Zinc data processing addendum

Parties

  1. Zinc Work Limited, a company incorporated and registered in England and Wales (company number 10961635) with a registered address at Eastcastle House, 27-28 Eastcastle Street, London, United Kingdom, W1W 8DH, on behalf of itself and any affiliates (Provider); and
  2. The counterparty, on behalf of itself and any affiliates, whose registered country, address and signature are set out in the Order Form (You, Your, Yours or Company).

Background

  1. This Personal Data Processing Addendum (DPA) sets out the terms, requirements and conditions on which the Provider will process Personal Data when providing services under the Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between Controllers and Processors [and the General Data Protection Regulation ((EU) 2016/679)].

Agreed terms

  1. Definitions and Interpretation

    The following definitions and rules of interpretation apply in the Agreement.

    1. Definitions:

      1. Agreement: means this DPA, the Terms and Conditions, and the relevant Order Form signed by You which together govern the agreement between the parties subject to which the Zinc Service is provided.
      2. Business Purposes: means the services to be provided by the Provider to You as described in the Terms and Conditions and any other purpose specifically identified in the Agreement.
      3. Commissioner: means the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
      4. Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law. 
      5. Data Protection Legislation: means all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Commissioner or other relevant regulatory authority and which are applicable to a party.
      6. Data Subject: means an identified or identifiable natural person. 
      7. EEA: means the European Economic Area.
      8. Order Form: means the relevant order form supplied to You by the Provider. 
      9. Personal Data: means any information relating to an identified or identifiable living individual that is processed by the Provider on behalf of You as a result of, or in connection with, the provision of the services under the Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
      10. Personal Data Breach: means a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.
      11. Processing: means any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third-parties.
      12. Processor: means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
      13. Records: has the meaning given to it in Clause 12.
    2. This DPA is hereby incorporated into the Agreement.

    3. The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

    4. A reference to writing or written communication includes email.

    5. In the case of conflict or ambiguity between:

      1. any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail;

      2. the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and

      3. any of the provisions of this DPA and the provisions of the Terms and Conditions, the provisions of this DPA will prevail.

  2. Personal data types and processing purposes

    1. You and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:

      1. You are the Controller and Provider is the Processor.
      2. You retain control of the Personal Data and remain responsible for Your compliance obligations under the Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, and for the written Processing instructions You give to the Provider.
  3. Provider's obligations

    1. The Provider will only process the Personal Data to the extent, and in such a manner, that is necessary for the Business Purposes and in accordance with Your written instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. The Provider must promptly notify You if, in its opinion, Your instructions do not comply with the Data Protection Legislation.

    2. Subject to Clause 3.1, the Provider must comply promptly with any of Your written instructions requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised Processing.

    3. The Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless You or this DPA specifically authorises the disclosure or as required by domestic or EU law, court or regulator (including the Commissioner). If a domestic or EU law, court or regulator (including the Commissioner) requires the Provider to process or disclose the Personal Data to a third-party, the Provider must first inform You of such legal or regulatory requirement and give You an opportunity to object or challenge the requirement, unless the domestic or EU law prohibits the giving of such notice.

    4. The Provider will reasonably assist You with meeting Your compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider's Processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner or other relevant regulator under the Data Protection Legislation.

    5. The Provider must notify You promptly of any changes to the Data Protection Legislation that may reasonably be interpreted as materially affecting the Provider's performance of the Agreement or this DPA.

  4. Provider's employees

    1. The Provider will ensure that all of its employees:

      1. are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligation in respect of the Personal Data; and
      2. have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties.
  5. Security

    1. The Provider must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Annex III.

    2. The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

      1. the pseudonymisation and encryption of Personal Data; and
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; and
      3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
      4. a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
  6. Personal data breach

    1. The Provider will immediately, and in any event no later than 24 hours after an incident, notify You if it becomes aware of:

      (a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. Where possible, the Provider will restore such Personal Data at its own expense as soon as possible; or
      (b) any accidental, unauthorised or unlawful Processing of the Personal Data; or
      (c) any Personal Data Breach.
    2. Where the Provider becomes aware of any or all of: (a), (b) or (c) above, it will, without undue delay, also provide You with the following written information:

      1. description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Records concerned; and
      2. the likely consequences; and
      3. a description of the measures taken or proposed to be taken to address any or all of (a), (b) or (c), including measures to mitigate its possible adverse effects.
    3. Immediately following any accidental, unauthorised or unlawful Personal Data Processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with You at no additional cost to You, in Your handling of the matter, including but not limited to:

      1. assisting with any investigation; or
      2. providing You with physical access to any facilities and operations affected; or
      3. facilitating interviews with the Provider's employees, former employees and other individuals involved in the matter including, but not limited to, its officers and directors; or
      4. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data Processing.
    4. The Provider will not inform any third-party of any accidental, unauthorised or unlawful Processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining Your written consent, except when required to do so by domestic or EU law.
  7. Cross-border transfers of personal data

    1. The Provider (and any sub-processor) must not transfer or otherwise process the Personal Data outside the UK, EEA or USA without obtaining Your prior written consent.

