Zinc Data Processing Addendum

  1. This Data Processing Addendum is between:
     (a). Zinc Work Limited, a company incorporated and registered in England and Wales (company number 10961635) with a registered address at Eastcastle House, 27-28 Eastcastle Street, London, United Kingdom, W1W 8DH, on behalf of itself and any affiliates (“Zinc”); and
     (b). The counterparty (“You”, “Your”, “Yours”, “Yourselves” or “Company”), on behalf of itself and any affiliates, whose registered country, address and signature are set out in the Order Form,
     (each a “Party” and together the “Parties”).
  2. Zinc may update this DPA from time to time. If this DPA is updated You will be notified in writing by email using the latest contact information You have provided to Zinc. Such updates will take effect 30 days after the date of delivery of notification and Your continued usage of the Zinc Service will be deemed to constitute acceptance of the updated DPA.

1. Definitions

  • “Agreement” means this DPA, the Zinc Terms and Conditions and the relevant Order Form signed by You which together govern the agreement between the parties subject to which the Zinc Service is provided. 
  • “Candidate” means any Data Subject whose Personal Data You enter into the Zinc Service. 
  • “Candidate Data” means Personal Data in regards to Candidate(s) inputted by You into the Zinc Service. 
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed by Zinc. 
  • “Data Protection Laws” means applicable laws or regulations relating to the privacy of Data Subjects within the scope of this DPA, including but not limited to the UK GDPR and GDPR. 
  • “Data Subject” means an identified or identifiable natural person.
  • “Data Subject Request” has the meaning given to it in Clause 8.1.
  • “Objection” has the meaning given to it in Clause 6.5.
  • “Processing” means the gathering, processing or use of Personal Data by Zinc in accordance with the instructions provided by You. 
  • “Personal Data” means any information which is related to an identified or identifiable natural person.
  • “Redacted Candidate” has the meaning given to it in Clause 3.2.
  • “Relevant Candidate” has the meaning given to it in Clause 3.1.
  • “Subprocessor” means any Processor engaged by Zinc in connection with the Agreement (where Processor has the meaning as set out in the GDPR). 
  • “Zinc Service” means the website www.zincwork.com owned and operated by Zinc, the Zinc API, the Zinc Service web based application with which You interact, and any other related services which Zinc may, from time to time, offer (“Service” as context requires).

2. Background

  • 2.1 This DPA reflects the Parties’ agreement with respect to the Processing of Personal Data. This DPA is supplemental to the Zinc Service Terms and Conditions and the relevant Order Form and it forms a material part of the Agreement between You and Zinc.
  • 2.2 In the event of a conflict between any of the Terms and Conditions, the Order Form and the DPA, the following order of precedence shall apply in descending order: DPA, Order Form, Terms and Conditions.

3. Scope of this DPA

  • 3.1 This DPA applies only to the Personal Data of Candidates who:
  • (a). undergo a Check through the Zinc Service directly as a result of You inputting their information into the Zinc Service; and
  • (b). enter into work with Yourselves (whether such work is paid, voluntary, or otherwise); and 
  • (c). remain in work with Yourselves (a “Relevant Candidate”). 
  • 3.2 If You enter a Candidate’s information into the Zinc Service but, for any reason, they: 
  • (a). do not enter into work with Yourselves; or 
  • (b). enter into work with Yourselves but are subsequently terminated, made redundant, resign, or otherwise cease to work with You (whether such work is paid, voluntary, or otherwise), then that Candidate will not fall under the scope of this DPA (a “Redacted Candidate”).
  • 3.3 In some cases Zinc may provide the Zinc Service to You in respect of a Data Subject whose Personal Data has, independently of You, been previously inputted into the Zinc Service. So long as that Data Subject meets the requirements set out in Clause 3.1, Your inputting of their Personal Data into the Zinc Service will render them a Relevant Candidate for the purposes of this DPA. 
  • 3.4 If a Data Subject is rendered a Relevant Candidate who subsequently meets the criteria set out in Clause 3.2, this will immediately render them a Redacted Candidate for the purposes of this DPA.

