@tantainnovative/ndpr-recipes 0.1.0 → 0.2.0

package/README.md

@@ -1,6 +1,6 @@
 # @tantainnovative/ndpr-recipes
 
-Backend recipes for NDPA compliance with [@tantainnovative/ndpr-toolkit](https://github.com/tantainnovative/ndpr-toolkit).
+Backend recipes for Nigeria NDPA 2023 / NDPC GAID 2025 compliance with [@tantainnovative/ndpr-toolkit](https://github.com/mr-tanta/ndpr-toolkit).
 
 ## What is this?
 
@@ -23,9 +23,11 @@ This package is a **reference implementation** — not a library to install. Cop
 | DSR request persistence | Prisma adapter, Drizzle adapter |
 | Breach report persistence | Prisma adapter |
 | ROPA persistence | Prisma adapter |
-| Next.js App Router | Consent, DSR, Breach, ROPA, Compliance route handlers |
-| Express | Full NDPR router with consent, DSR, breach, ROPA, compliance routes |
+| Next.js App Router | Consent, DSR, Breach, ROPA, Compliance, Registration route handlers |
+| Express | Full NDPR router with consent, DSR, breach, ROPA, compliance, registration routes |
 | Consent middleware | Next.js edge middleware + Express middleware |
+| GAID 2025 (DCPMI + CAR) | `/registration` route — tier classification + Compliance Audit Return schedule |
+| Breach Article-33 readiness | Breach detail routes return which NDPC notification fields are still missing |
 
 ---
 
@@ -41,19 +43,27 @@ This package is a **reference implementation** — not a library to install. Cop
 | `src/adapters/prisma-ropa.ts` | Prisma `StorageAdapter<RecordOfProcessingActivities>` |
 | `src/adapters/drizzle-consent.ts` | Drizzle `StorageAdapter<ConsentSettings>` |
 | `src/adapters/drizzle-dsr.ts` | Drizzle `StorageAdapter<DSRRequest[]>` |
+| `src/adapters/drizzle-breach.ts` | Drizzle `StorageAdapter<BreachState>` |
+| `src/adapters/drizzle-ropa.ts` | Drizzle `StorageAdapter<RecordOfProcessingActivities>` |
+| `src/adapters/drizzle-dpia.ts` | Drizzle `StorageAdapter<DPIAResult[]>` |
+| `src/adapters/drizzle-lawful-basis.ts` | Drizzle `StorageAdapter<ProcessingActivity[]>` |
+| `src/adapters/drizzle-cross-border.ts` | Drizzle `StorageAdapter<CrossBorderTransfer[]>` |
 | `src/nextjs/app-router/api/consent/route.ts` | Next.js consent API route |
 | `src/nextjs/app-router/api/dsr/route.ts` | Next.js DSR API route |
 | `src/nextjs/app-router/api/breach/route.ts` | Next.js breach API route |
+| `src/nextjs/app-router/api/breach/[id]/route.ts` | Next.js breach detail route — returns GAID 2025 Art. 33 readiness |
 | `src/nextjs/app-router/api/ropa/route.ts` | Next.js ROPA API route |
 | `src/nextjs/app-router/api/compliance/route.ts` | Next.js compliance score API route |
+| `src/nextjs/app-router/api/registration/route.ts` | Next.js DCPMI tier + CAR schedule route (GAID 2025) |
 | `src/nextjs/app-router/middleware.ts` | Next.js consent gate middleware |
 | `src/nextjs/app-router/layout-example.tsx` | Full wiring example for App Router |
 | `src/express/index.ts` | Express router factory — mounts all routes |
 | `src/express/routes/consent.ts` | Express consent router |
 | `src/express/routes/dsr.ts` | Express DSR router |
-| `src/express/routes/breach.ts` | Express breach router |
+| `src/express/routes/breach.ts` | Express breach router — `GET /:id` returns GAID 2025 Art. 33 readiness |
 | `src/express/routes/ropa.ts` | Express ROPA router |
 | `src/express/routes/compliance.ts` | Express compliance score router |
+| `src/express/routes/registration.ts` | Express DCPMI tier + CAR schedule router (GAID 2025) |
 | `src/express/middleware/consent-check.ts` | Express consent gate middleware |
 
