Data Center Hosting Agreement (Nigeria)
DATA CENTER HOSTING AGREEMENT
Nigeria Data Protection Act 2023 | Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 | Nigerian Communications Act 2003 | Companies and Allied Matters Act 2020
This Data Center Hosting Agreement is made on [Agreement Date] between:
HOST: [Host Name] (RC: [Host RC]), of [Host Address] ("Host"); and
CLIENT: [Client Name] (RC: [Client RC]), of [Client Address] ("Client").
1. SERVICES
1.1 Colocation space: [Colo Space].
1.2 Data center Tier classification: [Tier Classification] (Uptime Institute standard).
1.3 Power allocation: [Power Allocation].
1.4 Network connectivity: [Connectivity].
2. SERVICE LEVEL AGREEMENT
2.1 Uptime guarantee: [Uptime Guarantee].
2.2 Service credits for SLA breach: [Service Credits].
2.3 Planned maintenance: [Maintenance Window].
3. DATA PROTECTION AND DATA SOVEREIGNTY
3.1 Data localisation and sovereignty: [Data Localisation].
3.2 The Host acts as a data processor under the Nigeria Data Protection Act 2023 (NDPA) in respect of any personal data contained within Client systems. The Host shall: (a) process personal data only on the documented instructions of the Client; (b) implement appropriate technical and organisational security measures per NDPA Section 24; (c) not engage sub-processors without the Client's prior written consent; and (d) support the Client in meeting its NDPA obligations including data subject rights and NDPC audit requirements.
3.3 Security breach notification: [Breach Notification].
3.4 Audit rights: [Audit Rights].
4. TERM AND FEES
4.1 Initial term: [Initial Term].
4.2 Monthly hosting fee: [Monthly Fee]. Invoiced monthly in advance. Payment due within 30 days of invoice.
4.3 Notice for termination after initial term: [Notice Period].
5. TERMINATION AND DATA RETURN
5.1 Data and equipment on termination: [Data Return].
5.2 Insolvency: in the event the Host becomes insolvent or a receiver or liquidator is appointed, the Client retains title to all equipment placed in the data center and may remove such equipment immediately. Client data on Host infrastructure will be preserved pending Client's written data return or deletion instructions.
6. GOVERNING LAW AND DISPUTE RESOLUTION
6.1 This Agreement is governed by the laws of the Federal Republic of Nigeria.
6.2 Dispute resolution: [Governing Law].
EXECUTION
IN WITNESS WHEREOF the parties have executed this Agreement on [Agreement Date].
Host (Authorised Signatory)
________________
Signature
Client (Authorised Signatory)
________________
Signature
What Is a Data Center Hosting Agreement (Nigeria)?
A Data Center Hosting Agreement in Nigeria governs the relationship between the parties by fixing what each must do.
Data center hosting in Nigeria operates within a multi-regulatory framework. The Nigerian Communications Commission (NCC) licenses internet exchange points, internet service providers, and infrastructure providers under the Nigerian Communications Act 2003 and NCC Regulations. The National Information Technology Development Agency (NITDA), which administered the Nigeria Data Protection Regulation (NDPR) 2019, has been succeeded by the Nigeria Data Protection Commission (NDPC) established under the Nigeria Data Protection Act 2023 (NDPA), which now has primary jurisdiction over data protection compliance for data center operators processing personal data of Nigerian residents.
Data sovereignty and localisation requirements are a critical consideration in Nigerian data center agreements. The NDPA 2023, Section 43, restricts the transfer of personal data to countries outside Nigeria to those countries with adequate data protection laws, or where the data controller has implemented appropriate safeguards. The Central Bank of Nigeria (CBN) Consumer Data Protection Regulations and CBN IT Standards impose data localisation requirements on financial sector data — requiring that transaction data and customer data of Nigerian financial institutions be stored primarily within Nigeria. The National Health Act 2014 imposes similar data localisation requirements for health records under the National Health Information System.