4. Zinc's processor obligations

  • 4.1 Zinc will only Process Personal Data in line with Your lawful instructions unless it is required to Process said Personal Data by any applicable law. 
  • 4.2 If Zinc becomes aware that it cannot Process Personal Data in line with Your instructions due to a conflict with any applicable law, Zinc shall notify You of said conflict to the extent permitted. 
  • 4.3 In the event that Zinc issues notification to You in accordance with Clause 4.2 it may cease all Processing of Personal Data (other than merely storing and maintaining the security of the affected Personal Data) until such time as You provide Zinc with new lawful instructions with which it is able to comply.  
  • 4.4 In the event that Zinc issues notification to You in accordance with Clause 4.2 it may cease the provision of the Zinc Service until such time as You provide Zinc with new lawful instructions with which it is able to comply. In the case of such an event Zinc shall in no way be liable to You under the Agreement for its inability to provide the Zinc Service to You. 
  • 4.5 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Zinc shall implement appropriate technical and organisational measures to protect Personal Data against Data Breaches. This includes but is not limited to the measures set out in Annex III.
  • 4.6 In the event that Zinc becomes aware of a Data Breach Zinc shall:
  • (a). Notify You of the Data Breach without undue delay.
  • (b). Provide You with reasonable assistance to notify the relevant authorities about said Data Breach as required.
  • (c). Provide You with reasonable assistance to notify any affected Data Subjects of said Data Breach as required.
  • (d). Investigate said Data Breach independently and provide reasonable assistance with any investigation You or a relevant authority may choose to carry out.
  • (e). Take steps as required to remedy any non-compliance with this DPA. 
  • 4.7 Zinc will ensure that access to Candidate Data is restricted only to employees who strictly need such access in order to carry out the core function of their role and shall ensure that said employees are informed of the confidential nature of Candidate Data.

5. Your controller obligations

  • 5.1 You agree that You will be responsible for complying with all applicable Data Protection Laws that apply to You under the Agreement and with respect to the lawful instructions You provide Zinc with. 
  • 5.2 You agree that You will be responsible for:
  • (a). the accuracy and legitimacy of the Candidate Data You provide; and
  • (b). the legality of the Candidate Data You provide and in particular the means by which You acquired said Candidate Data; and
  • (c). complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of Personal Data, in particular, obtaining consent from Candidates to provide their data to Zinc; and
  • (d). informing Zinc without undue delay if for any reason You are unable to comply with Your obligations under this Clause 5.2.

6. Subprocessors

  • 6.1 You grant Zinc the general authority to appoint Subprocessors from the list of service providers in Annex II.
  • 6.2 Zinc shall enter into a written agreement with each Subprocessor which contains terms that are substantially the same as those set out in this DPA. 
  • 6.3 The use of Subprocessors shall not relieve Zinc of its obligations under this DPA. Zinc shall remain liable to You under this DPA for the acts and omissions of any Subprocessors used in connection with this Agreement as if they were Zinc’s own acts and omissions. 
  • 6.4 You agree that Zinc may from time to time modify the list of approved Subprocessors. If Zinc chooses to do so, You shall be provided with at least 30 days written notice of its intention.
  • 6.5 You may object to the appointment of any new Subprocessor within 10 working days of their appointment (an “Objection”). If You choose to make an Objection, You must provide full written details documenting Your reasons for doing so. 
  • 6.6 In the event of an Objection, Zinc shall make reasonable efforts to prevent the Subprocessor from processing Candidate Data.

7. International transfers

  • 7.1 Zinc and any of its Subprocessors shall not transfer Personal Data outside the UK or the EEA without Your prior written consent.
  • 7.2 Where such consent is granted, Zinc shall only Process or permit the Processing of Personal Data outside the UK or EEA under the following conditions:
  • (a). Zinc is Processing Personal Data in a territory which is subject to adequate laws or regulations which provide protection for the privacy rights of individuals which are at least equivalent to the protection provided under the Data Protection Laws.
  • (b). The transfer is lawful under GDPR through any mechanism, including but not limited to, the use of relevant Standard Contractual Clauses (as amended and approved by the ICO for use in respect of transfers subject to UK GDPR); or
  • (c). The transfer is otherwise based on a mechanism authorised by the ICO. 

