Zinc is ISO 27001 certified, with annual penetration tests, rolling vulnerability scans, and regular internal auditing overseen by an ISMS Governance Council. Sensitive candidate data (including ID documents, date of birth, address history, and qualification certificates) is deleted after 120 days once a request is complete, or 180 days if it was never finished. If your organisation requires a shorter window, we’ll follow your lead.
On control and access: Zinc acts as Data Processor. Your organisation is the Data Controller, meaning consent collection and lawful basis decisions rest with you. User groups let you restrict which team members can see which candidate checks, assigned at the package level, so a hiring manager in one region only sees candidates relevant to them. Compliance documentation, including our ISO 27001 certificate, DPA, T&Cs, and Privacy Policy, is available at https://trust.zincwork.com/.