IT Service Agreement (Nigeria)
IT SERVICE AGREEMENT
Companies and Allied Matters Act 2020 | Nigeria Data Protection Act 2023 | Copyright Act 2022 | Cybercrimes Act 2015
This IT Service Agreement is made on [Effective Date] BETWEEN [Provider Name] (RC [Provider RC Number]) of [Provider Address] ("Service Provider") AND [Client Name] (RC [Client RC Number]) of [Client Address] ("Client").
1. SERVICES AND DELIVERABLES
1.1 The Service Provider agrees to provide the following IT services to the Client: [Service Description]
1.2 Key deliverables and milestones: [Deliverables]
1.3 Contract term: [Contract Term].
2. SERVICE LEVEL AGREEMENT (SLA)
2.1 Uptime commitment: [Uptime Commitment].
2.2 Incident response and resolution times: [Incident Response Time].
2.3 Service credits for SLA breach: [Service Credit].
2.4 The Service Provider shall provide monthly SLA performance reports to the Client within 5 business days of month-end.
3. FEES AND PAYMENT
3.1 Total service fee: [Service Fee].
3.2 Payment schedule: [Payment Schedule].
3.3 Tax treatment: [VAT Treatment]. The Client shall deduct withholding tax at 10% on technical service fees and remit the same to the Federal Inland Revenue Service (FIRS) as required under Section 78 of the Companies Income Tax Act (Cap C21, LFN 2004).
3.4 Invoices unpaid within 30 days of due date shall attract interest at the CBN monetary policy rate plus 5% per annum.
4. INTELLECTUAL PROPERTY
4.1 IP ownership arrangement: [IP Ownership].
4.2 Each party retains ownership of its pre-existing intellectual property. The Service Provider grants the Client a non-exclusive licence to use pre-existing IP embedded in the deliverables for the Client's internal business purposes.
4.3 Any express assignment of copyright must be in writing signed by the Service Provider to be effective under the Copyright Act 2022.
5. DATA PROTECTION (NDPA 2023)
5.1 Data processing obligation: [Data Processing Obligation]. Where the services involve processing personal data of Nigerian residents, the parties acknowledge that the Client is the data controller and the Service Provider is the data processor under the Nigeria Data Protection Act 2023.
5.2 The Service Provider shall: (a) process personal data only on the Client's documented instructions; (b) implement appropriate technical and organisational security measures under NDPA 2023, Section 38; (c) notify the Client within 72 hours of becoming aware of a personal data breach; (d) assist the Client in responding to data subject rights requests; and (e) upon termination, delete or return all personal data as directed by the Client.
5.3 The Service Provider shall not engage sub-processors without the Client's prior written consent.
6. LIABILITY AND INDEMNITY
6.1 The Service Provider's aggregate liability to the Client under or in connection with this Agreement shall not exceed: [Liability Cap].
6.2 Neither party shall be liable for indirect, consequential, punitive, or loss-of-profit damages, except in the case of fraud, wilful misconduct, or NDPA breaches.
7. TERMINATION
7.1 Either party may terminate this Agreement for material breach upon 30 days' written notice, if the breach remains unremedied at the end of the notice period.
7.2 Either party may terminate for convenience upon 60 days' written notice to the other party.
7.3 Upon termination, the Service Provider shall return or delete all Client data and confidential information within 14 days, and the Client shall pay all undisputed outstanding fees.
8. GOVERNING LAW
This Agreement is governed by the laws of Nigeria. Disputes shall be resolved first by negotiation, and if unresolved within 30 days, by arbitration under the Arbitration and Mediation Act 2023 (AMA 2023), with the seat of arbitration in Lagos, Nigeria.
Service Provider
________________
Signature
Client
________________
Signature
What Is an IT Service Agreement (Nigeria)?
An IT Service Agreement in Nigeria records the obligations, timelines and payment owed between the client and the service provider.
The primary statutory framework governing IT Service Agreements in Nigeria includes the Nigeria Data Protection Act 2023 (NDPA) — which replaced the Nigeria Data Protection Regulation (NDPR) 2019 and is administered by the Nigeria Data Protection Commission (NDPC) — the Cybercrimes (Prohibition, Prevention, etc.) Act 2015 enacted under the National Information Technology Development Agency Act (Cap N156, LFN 2004), and the Nigerian Communications Commission (NCC) framework applicable to telecommunications-adjacent IT services. The Finance Act 2023 and the Companies Income Tax Act (Cap C21, LFN 2004) govern tax treatment of IT service fees, including the 10% withholding tax applicable to technical service fees under the Taxes and Levies (Approved List for Collection) Act.
The Nigeria Data Protection Act 2023, Section 25, requires that any contract for data processing services — which most IT service agreements involve — must contain specific data processing terms addressing the processor's obligations, security measures, sub-processing authorisation, data breach notification timelines (72 hours to the NDPC under Section 40), and data return or deletion at contract termination. Failure to include mandatory NDPA provisions in an IT service agreement exposes the client (as data controller) and the service provider (as data processor) to administrative fines of up to NGN 10 million or 2% of annual gross revenue under the NDPA.