  8. Sub-processors

    1. Other than those sub-processors set out in Annex II, the Provider may not authorise any other third-party or subcontractor to process the Personal Data.

    2. The Provider will enter into a written agreement with each of its subprocessors that contains terms substantially similar to those set out in this DPA.

    3. Where the sub-processor fails to fulfil its obligations under that written agreement with the Provider, the Provider remains fully liable to You for the sub-processor’s performance of its agreement obligations.

    4. Where the Provider seeks to appoint a new sub-processor, You will be provided with at least 30 days' written notice prior to their appointment.

    5. Upon the appointment of a new sub-processor by the Provider, You may object to said appointment within 10 working days (an “Objection”).

    6. In the event of an Objection, the Provider shall ensure that Your data is not processed by the new sub-processor until such time as the Objection can be resolved.

  9. Complaints, data subject requests and third-party rights

    1. The Provider must, at no additional cost to You, take such technical and organisational measures as may be appropriate and promptly provide such information to You as You may reasonably require to enable You to comply with:

      1. the rights of Data Subjects under the Data Protection Legislation, including, but not limited to: subject access rights, the rights to rectify, port and erase Personal Data, object to the Processing and automated Processing of Personal Data, and restrict the Processing of Personal Data; or
      2. information or assessment notices served on You by the Commissioner, or other relevant regulator, under the Data Protection Legislation.
    2. The Provider must notify You immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the Processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
    3. The Provider must notify You within 24 hours if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
    4. The Provider will give You, at no additional cost to You, its full cooperation and assistance in responding to any complaint, notice, communication or Data Subject request.
  10. Term and termination

    1. This DPA will remain in full force and effect so long as the Agreement remains in effect.

    2. Any provision of this DPA that, whether expressly or by implication, should come into or continue in force on or after termination of the Agreement in order to protect the Personal Data will remain in full force and effect.

    3. The Provider's failure to comply with the terms of this DPA is a material breach of the Agreement. In such an event, You may terminate the Agreement effective immediately on written notice to the Provider without further liability or obligation being placed on You.

    4. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its agreement obligations, the parties may agree to suspend the Processing of the Personal Data until that Processing complies with the new requirements. If the parties are unable to bring the Personal Data Processing into compliance with the Data Protection Legislation within 30 days, either party may terminate the Agreement with immediate effect on written notice to the other party. For the avoidance of doubt, if You terminate the Agreement in accordance with this Clause 10.4, You will owe no further payment obligations to the Provider under the Agreement.

  11. Data return and destruction

    1. At Your request, the Provider will give You, or a third-party nominated in writing by You, a copy of or access to all or part of the Personal Data in its possession or control in the format and media form reasonably specified by You.

    2. On termination of the Agreement for any reason, expiry of its term or upon Your written request, the Provider will securely delete, destroy or return, and not retain, all or any of the Personal Data related to this DPA in its possession or control.

    3. If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Provider would otherwise be required to return or destroy, it will notify You in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

    4. The Provider will certify in writing to You that it has deleted or destroyed the Personal Data within 7 days after it completes any deletion or destruction.

  12. Records

    1. The Provider will keep detailed, accurate and up-to-date written records regarding any Processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved sub-processors, the Processing purposes, categories of Processing, and a general description of the technical and organisational security measures referred to in Clause 5.1 (Records).

    2. The Provider will ensure that the Records are sufficient to enable You to verify the Provider's compliance with its obligations under this DPA and the Data Protection Legislation, and the Provider will provide You with copies of the Records upon request.