 ---
@@ -307,6 +317,7 @@ This mounts:
 | `GET/POST/PATCH  /api/ndpr/breach` | Breach notification |
 | `GET/POST/PATCH  /api/ndpr/ropa` | Record of Processing Activities |
 | `GET             /api/ndpr/compliance` | Compliance score |
+| `GET             /api/ndpr/registration` | DCPMI tier + CAR schedule (GAID 2025) |
 
 ### Consent middleware (route protection)
 
@@ -373,6 +384,46 @@ The `apiAdapter` hits your `/api/consent` route handler (from `src/nextjs/app-ro
 
 ---
 
+## GAID 2025 — DCPMI registration & breach readiness
+
+The NDPC's General Application and Implementation Directive (GAID) 2025 added
+obligations the original recipes predate. Two recipes cover them, both built on
+the toolkit's React-free `/server` utilities (no extra database tables needed).
+
+### DCPMI tier + Compliance Audit Return (`/registration`)
+
+`classifyDCPMI` derives your registration tier and annual fee from the number of
+data subjects you process in a six-month window; `generateComplianceAuditReturn`
+derives the filing schedule for those that must file:
+
+- **UHL** (> 5,000 subjects) — ₦250,000/yr, files a **CAR annually**
+- **EHL** (1,000–5,000) — ₦100,000/yr, files a **CAR annually**
+- **OHL** (200–999) — ₦10,000/yr, **renews registration** (no CAR)
+
+```ts
+// GET /api/registration?dataSubjects=6200&commencementDate=2025-01-15
+import { classifyDCPMI, generateComplianceAuditReturn } from '@tantainnovative/ndpr-toolkit/server';
+
+const classification = classifyDCPMI({ dataSubjectsInSixMonths: 6200 });
+const auditReturn = generateComplianceAuditReturn({
+  commencementDate: '2025-01-15',
+  tier: classification.tier, // CAR applies to UHL/EHL only
+});
+```
+
+> Thresholds, fees, and deadlines follow the NDPC GAID 2025 baseline and can
+> change — verify against current NDPC guidance before relying on them.
+
+### Breach Article-33 readiness
+
+The breach detail routes (`GET /api/breach/[id]` in Next.js, `GET /breach/:id`
+in Express) now return an `ndpcReadiness` object via `assessBreachNotification` —
+which GAID 2025 Article 33(5) notification fields are still missing and how many
+hours remain on the 72-hour clock — so you know what to collect before filing.
+Set `NDPR_DPO_NAME` / `NDPR_DPO_EMAIL` to record the contact point.
+
+---
+
 ## Database Schema
 
 ### Tables
@@ -380,7 +431,7 @@ The `apiAdapter` hits your `/api/consent` route handler (from `src/nextjs/app-ro
 | Table | Description | NDPA reference |
 |---|---|---|
 | `ndpr_consent_records` | Immutable consent audit trail. `revokedAt` marks withdrawal — rows are never deleted. | §25–26 |
-| `ndpr_dsr_requests` | Data subject rights requests. Tracks type, status, and 30-day response deadline. | Part IV §29–36 |
+| `ndpr_dsr_requests` | Data subject rights requests. Tracks type, status, and 30-day response deadline. | Part VI §34–38 |
 | `ndpr_breach_reports` | Breach incident records with 72-hour NDPC notification tracking. | §40 |
 | `ndpr_processing_records` | Record of Processing Activities (ROPA). | Accountability principle |
 | `ndpr_audit_log` | Append-only compliance event log. | §44 |
@@ -396,7 +447,7 @@ The consent table follows an immutable-audit pattern: when a subject updates or
 | Module | NDPA provision |
 |---|---|
 | Consent | Sections 25–26 (lawful basis, consent withdrawal) |
-| Data Subject Rights | Part IV, Sections 29–36 (access, erasure, portability, etc.) |
+| Data Subject Rights | Part VI, Sections 34–38 (access, erasure, portability, etc.) |
 | Breach Notification | Section 40 (72-hour notification to NDPC) |
 | ROPA | Accountability principle; Schedule 1, Part 1 |
 | Audit Log | Section 44 (accountability and record-keeping) |