Nigeria's data center market includes operators such as MainOne (now Equinix), Rack Centre, MTN Data Centers, CSquared Nigeria, and Medallion Communications, operating tier-certified facilities in Lagos, Abuja, and Port Harcourt. The Telecommunications and Digital Infrastructure Sharing Framework regulates shared infrastructure and colocation services among operators.
The Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 imposes obligations on Critical National Information Infrastructure operators and applies to data centers designated as CNII. Data center operators and their clients must comply with the Cybercrime Act's requirements for security, incident reporting, and lawful access to stored data by authorised agencies.
The legal framework governing the Data Center Hosting Agreement (Nigeria) in Nigeria draws on several key statutes and regulatory bodies. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Parties executing a Data Center Hosting Agreement (Nigeria) in Nigeria should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies and Allied Matters Act (CAMA) 2020 sets the foundational requirements.
When Do You Need a Data Center Hosting Agreement (Nigeria)?
A Nigeria Data Center Hosting Agreement is needed whenever an organisation places its IT equipment, data, or applications in a third-party data center facility in Nigeria, or when a Nigerian data center operator provides services to a client.
Financial institutions regulated by the CBN — including banks, payment service providers, insurance companies, and FinTech companies — that outsource their IT infrastructure to a Nigerian data center require a formal hosting agreement. The CBN IT Standards and the CBN Risk-Based Cybersecurity Assessment Programme require financial institutions to maintain formal contracts with IT service providers, including SLAs, security standards, audit rights, and incident response provisions.
Government agencies and parastatals migrating to cloud or colocation data center services require a formal agreement compliant with the National Cloud Computing Policy 2019 issued by the Federal Ministry of Communications and Digital Economy, which designates government cloud as a category requiring specific data sovereignty protections.
Telecommunication operators and internet service providers that colocate network equipment — routers, servers, network appliances — at carrier-neutral data centers or internet exchange points require a colocation agreement covering physical security, power, connectivity, and access controls.
Healthtech and medtech companies storing patient health records — subject to data localisation under the National Health Act 2014 and NDPA 2023 — require a hosting agreement with a Nigeria-based data center that includes specific health data protection provisions.
E-commerce platforms, SaaS providers, and digital businesses with Nigerian user bases and NDPA 2023 obligations for Nigerian resident personal data require a hosting agreement with a Nigeria-located data center to satisfy data localisation requirements and demonstrate NDPC compliance.
Parties in Nigeria should prepare a Data Center Hosting Agreement (Nigeria) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Data Center Hosting Agreement (Nigeria)
A Nigeria Data Center Hosting Agreement must contain the following provisions to protect both parties and confirm regulatory compliance.
Service description and scope: detailed specification of colocation space (rack units, cage, or suite), power supply (primary and redundant UPS, rated kVA), cooling provision, and network connectivity (bandwidth, IP addresses, and peering arrangements). The specification must align with the agreed Tier classification (Tier I through IV under the Uptime Institute standard, commonly referenced in Nigerian data center contracts).
Service Level Agreement (SLA): specific, measurable performance commitments including facility uptime guarantee (typically 99.9% to 99.999% depending on Tier level), maximum planned maintenance windows, power delivery standards (including generator backup and fuel supply obligations), and cooling standards. The SLA must specify service credits payable for downtime below the guaranteed level.
Data protection obligations: the agreement must address the Host's obligations as a data processor under NDPA 2023 (where the Host processes personal data on behalf of the Client), including processing only on documented instructions, security measures, sub-processor controls, data breach notification within 72 hours, and support for data subject rights. This section must comply with NDPA 2023 Sections 37 to 43.
Physical security standards: access control systems (biometrics, CCTV, security personnel), visitor policies, client access procedures, and security audit rights. For CBN-regulated financial institution clients, the CBN Cybersecurity Framework requires documented physical security controls at outsourced data centers.
