Subject matter of Processing: Provision of employee reference and background checking services to the Customer as further set out in the Master Agreement.
Duration of Processing: For the term of the Master Agreement and thereafter for any periods permitted under the Master Agreement.
Nature and Purpose of Processing: Zinc will Process the Personal Data set out below in order to arrange employment background checks and referencing for the Customer’s candidates.
Personal Data Categories: Identity data (which may include the following Special Categories of Personal Data: biometric data for the purpose of uniquely identifying a natural person), contact data, background check status data, qualification data, employment history data, sanctions data (which may include Criminal Offence Data), financial data and usage data.
Data Subject Types:
- Employees and contractors of the Customer;
- Candidates seeking employment by the Customer;
- Referees providing employment references for the applicable candidate;
- Other third parties where requested to do so by the Customer or the applicable candidate.
Approved Subcontractors
1. Checking third parties
Location of data processing
Legal basis for transferring personal data outside the UK or EEA
- 16/18 rue Gaillon, 75002 Paris, France. Supporting international criminal record checks: identify if an individual holds criminal records in a given country.
- First Floor, Chiltern House, Sigford Rd, Marsh Barton, Exeter EX2 8NL. Supporting different levels of criminal record check in England and Wales: identify if an individual holds criminal records in a given country.
- 3 Finsbury Ave, London EC2M 2PA. Identity verification services.
- Red Lion Buildings, 12 Cock Ln, London EC1A 9BU.
Location of data processing
Legal basis for transferring personal data outside the UK or EEA
- Building Two, Number One Ballsbridge, Dublin 4, Ireland. Distributed cloud database to store contact data and check statuses.
- County Hall, Belvedere Rd, London SE1 7PB. CDN and edge computing infrastructure.
- 101 6th Ave, New York, NY 10013, United States. Cloud servers to process the application.
- 15 Bonhill Street, London EC2A 4DN. API driven communication service.
- 112 E Pecan St. #1135, San Antonio, TX 78205. Email communication service. Legal basis for transfer outside the UK or EEA: Standard contractual clauses.
- Limited One Park Place, Upper Hatch Street, Dublin 2, Ireland; 9th Floor, 107 Cheapside, United Kingdom. Invoicing and card payment rails.
Location of data processing
Legal basis for transferring personal data outside the UK or EEA
- 125 Mission Street, San Francisco, CA 94103. Location of data processing: EU & US service chosen by client. Receiving contact data to trigger checks and returning report links.
- 95-97 Kifisias Ave., 15125 Marousi. Location of data processing: EU & US service chosen by client. Receiving contact data to trigger checks and returning report links.
- 18 West 18th Street, 11th Floor, New York, NY 10011. Location of data processing: EU & US service chosen by client. Receiving contact data to trigger checks and returning report links.
- 4th Floor, National House, 60-66 Wardour St, London W1F 0TA. Receiving contact data to trigger checks and returning report links.
- 225 Bush Street, Suite 300, San Francisco, CA 94104. Receiving contact data to trigger checks and returning report links.
- 109 South 5th Street, Brooklyn, New York. Location of data processing: EU & US service chosen by client. Receiving contact data to trigger checks and returning report links.
Subject matter of Processing: Provision of employee reference and background checking services to the Customer as further set out in the Master Agreement.
Duration of Processing: For the term of the Master Agreement and thereafter for any periods permitted under the Master Agreement.
Nature and Purpose of Processing: Zinc will Process the Shared Personal Data set out below in order to arrange employment background checks and referencing for the Customer’s candidates.
Shared Personal Data Categories: name, account email, employment reference, education record, nationality and document expiry date.
Data Subject Types:
- Employees and contractors of the Customer;
- Candidates seeking employment by the Customer;
- Referees providing employment references for the applicable candidate;
- Other third parties where requested to do so by the Customer or the applicable candidate.
Physical Access Control. Zinc takes measures to prevent unauthorized persons from entering the premises in which data processing systems are stored and with which personal data are processed.