package/package.json

@@ -1,24 +1,33 @@
 {
   "name": "@tantainnovative/ndpr-recipes",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "private": false,
-  "description": "Backend recipes for @tantainnovative/ndpr-toolkit — Prisma schemas, API routes, and ORM adapters for NDPA compliance",
+  "description": "Backend recipes for @tantainnovative/ndpr-toolkit — Prisma schemas, API routes, and ORM adapters for Nigeria NDPA 2023 / NDPC GAID 2025 compliance",
   "license": "MIT",
   "author": {
     "name": "Abraham Esandayinze Tanta",
     "url": "https://linkedin.com/in/mr-tanta"
   },
+  "homepage": "https://ndprtoolkit.com.ng",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/mr-tanta/ndpr-toolkit.git",
     "directory": "packages/ndpr-recipes"
   },
-  "keywords": ["ndpa", "ndpr", "nigeria", "data-protection", "prisma", "nextjs", "express"],
+  "keywords": ["ndpa", "ndpr", "gaid-2025", "dcpmi", "compliance-audit-return", "nigeria", "data-protection", "prisma", "nextjs", "express"],
   "files": [
     "src/**/*",
     "prisma/**/*",
     "README.md"
   ],
+  "peerDependencies": {
+    "@tantainnovative/ndpr-toolkit": "^5.5.1"
+  },
+  "peerDependenciesMeta": {
+    "@tantainnovative/ndpr-toolkit": {
+      "optional": false
+    }
+  },
   "publishConfig": {
     "access": "public"
   }

package/prisma/schema.prisma

@@ -89,16 +89,71 @@ model ProcessingRecord {
   @@map("ndpr_processing_records")
 }
 
+model DPIARecord {
+  id           String   @id @default(cuid())
+  projectName  String
+  description  String
+  dpiaData     Json
+  overallRisk  String
+  score        Int
+  status       String   @default("draft")
+  conductedBy  String
+  approvedBy   String?
+  createdAt    DateTime @default(now())
+  updatedAt    DateTime @updatedAt
+
+  @@index([status])
+  @@index([conductedBy])
+  @@map("ndpr_dpia_records")
+}
+
+model LawfulBasisRecord {
+  id               String   @id @default(cuid())
+  activityName     String
+  lawfulBasis      String
+  justification    String
+  dataCategories   Json
+  purposes         Json
+  assessedBy       String
+  assessedAt       DateTime @default(now())
+  reviewDate       DateTime?
+  createdAt        DateTime @default(now())
+  updatedAt        DateTime @updatedAt
+
+  @@index([lawfulBasis])
+  @@index([assessedBy])
+  @@map("ndpr_lawful_basis_records")
+}
+
+model CrossBorderTransferRecord {
+  id                    String   @id @default(cuid())
+  destinationCountry    String
+  recipientName         String
+  transferMechanism     String
+  safeguards            String
+  dataCategories        Json
+  adequacyStatus        String
+  ndpcApprovalRequired  Boolean  @default(false)
+  ndpcApprovalReference String?
+  riskLevel             String
+  createdAt             DateTime @default(now())
+  updatedAt             DateTime @updatedAt
+
+  @@index([destinationCountry])
+  @@index([riskLevel])
+  @@map("ndpr_cross_border_transfer_records")
+}
+
 model ComplianceAuditLog {
   id          String   @id @default(cuid())
-  module      String
   action      String
-  entityId    String
-  entityType  String
-  changes     Json?
+  module      String
+  details     Json?
   performedBy String?
+  ipAddress   String?
   createdAt   DateTime @default(now())
 
-  @@index([module, entityId])
+  @@index([module])
+  @@index([performedBy])
   @@map("ndpr_audit_log")
 }