Intellectual property ownership is a critical issue in Nigerian IT service agreements. Under the Copyright Act 2022 (which replaced the Copyright Act 1988), works created by an employee in the course of employment vest in the employer. Works commissioned from an independent contractor vest in the contractor by default unless there is an express written assignment. An IT Service Agreement should therefore contain a clear intellectual property assignment clause if the client requires ownership of custom-developed software, databases, and documentation.
The legal framework governing the IT Service Agreement (Nigeria) in Nigeria draws on several key statutes and regulatory bodies. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Parties executing an IT Service Agreement (Nigeria) in Nigeria should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies and Allied Matters Act (CAMA) 2020 sets the foundational requirements.
When Do You Need an IT Service Agreement (Nigeria)?
An IT Service Agreement is needed in Nigeria whenever a business, government agency, or individual engages a technology company or IT consultant to provide technology services of more than a transactional nature.
An IT Service Agreement is required when a Nigerian bank regulated by the Central Bank of Nigeria (CBN) engages a fintech company or IT vendor to develop or integrate a digital payment platform, mobile banking application, or core banking system — the CBN's Risk-Based Cybersecurity Framework for Banks and Other Financial Institutions (2022) requires formal contractual arrangements with all technology vendors.
An IT Service Agreement is needed when a company subject to the Nigeria Data Protection Act 2023 outsources its data processing operations — including customer database management, CRM systems, or cloud storage — to an IT service provider. The NDPC requires a documented data processing agreement as part of the NDPA compliance framework.
An IT Service Agreement is required when a Nigerian business engages a managed service provider (MSP) for ongoing IT infrastructure support, covering service level agreements (SLAs) for uptime, response times, and escalation procedures — without a written SLA, the client has no contractual basis to claim compensation for service failures.
An IT Service Agreement is needed when a government ministry, department, or agency (MDA) engages a technology company under the Bureau of Public Procurement (BPP) procurement framework — the Public Procurement Act 2007 requires formal contracts for all IT procurements above the thresholds specified in the Monetary and Procurement Thresholds Regulations.
An IT Service Agreement is required when a Nigerian startup engages a software development firm to build a custom application — the agreement must address IP ownership, source code escrow, warranty periods, and post-launch support to protect the startup's investment.
Parties in Nigeria should prepare an IT Service Agreement (Nigeria) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your IT Service Agreement (Nigeria)
A thorough IT Service Agreement for Nigeria must contain the following essential elements to comply with Nigerian law and protect both parties' interests.
Parties: Full legal names, RC numbers (for companies registered with the Corporate Affairs Commission (CAC) under CAMA 2020), and addresses of the service provider and client. For foreign IT companies operating in Nigeria, the agreement should reference the company's SEC or FIRS registration where applicable.
Scope of Services: A precise description of the IT services to be provided, referencing technical specifications, project deliverables, timelines, and milestones. The scope should be specific enough to serve as the basis for SLA performance measurement.
Service Level Agreement (SLA): Measurable service standards including system uptime percentage (e.g., 99.5% monthly), incident response times, resolution targets, planned maintenance windows, and the process for escalating unresolved issues. SLA breaches should trigger defined service credits.
Fees and Payment: The service fee in NGN, payment schedule, invoice procedure, and the applicable withholding tax rate (10% on technical service fees under Section 78 of CITA). VAT at 7.5% under the Value Added Tax Act (Cap V1, LFN 2004) applies to IT services.
Intellectual Property: A clear statement of who owns pre-existing IP (each party retains ownership), and whether custom deliverables are assigned to the client upon full payment. Under the Copyright Act 2022, express written assignment is required for IP to transfer from an independent contractor.
Data Protection: A data processing addendum incorporating NDPA 2023, Section 25 obligations — specifying the processor's security measures, sub-processing restrictions, 72-hour breach notification to the NDPC, data return/deletion procedure, and the client's right to audit.
Confidentiality: Mutual confidentiality obligations covering technical specifications, pricing, client data, and proprietary systems.
Limitation of Liability: A cap on the service provider's aggregate liability — typically one to twelve months' fees — and exclusion of indirect, consequential, and loss-of-profit damages, subject to Nigerian law limits on exclusion clauses.
Term and Termination: Contract duration, renewal provisions, termination for cause (material breach unremedied within 30 days), termination for convenience (with notice), and data return obligations on termination.
Additional compliance elements for an IT Service Agreement (Nigeria) used in Nigeria include: Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). IT Service Agreement (Nigeria) (Nigeria) [Legal document template]. Forms Legal. https://forms-legal.com/nigeria/business/contracts/it-service-agreement-nigeria
"IT Service Agreement (Nigeria) (Nigeria)." Forms Legal, 2026, https://forms-legal.com/nigeria/business/contracts/it-service-agreement-nigeria.