8. Complaints, Subject Access Requests and Third Party Rights

  • 8.1 Zinc shall notify You within 10 days if it receives a request from a Data Subject to exercise any of their applicable rights under Data Protection Laws (a “Data Subject Request”) and Zinc shall reasonably assist You in complying with any such Data Subject Request. 
  • 8.2 Zinc shall notify You immediately if it receives any complaint that relates to the Processing of Personal Data or to either Party’s compliance with Data Protection Laws under this DPA and Zinc shall give You its full co-operation and assistance in responding to such a complaint. 
  • 8.3 Unless otherwise prohibited by law or a legally binding order, Zinc shall notify You immediately of any notice or communication arising in connection with this DPA from a governmental body, regulatory body, data protection authority or law enforcement agency and Zinc shall give You its full co-operation and assistance in responding to such a notice or communication.

9. Audits

  • 9.1 Zinc shall permit You and an appropriate third party representative to audit its compliance with this DPA once per calendar year so long as You provide at least thirty (30) days written notice. Zinc shall provide its full co-operation in enabling such an audit. 
  • 9.2 A reduced written notice period of at least seven (7) days shall apply if You reasonably believe that a Personal Data Breach has or shall imminently occur, or if Zinc is in breach of any of its obligations under this DPA.

10. Term and Termination

  • 10.1 This DPA will remain in full force and effect so long as the Agreement remains in effect. 
  • 10.2 Any provision of this DPA that, expressly or by implication, should come into, or continue in force, on or after termination of the Agreement in order to protect Personal Data, shall remain in full force and effect. 
  • 10.3 A Party’s failure to comply with the terms of this DPA shall be a material breach of the Agreement. In such an event, the non-breaching Party may terminate the Agreement with immediate effect on written notice to the breaching Party without further liability or obligation to the non-breaching Party. 
  • 10.4 If a change in any Data Protection Law prevents either Party from fulfilling all or part of its obligations under the Agreement, the Parties may agree to suspend the Processing of the Personal Data until such Processing complies with the relevant Data Protection Law. If the Parties are unable to bring the Processing into compliance with Data Protection Law within 30 days, either Party may terminate the Agreement with immediate effect on written notice to the other Party without further liability or obligation to the other Party.
  • 10.5 Upon termination or expiry of the Agreement Zinc shall, except where otherwise required under the Data Protection Laws, delete or return to You (as You may elect) all outstanding Candidate Data.

11. Notices

  • 11.1 Any notice given to Zinc under or in connection with the Agreement must be in writing and delivered to: hamraj@zincwork.com.
  • 11.2 Any notice given to You under or in connection with the Agreement must be in writing and delivered to the email address specified in the relevant Order Form.

Annex I: Purpose and Details of Personal Data Processing

Subject matter of processing: The provision of employee reference and background checking services to You as further set out in the Terms and Conditions.

Duration of processing: For the term of the Agreement and thereafter for any periods permitted under the Agreement. 

Nature and Purpose of Processing: Zinc will Process the types of Personal Data set out below in order to arrange background and reference checks for Your Candidates.

Personal Data Categories: Identity data (which may include the following Special Categories of Personal Data: biometric data for the purpose of uniquely identifying a natural person), contact data, background check status data, qualification data, employment history data, sanctions data (which may include criminal offence data), financial data and usage data.

Data Subject Types:

  • Your employees, contractors or workers.
  • Candidates seeking to work with You (whether that work is paid, voluntary or otherwise).
  • Referees providing employment references for applicable Candidates.
  • Other third parties upon Your or applicable Candidate’s requests.