package/src/adapters/drizzle-breach.ts

@@ -0,0 +1,179 @@
+/**
+ * Drizzle adapter for the Breach Notification module.
+ *
+ * Implements StorageAdapter<BreachState> backed by the `ndpr_breach_reports`
+ * Drizzle table, where BreachState is the shape managed by the useBreach() hook:
+ *
+ *   {
+ *     reports: BreachReport[];
+ *     assessments: RiskAssessment[];
+ *     notifications: RegulatoryNotification[];
+ *   }
+ *
+ * This adapter persists and loads BreachReport records. RiskAssessments and
+ * RegulatoryNotifications are stored as JSON on the breach row — extend the
+ * schema with additional columns if you need full relational queries.
+ *
+ * Behaviour
+ * ---------
+ * - LOAD  → loads all breach reports from the database, ordered newest first.
+ * - SAVE  → upserts each report by ID using Drizzle's `onConflictDoUpdate`.
+ * - REMOVE → marks all ongoing reports as 'resolved' (no hard deletes;
+ *            NDPA Section 40 audit trail is preserved).
+ *
+ * Usage
+ * -----
+ * Copy this file into your project alongside your Drizzle client, then wire it
+ * into the toolkit hook:
+ *
+ *   import { drizzle } from 'drizzle-orm/node-postgres';
+ *   import { Pool } from 'pg';
+ *   import { useBreach } from '@tantainnovative/ndpr-toolkit';
+ *   import { drizzleBreachAdapter } from './adapters/drizzle-breach';
+ *   import * as schema from './drizzle/schema';
+ *
+ *   const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+ *   const db = drizzle(pool, { schema });
+ *
+ *   function BreachPage() {
+ *     const adapter = drizzleBreachAdapter(db);
+ *     const { reports, submitReport } = useBreach({ adapter });
+ *     // ...
+ *   }
+ *
+ * Prerequisites
+ * -------------
+ * - The `ndpr_breach_reports` table must exist (run your Drizzle migration).
+ * - `drizzle-orm` must be installed in your project.
+ * - `@tantainnovative/ndpr-toolkit` must be installed in your project.
+ *
+ * @module adapters/drizzle-breach
+ */
+
+import { eq, desc } from 'drizzle-orm';
+import type { StorageAdapter } from '@tantainnovative/ndpr-toolkit';
+import type { BreachReport, RiskAssessment, RegulatoryNotification } from '@tantainnovative/ndpr-toolkit';
+import { breachReports } from '../drizzle/schema';
+
+/** The state shape managed by the useBreach() hook */
+export interface BreachState {
+  reports: BreachReport[];
+  assessments: RiskAssessment[];
+  notifications: RegulatoryNotification[];
+}
+
+/**
+ * Creates a Drizzle-backed StorageAdapter for the breach module's state.
+ *
+ * @param db - Your Drizzle database instance (any driver — pg, neon, libsql, etc.)
+ * @returns A StorageAdapter<BreachState> ready to pass to useBreach().
+ */
+export function drizzleBreachAdapter(db: any): StorageAdapter<BreachState> {
+  return {
+    /**
+     * Load all breach reports from the database, ordered newest first.
+     * Assessments and notifications are returned as empty arrays — extend
+     * the schema if you need to persist them.
+     */
+    async load(): Promise<BreachState | null> {
+      const rows = await db
+        .select()
+        .from(breachReports)
+        .orderBy(desc(breachReports.reportedAt));
+
+      if (rows.length === 0) return null;
+
+      return {
+        reports: rows.map(mapRowToBreachReport),
+        assessments: [],
+        notifications: [],
+      };
+    },
+
+    /**
+     * Persist the current breach state.
+     * Each report is upserted by ID using Drizzle's `onConflictDoUpdate`.
+     * Assessments and notifications are ignored unless you extend the schema.
+     */
+    async save(state: BreachState): Promise<void> {
+      if (state.reports.length === 0) return;
+
+      await Promise.all(
+        state.reports.map((report) => {
+          const row = mapBreachReportToRow(report);
+          return db
+            .insert(breachReports)
+            .values({ id: report.id, ...row })
+            .onConflictDoUpdate({
+              target: breachReports.id,
+              set: row,
+            });
+        }),
+      );
+    },
+
+    /**
+     * Soft-close all ongoing breach reports by setting status to 'resolved'.
+     * Hard deletes are never performed to preserve the NDPA Section 40
+     * compliance audit trail.
+     */
+    async remove(): Promise<void> {
+      await db
+        .update(breachReports)
+        .set({ status: 'resolved' })
+        .where(eq(breachReports.status, 'ongoing'));
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Mapping helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Map a raw Drizzle row (from ndpr_breach_reports) to the toolkit's BreachReport type.
+ */
+function mapRowToBreachReport(row: any): BreachReport {
+  return {
+    id: row.id,
+    title: row.title,
+    description: row.description,
+    category: row.category,
+    discoveredAt: row.discoveredAt.getTime(),
+    occurredAt: row.occurredAt?.getTime(),
+    reportedAt: row.reportedAt.getTime(),
+    status: row.status as BreachReport['status'],
+    reporter: {
+      name: row.reporterName,
+      email: row.reporterEmail,
+      department: row.reporterDepartment ?? '',
+    },
+    affectedSystems: (row.affectedSystems as string[]) ?? [],
+    dataTypes: (row.dataTypes as string[]) ?? [],
+    estimatedAffectedSubjects: row.estimatedAffected ?? undefined,
+    initialActions: row.initialActions ?? undefined,
+  };
+}
+
+/**
+ * Map a toolkit BreachReport to the Drizzle insert/update row shape.
+ */
+function mapBreachReportToRow(report: BreachReport): Record<string, unknown> {
+  return {
+    title: report.title,
+    description: report.description,
+    category: report.category,
+    severity: 'medium',
+    status: report.status,
+    discoveredAt: new Date(report.discoveredAt),
+    occurredAt: report.occurredAt ? new Date(report.occurredAt) : null,
+    reportedAt: new Date(report.reportedAt),
+    reporterName: report.reporter.name,
+    reporterEmail: report.reporter.email,
+    reporterDepartment: report.reporter.department ?? null,
+    affectedSystems: report.affectedSystems,
+    dataTypes: report.dataTypes,
+    estimatedAffected: report.estimatedAffectedSubjects ?? null,
+    initialActions: report.initialActions ?? null,
+  };
+}

