reasonable steps to keep data accurate and up to date.
• Storage limitation — we retain data no longer than necessary.
• Integrity and confidentiality — we protect data with appropriate security measures.
• Accountability — we maintain records and processes to demonstrate compliance.

Security measures

We apply technical and organisational measures appropriate to the risk, including encryption of data in transit, role-based access controls, secure credential management, audit logging, regular backups, and vendor due diligence. Access to personal data is restricted to authorised personnel on a need-to-know basis.

Sub-processors

We engage trusted sub-processors (for example, cloud hosting, email, and analytics providers) to deliver our services. We require sub-processors to provide data protection commitments consistent with this statement, and a current list is available on request where we act as a processor.

International transfers

Personal data may be processed in Sri Lanka, the United States, or other jurisdictions where we or our sub-processors operate. Where data crosses borders, we rely on appropriate safeguards as required by the PDPA and the GDPR.

Data subject rights

Individuals may exercise their rights of access, correction, erasure, restriction, objection, and portability, and may withdraw consent where processing is based on consent. Where we act as a processor, we will promptly assist our client (the controller) in responding to such requests. Requests directed to us as a controller can be made using the contact details below.

Data breach notification

We maintain procedures to detect, investigate, and respond to personal data breaches. Where a breach is likely to result in a risk to individuals, we will notify the relevant authority and, where we act as a processor, the affected controller without undue delay.

Data Processing Addendum

Clients who require a Data Processing Addendum for the products and services we operate on their behalf can request one by contacting us.

Contact us

For data protection enquiries, contact us at hello@niogin.com, or write to Niogin (Pvt) Ltd, 02, 6th Lane, Colombo 03, Sri Lanka. You also have the right to lodge a complaint with the Data Protection Authority of Sri Lanka.