  13. Audit

    1. The Provider will permit You and Your third-party representatives to audit the Provider's compliance with its agreement obligations, on at least 7 days' notice, during the term of the Agreement. The Provider will give You and Your third-party representatives all necessary assistance to conduct such audits at no additional cost to You. The assistance may include, but is not limited to:

      1. physical, remote or electronic access to, and copies of the Records and any other information held at the Provider's premises or on systems storing the Personal Data; and
      2. access to and meetings with any of the Provider's personnel reasonably necessary to provide all explanations and perform the audit effectively; and
      3. inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.
    2. The notice requirements in Clause 13.1 will not apply if You reasonably believe that a Personal Data Breach has occurred or is occurring, or the Provider is in material breach of any of its obligations under this DPA or any of the Data Protection Legislation.

    3. If a Personal Data Breach occurs or is occurring, or the Provider becomes aware of a breach of any of its obligations under the Agreement or any of the Data Protection Legislation, the Provider will:

      1. promptly conduct its own audit to determine the cause; and
      2. produce a written report that includes detailed plans to remedy any deficiencies identified by the audit; and
      3. provide You with a copy of the written audit report; and
      4. remedy any deficiencies identified by the audit within 10 days.
    4. At least once a year, the Provider will conduct site audits of its Personal Data Processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.
    5. On Your written request, the Provider will make all of the relevant audit reports available to You for review, including as applicable: reports relating to its ISO/IEC 27001 certification and other audit reports as applicable. You will treat such audit reports as the Provider's confidential information under the Agreement.
    6. The Provider will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider's management.
  14. Warranties

    1. The Provider warrants and represents that:

      1. its employees, agents and any other person or persons accessing the Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation; and
      2. it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments; and
      3. it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Agreement's contracted services at present; and
      4. considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the accidental, unauthorised or unlawful Processing of Personal Data and the loss or damage to, the Personal Data, and ensure a level of security appropriate to:

        1. the harm that might result from such accidental, unauthorised or unlawful Processing and loss or damage;
        2. the nature of the Personal Data protected; and
        3. comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in Clause 5.1.
    2. You warrant and represent that the Provider's expected use of the Personal Data for the Business Purposes and as specifically instructed by You will comply with the Data Protection Legislation.

  15. Indemnification

    1. Subject to Clause 15.2, the Provider agrees to indemnify, keep indemnified and defend You, at its own expense, against all costs, claims, damages or expenses incurred by You or for which You may become liable due to any failure by the Provider or its employees, subcontractors or agents to comply with any of its obligations under this DPA.

    2. The Provider's total liability to You in connection with this DPA shall be limited to the total amount paid or payable by You, as set out in the relevant Order Form, in the 12 months prior to the event giving rise to a claim.

  16. Notice

    1. Any notice given to You under or in connection with the Agreement must be in writing and delivered to the email address specified in the relevant Order Form.

    2. Any notice given to Provider under or in connection with the Agreement must be in writing and delivered to: legal@zincwork.com.

    3. Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

Annex I: Purpose and Details of Personal Data Processing

Subject matter of Processing: The provision of employee reference and background checking services to You as further set out in the Terms and Conditions.

Duration of Processing: For the term of the Agreement and thereafter for any periods permitted under the Agreement. 

Nature of Processing: Collection of data through the Zinc portal. Storage of data in Zinc’s cloud based database. Viewing of data by relevant Zinc staff. 

Business Purpose of Processing: For the provision of the contracted services as further set out in the Terms and Conditions and any applicable Order Form.

Personal Data Categories:

For all checks: First name; Last name; Email address; Current and previous address; Date of birth.

For certain checks: Criminal conviction data (including the absence of a criminal record) [criminal record checks only]; Identification documents (e.g. passport, driver's licence, birth certificate) [right to work checks].

Data Subject types:

Your employees, contractors, workers, candidate employees, candidate contractors or candidate workers. Referees when providing employment references for Your employees or candidates.

Annex II: Approved Subprocessors

Company name | Address | Location of data processing | Type of service
iCover services | 16/18 rue Gaillon, 75002 Paris, France | France | Supporting international criminal record checks
uCheck | First floor, Chiltern House, Sigford Rd, Marsh Barton, Exeter, EX2 8NL | United Kingdom | Supporting criminal record checks in England and Wales
Onfido | 3 Finsbury Ave, London EC2M 2PA | United Kingdom | Identity verification
TransUnion | Red Lion Buildings, Cock Ln, London, EC1A 9BU | United Kingdom | Credit background checks
Mistho Services Limited | 27 Old Gloucester Street, London, WC1N 3AX | United Kingdom | Employment verification checks
Ferretly International Inc. | 16 N. Washington St., Easton, MD 21601 | United States | Social media checks
MongoDB | Building Two, Number One Ballsbridge, Dublin 4, Ballsbridge, Dublin | United Kingdom | Distributed cloud database for storage of data
Digital Ocean Cloud | 101 6th Ave, New York, NY 10013, United States | United Kingdom | Cloud servers to process the application
Amazon Web Services, Inc. | 410 Terry Avenue North, Seattle, WA 98109-5210, U.S.A. | United Kingdom | Distributed cloud database for storage of data