Data sovereignty and localisation: express confirmation that client data will be stored within Nigeria; restrictions on replication or transfer of data outside Nigeria without prior written consent; and the Host's obligations to comply with NDPA 2023 cross-border data transfer requirements.
Disaster recovery and business continuity: the Host's obligations for backup power, fire suppression, flood protection, and the availability of secondary facilities; the Client's access to run its own disaster recovery tests; and the procedures for recovery from a major facility outage.
Termination and data return: procedures for the return or secure destruction of client equipment and data on termination of the agreement, including timelines and costs, compliant with NDPA 2023 data retention and deletion obligations.
Governing law and dispute resolution: Nigerian law as governing law, jurisdiction of the Lagos State or Federal High Court, or arbitration under the Arbitration and Conciliation Act (ACA) 2023.
Additional compliance elements for a Data Center Hosting Agreement (Nigeria) used in Nigeria include: Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Center Hosting Agreement (Nigeria) (Nigeria) [Legal document template]. Forms Legal. https://forms-legal.com/nigeria/business/contracts/data-center-hosting-agreement-nigeria
"Data Center Hosting Agreement (Nigeria) (Nigeria)." Forms Legal, 2026, https://forms-legal.com/nigeria/business/contracts/data-center-hosting-agreement-nigeria.
@misc{formslegal-data-center-hosting-agreement-nigeria,
author = {{Forms Legal}},
title = {Data Center Hosting Agreement (Nigeria) (Nigeria)},
year = {2026},
howpublished = {\url{https://forms-legal.com/nigeria/business/contracts/data-center-hosting-agreement-nigeria}},
note = {Free legal document template. Based on Companies and Allied Matters Act (CAMA) 2020}
}Frequently Asked Questions
Yes, Nigerian financial sector regulations impose significant data localisation requirements. The Central Bank of Nigeria (CBN) Consumer Data Protection Regulations and the CBN IT Standards require that transaction data, customer records, and core banking data of Nigerian financial institutions be stored primarily within Nigeria. The CBN has clarified in supervisory guidance that while backup data may be stored abroad, primary transaction and customer data must be maintained on Nigeria-based servers. Separately, the NDPA 2023, Section 43, restricts transfer of personal data — including financial services customer data — outside Nigeria to countries with adequate data protection laws or where appropriate safeguards are in place, such as Standard Contractual Clauses approved by the NDPC. The Nigeria Data Protection Commission is expected to issue guidance on adequate countries and approved transfer mechanisms. Financial institutions that outsource IT infrastructure to data centers must ensure their hosting agreements include data sovereignty provisions confirming that Nigerian customer data will remain within Nigeria. Violations of CBN data localisation requirements can result in regulatory fines, directives to repatriate data, and broader supervisory actions under the Banks and Other Financial Institutions Act (BOFIA) 2020.
Uptime guarantees in Nigerian data center agreements are commonly expressed as a percentage of availability per calendar month, aligned with the Uptime Institute Tier Classification system. Tier I data centers (basic infrastructure, single path for power and cooling) offer a minimum of 99.671% uptime (approximately 28.8 hours of downtime per year). Tier II facilities (redundant capacity components) offer 99.741% uptime. Tier III data centers (concurrently maintainable, multiple active power and cooling distribution paths) offer 99.982% uptime (approximately 1.6 hours of downtime per year). Tier IV facilities (fault tolerant, all components fully redundant) offer 99.995% uptime (approximately 26 minutes per year). The major Nigerian data centers — including Rack Centre (Tier III+ certified), MainOne/Equinix (Tier III certified), and Medallion Communications — typically offer SLAs in the range of 99.9% to 99.99%. Financial institutions and other regulated entities with CBN Business Continuity Management requirements should negotiate SLAs at Tier III or above, with specific provisions for the maximum unplanned outage period, generator fuel supply obligations, and the Hosting provider's obligations to restore power within a specified recovery time objective (RTO). Service credits for SLA breaches should be commercially meaningful — typically a percentage of the monthly fee — to incentivise the data center operator to maintain standards.