Annex II: Approved Subprocessors

| Company name | Address | Location of data processing | Type of service |
|---|---|---|---|
| iCover services | 16/18 rue Gaillon, 75002 Paris, France. | France | Supporting international criminal record checks |
| uCheck | First floor, Chiltern House, Sigford Rd, Marsh Barton, Exeter, EX2 8NL | United Kingdom | Supporting criminal record checks in England and Wales |
| Onfido | 3 Finsbury Ave, London EC2M 2PA | United Kingdom | Identity verification |
| TransUnion | Red Lion Buildings, Cock Ln, London, EC1A 9BU | United Kingdom | Credit background checks |
| Mistho Services Limited | 27 Old Gloucester Street, London, WC1N 3AX | United Kingdom | Employment verification checks |
| MongoDB | Building Two, Number One Ballsbridge, Dublin 4, Ballsbridge, Dublin | United Kingdom | Distributed cloud database for storage of data |
| Cloudflare | Riverside Building, 6th Floor, The County Hall, Belvedere Rd, London, SE1 7PB | United Kingdom | CDN and edge computing infrastructure |
| Digital OceanCloud | 101 6th Ave, New York, NY 10013, United States | United Kingdom | Cloud servers to process the application |
| Nexmo Ltd. | 15 Bonhill Street, LONDON, EC2A 4DN | United Kingdom | API driven Communication service |
| Mailgun | 112 E Pecan St. #1135, San Antonio, TX 78205 | Frankfurt | Email communication service. |
| Slack | Limited One Park Place, Upper Hatch Street Dublin 2 Ireland | United Kingdom | Communication service |
| Stripe Payments | 9th Floor, 107 Cheapside, United Kingdom. | United Kingdom | Invoicing and card payment rails |
| Auth0 | Bellevue, 10800 NE 8th St #700, Washington, United States | United Kingdom | Identity Access Management platform |
| Amazon Web Services, Inc. | 410 Terry Avenue North, Seattle, WA 98109-5210, U.S.A. | United Kingdom | Distributed cloud database for storage of data |

Zinc Integrations — only applicable if used by you

| Company name | Address | Location of data processing | Type of service |
|---|---|---|---|
| HiBob Limited | 5 New Street Square, London, England, EC4A 3TW | United Kingdom | Receiving contact data to trigger background checks and returning report links |
| Lever Inc | 125 Mission Street, San Francisco, CA94103 | EU or US services chosen by client | Receiving contact data to trigger background checks and returning report links |
| Workable | 95 - 97 Kifsias Ave, 15125, Marousi | EU or US services chosen by client | Receiving contact data to trigger background checks and returning report links |
| Greenhouse | New York City, 18 West 18th Street, 11th Floor, New York, NY 1001 | EU or US services chosen by client | Receiving contact data to trigger background checks and returning report links |
| Teamtailor | 4th Floor, National House, 60 - 66 Wardour St, London, W1F 0TA | Ireland | Receiving contact data to trigger background checks and returning report links |
| SmartRecruiters | 225 Bush Street, Suite 300, San Francisco, CA 94104 | Frankfurt | Receiving contact data to trigger background checks and returning report links |
| Pinpoint limited | Ajax Way, Methil Docks, Leven, Fife, KY8 3RS | United Kingdom | Receiving contact data to trigger background checks and returning report links |
| Comeet | 109 South 5th Street, Brooklyn, New York | EU or US services chosen by client | Receiving contact data to trigger background checks and returning report links |
| Talenthub | Skelbaekgade 4, 4. Tv. 1717 Copenhagen V Denmark. | Denmark | Receiving contact data to trigger background checks and returning report links |
| Ashby | 49 Geary Street, Suite 411, San Francisco, CA 94108, United States | United States by client choice | Receiving contact data to trigger background checks and returning report links |
| Freshteam | 3rd Floor, Johnson Building, 77 Hatton Garden, London, EC1N 89S | United Kingdom | Receiving contact data to trigger background checks and returning report links |
| Workday | 7th Floor, 1 Finsbury Avenue, EC2M 2PF | United Kingdom | Receiving contact data to trigger background checks and returning report links |
| Kombo | c/o Factory Works Gmbh, Lohmühlenstraße, 65, 12435, Berlin | Germany | In support of Workday only |

Annex III: Security measures

This Annex sets out Zinc’s technical and organisational measures. An overview of security measures is also available on Zinc’s page.