Annex III: Security measures

(A) Access Control

Physical Access Control: Zinc takes measures to prevent unauthorised persons from entering the premises in which Personal Data Processing systems are stored and with which Personal Data are processed.
Technical Access Control: Zinc takes technical measures to prevent Personal Data Processing systems from being used by unauthorised persons. These include authentication when accessing computers or systems using a user ID and password, as well as setting up firewalls.
Personnel Access Control: Zinc ensures that only authorised personnel can access Personal Data and that said data cannot be copied, changed or deleted without authorisation during Processing and use and after saving. When granting access rights to Zinc personnel working on Your project, Zinc follows the principle of least privilege to ensure Your data are accessed only by personnel that need the access in order to provide the Zinc Services as ordered by You.
Vulnerability and Penetration Testing: To prevent unauthorised attacks on our platform, Zinc maintains relationships with vulnerability and penetration testing service providers. Through penetration testing Zinc can identify foreseeable attack and abuse scenarios and resolve the underlying weaknesses before they can be exploited.

(B) Organisational Measures

DPO: Zinc has a designated Data Protection Officer (DPO) and IT professionals to monitor and ensure compliance with the GDPR and local laws.
Personnel training: Zinc organises regular and obligatory company-wide security training in addition to the security training delivered during onboarding. Relevant personnel are required to sign confidentiality agreements where appropriate. During the course of engagement with Zinc, all personnel follow guidelines to ensure the confidentiality, professional and ethical standards necessary to guarantee effective data protection.
Remote Working Policy: Zinc personnel must act in compliance with further measures such as the remote working policy, secure device setup and security awareness, a strong passwords policy and a two-factor authentication process.

(C) Technical Measures

Transfer Control: Zinc prevents Personal Data from being read, copied, changed or deleted in an unauthorised way during electronic transmission, transport or storage on data media through firewalls and encryption.
Input control: Zinc ensures that it can be subsequently checked whether and by whom Personal Data have been entered, changed or deleted. This includes logging and user identification.
Availability control: Zinc ensures that Personal Data are protected against accidental destruction or loss. This includes the usual fire protection and overvoltage protection measures, a backup concept, virus protection and clean coding.
Separation control: Zinc ensures that Personal Data collected for different purposes are processed separately. This includes separate accounts and encryption methods.
Data Encryption: Reference data is encrypted in transit and at rest. All data is encrypted in transit. Authentication is required for every candidate background check report; single sign-on login and two-factor authentication are available.
TLS: The Transport Layer Security (TLS) protocol is used for communication within the app and for web tracking.
Additional Technical Measures: Firewalls, logging, malware protection, vulnerability scans and other control mechanisms are in place to provide further technical security.

(D) Security Development Practices

Zinc has the following further practices in place to ensure the security of the application:
1. Clean coding and least privilege access granting for Zinc IT developers.
2. Monitoring traffic – Internal network traffic is systematically checked for any suspicious behaviour.
3. Vulnerability Management – Zinc conducts web scans and scans for potential threats.
4. Incident Management – Zinc has a well-defined incident management process for security events, including reporting, prioritisation based on urgency, escalation and mitigation.
5. Business Continuity – Zinc reviews all business-critical functions.
6. Quality assurance – Zinc tests all new features before deploying them to the application.

(E) Further Measures to Protect Customer Data

Infrastructure: Zinc relies upon recognised hosting providers in the field that (i) provide a multi-tenant, geographically distributed, high-availability infrastructure and (ii) comply with all data protection obligations stipulated in applicable Data Protection Legislation.
Control of sub-processors: Zinc ensures that Personal Data processed by sub-processors are processed in accordance with the instructions of Zinc. This includes control rights and Personal Data Processing contracts in accordance with the GDPR.
External review: Zinc is subject to external reviews to test, evaluate and confirm that the security measures are up-to-date, effective and functional.

(F) Certifications

Zinc currently maintains the following certifications:
ISO 27001
Cyber Essentials Plus
UK Trust Framework

Zinc reserves the right, at any time during the term of the Agreement, to replace any security measure with an equivalent or enhanced alternative that ensures equal data security and complies with state-of-the-art security standards applicable in the field.