Technical Access Control. Zinc takes technical measures to prevent data processing systems from being used by unauthorized persons. These include authentication when accessing computers and systems using a user ID and password, as well as firewalls.
Personnel Access Control. Zinc ensures that only authorized Personnel can access contents and that personal data cannot be copied, changed or deleted without authorization during processing and use and after saving. When granting access rights to Zinc Personnel working on the Customer's project, Zinc follows the principle of least privilege to ensure that Customer data are accessed only by Personnel that need the access in order to provide the Services as ordered by the Customer.
Vulnerability & Penetration testing. In order to prevent unauthorised attacks on its platform, Zinc maintains relationships with vulnerability and penetration testing service providers. Through penetration testing Zinc can identify and resolve foreseeable attacks and possible abuse scenarios before they are exploited.
(B) Organisational Measures
DPO. Zinc has a designated Data Protection Officer (DPO) as well as legal and IT professionals to monitor and ensure compliance with GDPR and local laws.
Personnel training. Zinc organizes regular and obligatory company security training. During the onboarding process, Personnel are required to execute non-disclosure agreements. During the course of their engagement with Zinc, all Personnel follow guidelines to ensure the confidentiality, professional and ethical standards necessary to guarantee effective Customer Data protection.
Remote Working Policy. Zinc Personnel must act in compliance with further measures such as the Remote Working Policy, secure device setup, security awareness, a strong password policy and a two-factor authentication process.
Transfer Control. Zinc prevents personal data from being read, copied, changed or deleted in an unauthorized way during electronic transmission, transport or storage on data media through firewalls and encryption.
Input control. Zinc ensures that it can be subsequently checked whether and by whom personal data have been entered, changed or deleted. This includes logging and user identification.
Availability control. Zinc ensures that personal data are protected against accidental destruction or loss. This includes the usual fire protection measures and over-voltage protection, a backup concept, virus protection and clean coding.
Separation control. Zinc ensures that personal data collected for different purposes are processed separately. This includes separate accounts and encryption methods.
Data Encryption. Reference data is encrypted in transit and at rest. All data is encrypted in transit. Authentication is required for every candidate background check report; single sign-on login and two-factor authentication are available.
TLS. The Transport Layer Security (TLS) protocol is used for communication within the app and for web tracking.
Additional Technical Measures. Firewalls, logging, malware protection, vulnerability scans and other control mechanisms are in place to provide further technical security.
(D) Security Development practices
Zinc has the following further practices in place to ensure the security of the application:
1. Clean coding and least-privilege access granting for Zinc IT developers.
2. Monitoring traffic – Internal network traffic is systematically checked for any suspicious behaviour.
3. Vulnerability Management – Zinc conducts web scans and scans for potential threats.
4. Incident Management – Zinc has a well-defined incident management process for security events, including reporting, prioritization based on urgency, escalation and mitigation.
5. Business Continuity – Zinc reviews all business-critical functions.
6. Quality assurance – Zinc tests all new features before deploying them to the application.
(E) Further measures to protect Customer Data
Infrastructure. Zinc relies upon recognised hosting providers in the field that (i) provide a multi-tenant, geographically distributed environment and a high-availability infrastructure, and (ii) comply with all data protection obligations stipulated in applicable Data Protection Legislation.
Control of Processors. Zinc ensures that personal data processed by Processors are processed in accordance with the instructions of Zinc. This includes control rights and data processing contracts according to the GDPR.
External review. Zinc is subject to external reviews to test, evaluate and confirm that the security measures are up-to-date, effective and functional.
Zinc currently maintains the following certifications:
- Tier 1 with the Independent Commissioners Office.
- Cyber Essentials and GDPR readiness certificate.
Zinc reserves the right to replace any security measure with an equivalent or enhanced alternative at any time during the term of the Agreement, provided that the alternative ensures equal data security and complies with state-of-the-art security standards applicable in the field.