(A) Access Control
Physical Access Control: Zinc takes measures to prevent unauthorised persons from entering the premises in which data processing systems are stored and with which personal data are processed.
Technical Access Control: Zinc takes technical measures to prevent data processing systems from being used by unauthorised persons. These include authentication when accessing computers or systems using a user ID and password, as well as setting up firewalls.
Personnel Access Control: Zinc ensures that only authorised personnel can access Personal Data and that said data cannot be copied, changed or deleted without authorisation during processing and use and after saving. When granting access rights to Zinc personnel working on Your project, Zinc follows the principle of least privilege to ensure Your data are accessed only by personnel that need the access in order to provide the Zinc Services as ordered by You. 
Vulnerability & Penetration Testing: In order to prevent unauthorised attacks on its platform, Zinc maintains relationships with vulnerability and penetration testing service providers. Through penetration testing Zinc can identify and resolve foreseeable attacks and possible abuse scenarios before they are exploited.
(B) Organisational Measures
DPO: Zinc has a designated Data Protection Officer (DPO) as well as a Legal Counsel and IT professionals, to monitor and ensure compliance with GDPR and local laws. 
Personnel training: Zinc organises regular and obligatory company wide security training on top of our security training delivered during onboarding. Relevant personnel are required to sign NDAs where appropriate. During the course of engagement with Zinc, all personnel follow guidelines to ensure confidentiality, professional and ethical standards necessary to guarantee effective data protection. 
Remote Working Policy: Zinc personnel must act in compliance with further measures such as the remote working policy, device secure setup and security awareness, strong passwords policy, two factor authentication process, etc.
(C) Technical Measures
Transfer Control: Zinc prevents personal data from being read, copied, changed or deleted in an unauthorised way during electronic transmission, transport or storage on data media through firewalls and encryption.
Input control: Zinc ensures that it can be subsequently checked whether and by whom personal data have been entered, changed or deleted. This includes logging and user identification.
Availability control: Zinc ensures that personal data are protected against accidental destruction or loss. This includes the usual fire protection and overvoltage protection measures, a backup concept, virus protection and clean coding.
Separation control: Zinc ensures that personal data collected for different purposes are to be processed separately. This includes separate accounts and encryption methods.
Data Encryption: Reference data is encrypted in transit and at rest. All data is encrypted in transit. Authentication is added to every candidate background check report; single sign-on login and two-factor authentication are available.
TLS: The Transport Layer Security (TLS) protocol is used for communication within the app and for web tracking.
Additional Technical Measures: Firewalls, logging, malware protection, vulnerability scans and other control mechanisms are in place to provide further technical security.
(D) Security Development practices
Zinc has the following further practices in place to ensure the security of the application:
1. Clean coding and least privilege access granting for Zinc IT developers. 
2. Monitoring traffic – Internal network traffic is systematically checked for any suspicious behaviour. 
3. Vulnerability Management – Zinc conducts web scans and scans for potential threats. 
4. Incident Management – Zinc has a well-defined incident management process for security events, including reporting, prioritisation based on urgency, escalation and mitigation.
5. Business Continuity – Zinc reviews all business-critical functions. 
6. Quality assurance – Zinc tests all new features before deploying them to the application.
(E) Further measures to protect Customer Data
Infrastructure: Zinc relies upon recognised hosting providers in the field that (i) enable a multi-tenant, geographically distributed environment and a high availability infrastructure, and (ii) comply with all data protection obligations as stipulated in applicable Data Protection Laws.
Control of Processors: Zinc ensures that personal data processed by Processors are processed in accordance with the instructions of Zinc. This includes control rights and data processing contracts according to the GDPR. 
External review: Zinc is subject to external reviews to test, evaluate and confirm that the security measures are up-to-date, effective and functional.
(F) Certifications
Zinc currently maintains the following certifications:
  • ISO 27001
  • Tier 1 with the Independent Commissioners Office
  • Cyber Essentials
  • UK Digital Identity Certification Scheme
Zinc reserves the right to replace any security measure with an equivalent or enhanced alternative at any time during the term of the Agreement, provided that the alternative ensures equal data security and complies with state of the art security standards applicable in the field.