@misc{formslegal-it-service-agreement-nigeria,
author = {{Forms Legal}},
title = {IT Service Agreement (Nigeria) (Nigeria)},
year = {2026},
howpublished = {\url{https://forms-legal.com/nigeria/business/contracts/it-service-agreement-nigeria}},
note = {Free legal document template. Based on Companies and Allied Matters Act (CAMA) 2020}
}
Frequently Asked Questions
Under the Nigeria Data Protection Act 2023 (NDPA), administered by the Nigeria Data Protection Commission (NDPC), any IT service agreement involving the processing of personal data of Nigerian residents must include a data processing agreement (DPA) as a mandatory component. Section 25 of the NDPA requires that contracts between a data controller (client) and a data processor (IT service provider) specify: the subject matter and duration of processing; the nature and purpose of processing; the type of personal data and categories of data subjects; the obligations and rights of the data controller; the processor's obligation to process data only on documented instructions; security measures under Section 38; the processor's obligation to notify the controller within 72 hours of becoming aware of a data breach; the processor's obligation to assist with data subject rights requests; and the processor's obligation to delete or return all personal data at the end of the service. Processors who engage sub-processors require the controller's prior written consent. Violations attract fines of up to NGN 10 million or 2% of annual gross revenue.
Under the Copyright Act 2022 (which replaced the Copyright Act 1988 and came into force in 2023), the default position for independently contracted software development work is that the copyright vests in the contractor (developer) who created the work. The Copyright Act 2022 provides that commissioned works vest in the commissioner only where there is an express written agreement to that effect. Therefore, a Nigerian company that pays an IT service provider to develop bespoke software does NOT automatically own the copyright — the developer owns it unless the IT Service Agreement contains an express written assignment of copyright to the client. For government IT contracts under the Public Procurement Act 2007, the NCC and NITDA typically require that all deliverables are assigned to the procuring government entity. IT service agreements should also address ownership of derivative works, modifications made by the client, and the service provider's right to use general know-how and non-client-specific code developed during the project.
IT service fees paid to Nigerian companies are subject to Companies Income Tax (CIT) at 30% for large companies (annual turnover above NGN 100 million) or 20% for medium companies under the Companies Income Tax Act (Cap C21, LFN 2004) as amended by the Finance Acts. Withholding tax (WHT) of 10% applies to technical service fees — including IT consultancy, software development, and maintenance fees — under Section 78 of CITA and is deducted by the client at source and remitted to the Federal Inland Revenue Service (FIRS). Value Added Tax (VAT) at 7.5% under the Value Added Tax Act (Cap V1, LFN 2004) as amended by the Finance Act 2020 applies to IT services. The VAT is charged on the invoice by the service provider and remitted to FIRS monthly. For foreign IT companies providing services to Nigerian clients without a Nigerian PE (permanent establishment), a 10% withholding tax is still applicable under the Finance Act 2021's introduction of significant economic presence rules.
A Service Level Agreement (SLA) in a Nigerian IT service agreement should define measurable performance standards and remedies for non-performance. The SLA should cover: uptime commitment expressed as a monthly or annual percentage (e.g., 99.5% availability, equating to no more than 3.65 hours downtime per month); incident priority levels (Critical, High, Medium, Low) with defined response and resolution times for each; planned maintenance windows communicated at least 48 hours in advance; the procedure for reporting incidents, including a helpdesk contact number and escalation matrix; service credits for SLA breaches (e.g., 5% credit for each 0.5% shortfall in uptime); and exclusions from SLA calculations (e.g., downtime caused by the client's own equipment, force majeure events, or NCC network outages beyond the provider's control). The SLA should also specify reporting obligations — monthly service reports showing SLA performance metrics — and the dispute resolution mechanism for contested SLA calculations. Nigerian courts have enforced SLA credit provisions as liquidated damages clauses where the amounts are a genuine pre-estimate of loss.
Under the Companies and Allied Matters Act 2020 (CAMA 2020), a foreign company that wishes to carry on business in Nigeria must incorporate a Nigerian subsidiary or register as a foreign company with the Corporate Affairs Commission (CAC) under Part C of CAMA 2020. A foreign IT company that operates exclusively from outside Nigeria providing digital services to Nigerian clients — without a local office, employees, or physical presence — may technically not require CAMA registration but must comply with the Finance Act 2021's significant economic presence (SEP) rules, which deem a foreign digital service provider with annual revenue from Nigeria exceeding NGN 25 million to have a deemed taxable presence in Nigeria, subjecting it to Companies Income Tax. Additionally, the NDPA 2023 applies to any entity that processes personal data of Nigerian residents regardless of where the entity is located, requiring the foreign IT company to appoint a data protection compliance organisation (DPCO) registered with the NDPC. The NCC also licenses certain IT-adjacent telecom services that foreign companies must comply with.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.