Data center regulation in Nigeria spans multiple regulatory authorities depending on the services provided and the sectors served. The Nigerian Communications Commission (NCC) licenses internet service providers, data transmission services, and infrastructure providers under the Nigerian Communications Act 2003 and NCC Regulations, including colocation and hosting services that involve telecommunications infrastructure. The Nigeria Data Protection Commission (NDPC), established under the NDPA 2023, has oversight of data protection compliance for data centers that process personal data of Nigerian residents as data processors, including obligations for technical security, data breach notification, and cross-border data transfer restrictions. The Central Bank of Nigeria (CBN) has supervisory interest in data centers serving financial institutions, requiring compliance with CBN Cybersecurity Framework, IT Standards, and data localisation requirements. The National Information Technology Development Agency (NITDA) regulates IT service providers under the NITDA Act 2007 and the Nigerian IT Consultants and Providers Regulations, which may apply to data center service providers. Critical National Information Infrastructure (CNII) operators designated under the Cybercrimes Act 2015 are subject to ONSA and ngCERT oversight. The Federal Ministry of Communications and Digital Economy oversees the National Cloud Computing Policy, which applies to data centers providing cloud services to government entities.
The insolvency of a data center operator creates significant risks for clients regarding access to their equipment, data, and systems. Under Nigerian insolvency law — governed by CAMA 2020, the Bankruptcy Act (Cap. B2), and the Federal Competition and Consumer Protection Act (FCCPA) 2018 — an insolvency practitioner (receiver/manager or liquidator) takes control of the insolvent company's assets. Client IT equipment lawfully owned by the client and clearly identified should be treated as the client's property and excluded from the insolvent estate, but the practical process of retrieving equipment during a contested insolvency can be protracted and contentious. A well-drafted hosting agreement should include: express retention of title provisions confirming client ownership of all equipment placed in the facility; specific data return and destruction obligations triggered by insolvency or appointment of a receiver; provision for direct equipment removal by the client without the operator's consent in insolvency scenarios; and escrow arrangements for critical data where possible. The NDPA 2023 imposes ongoing data protection obligations on data processors (including their successors and insolvency practitioners) and requires that data be returned or securely destroyed on termination of the data processing relationship. Clients should also maintain off-site backups at a second location independent of the primary data center to ensure business continuity regardless of the primary operator's financial position.
A Data Center Hosting Agreement (Nigeria) does not legally require a lawyer in Nigeria, though legal advice is recommended. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) governs corporate documents through the Corporate Affairs Commission (CAC). The National Industrial Court of Nigeria (NICN) adjudicates employment disputes. The Nigeria Data Protection Regulation (NDPR) and NDPC impose data protection obligations. The Federal Inland Revenue Service (FIRS) requires tax compliance. Forms-legal.com provides this template as a starting point — always review with a qualified Nigerian lawyer for significant transactions. Under Nigeria law, Companies and Allied Matters Act (CAMA) 2020, parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Data Processing Agreement (Nigeria)
A Data Processing Agreement (DPA) for Nigeria compliant with the Nigeria Data Protection Act (NDPA) 2023 and NDPC requirements. Governs the relationship between data controllers and data processors, covering processing instructions, security obligations, sub-processor controls, data breach notification, and data subject rights support.
Cybersecurity Policy (Nigeria)
A corporate cybersecurity policy for Nigerian organisations compliant with the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015, CBN Cybersecurity Framework 2021, NDPC Nigeria Data Protection Act 2023, and the NCC Cybersecurity Regulations. Covers access controls, incident response, data protection, and staff obligations.
Data Privacy Impact Assessment (Nigeria)
A Data Privacy Impact Assessment (DPIA) template for Nigerian organisations compliant with the Nigeria Data Protection Act (NDPA) 2023 and NDPC guidance. Covers risk identification, mitigation measures, consultation obligations, and documentation requirements for high-risk data processing activities.