package/src/adapters/drizzle-cross-border.ts

@@ -0,0 +1,174 @@
+/**
+ * Drizzle adapter for the Cross-Border Data Transfer module.
+ *
+ * Implements StorageAdapter<CrossBorderTransfer[]> backed by the
+ * `ndpr_cross_border_transfer_records` Drizzle table.
+ *
+ * Under NDPA Part VIII (Sections 41-43), personal data may only be transferred
+ * outside Nigeria under specific conditions. This adapter tracks every
+ * cross-border transfer, the mechanism relied upon, and NDPC approval status.
+ *
+ * Behaviour
+ * ---------
+ * - LOAD  → returns all cross-border transfer records, ordered newest first.
+ * - SAVE  → upserts each CrossBorderTransfer by ID using Drizzle's
+ *           `onConflictDoUpdate` pattern.
+ * - REMOVE → soft-terminates all active transfers by setting their status
+ *            columns (no hard deletes; the audit trail is preserved).
+ *
+ * Usage
+ * -----
+ * Copy this file into your project alongside your Drizzle client, then wire it
+ * into the toolkit:
+ *
+ *   import { drizzle } from 'drizzle-orm/node-postgres';
+ *   import { Pool } from 'pg';
+ *   import { drizzleCrossBorderAdapter } from './adapters/drizzle-cross-border';
+ *   import * as schema from './drizzle/schema';
+ *
+ *   const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+ *   const db = drizzle(pool, { schema });
+ *
+ *   function CrossBorderPage() {
+ *     const adapter = drizzleCrossBorderAdapter(db);
+ *     // pass adapter to your cross-border hook or use it directly
+ *   }
+ *
+ * Prerequisites
+ * -------------
+ * - The `ndpr_cross_border_transfer_records` table must exist (run your Drizzle migration).
+ * - `drizzle-orm` must be installed in your project.
+ * - `@tantainnovative/ndpr-toolkit` must be installed in your project.
+ *
+ * @module adapters/drizzle-cross-border
+ */
+
+import { eq, desc } from 'drizzle-orm';
+import type { StorageAdapter } from '@tantainnovative/ndpr-toolkit';
+import type { CrossBorderTransfer } from '@tantainnovative/ndpr-toolkit';
+import { crossBorderTransferRecords } from '../drizzle/schema';
+
+/**
+ * Creates a Drizzle-backed StorageAdapter for CrossBorderTransfer[].
+ *
+ * @param db - Your Drizzle database instance (any driver — pg, neon, libsql, etc.)
+ * @returns A StorageAdapter<CrossBorderTransfer[]> ready to use with the cross-border module.
+ */
+export function drizzleCrossBorderAdapter(
+  db: any,
+): StorageAdapter<CrossBorderTransfer[]> {
+  return {
+    /**
+     * Load all cross-border transfer records, ordered newest first.
+     * Returns null if no records exist.
+     */
+    async load(): Promise<CrossBorderTransfer[] | null> {
+      const rows = await db
+        .select()
+        .from(crossBorderTransferRecords)
+        .orderBy(desc(crossBorderTransferRecords.createdAt));
+
+      if (rows.length === 0) return null;
+
+      return rows.map(mapRowToCrossBorderTransfer);
+    },
+
+    /**
+     * Persist the current list of cross-border transfers.
+     * Each transfer is upserted by ID so partial updates work.
+     */
+    async save(transfers: CrossBorderTransfer[]): Promise<void> {
+      if (transfers.length === 0) return;
+
+      await Promise.all(
+        transfers.map((transfer) => {
+          const row = mapCrossBorderTransferToRow(transfer);
+          return db
+            .insert(crossBorderTransferRecords)
+            .values({ id: transfer.id, ...row })
+            .onConflictDoUpdate({
+              target: crossBorderTransferRecords.id,
+              set: row,
+            });
+        }),
+      );
+    },
+
+    /**
+     * Soft-terminate all active cross-border transfers by updating their
+     * timestamp. Transfers are never hard-deleted so the NDPA Part VI
+     * compliance audit trail is preserved.
+     *
+     * Note: This updates all records. If you need to scope removal to a
+     * specific status, add a `status` column to the schema and filter on it.
+     */
+    async remove(): Promise<void> {
+      await db
+        .update(crossBorderTransferRecords)
+        .set({ updatedAt: new Date() });
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Mapping helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Map a raw Drizzle row (from ndpr_cross_border_transfer_records) to the
+ * toolkit's CrossBorderTransfer type. Some rich fields on the toolkit type
+ * default to placeholder values — extend the schema if you need full
+ * round-trip fidelity.
+ */
+function mapRowToCrossBorderTransfer(row: any): CrossBorderTransfer {
+  return {
+    id: row.id,
+    destinationCountry: row.destinationCountry,
+    adequacyStatus: row.adequacyStatus as CrossBorderTransfer['adequacyStatus'],
+    transferMechanism: row.transferMechanism as CrossBorderTransfer['transferMechanism'],
+    dataCategories: (row.dataCategories as string[]) ?? [],
+    includesSensitiveData: false,
+    recipientOrganization: row.recipientName,
+    recipientContact: {
+      name: row.recipientName,
+      email: '',
+    },
+    purpose: '',
+    safeguards: row.safeguards ? [row.safeguards] : [],
+    riskAssessment: '',
+    riskLevel: row.riskLevel as CrossBorderTransfer['riskLevel'],
+    ndpcApproval: row.ndpcApprovalRequired
+      ? {
+          required: row.ndpcApprovalRequired,
+          applied: !!row.ndpcApprovalReference,
+          approved: !!row.ndpcApprovalReference,
+          referenceNumber: row.ndpcApprovalReference ?? undefined,
+        }
+      : undefined,
+    tiaCompleted: false,
+    frequency: 'continuous',
+    startDate: row.createdAt.getTime(),
+    status: 'active',
+    createdAt: row.createdAt.getTime(),
+    updatedAt: row.updatedAt.getTime(),
+  };
+}
+
+/**
+ * Map a toolkit CrossBorderTransfer to the Drizzle insert/update row shape.
+ * Composite toolkit fields are flattened to match the simplified schema.
+ */
+function mapCrossBorderTransferToRow(transfer: CrossBorderTransfer): Record<string, unknown> {
+  return {
+    destinationCountry: transfer.destinationCountry,
+    recipientName: transfer.recipientOrganization,
+    transferMechanism: transfer.transferMechanism,
+    safeguards: transfer.safeguards.join('; '),
+    dataCategories: transfer.dataCategories,
+    adequacyStatus: transfer.adequacyStatus,
+    ndpcApprovalRequired: transfer.ndpcApproval?.required ?? false,
+    ndpcApprovalReference: transfer.ndpcApproval?.referenceNumber ?? null,
+    riskLevel: transfer.riskLevel,
+    updatedAt: new Date(),
+  };
+}