Privacy Policy

Last review: 14 April 2023
Last update: 14 April 2023

This Privacy Notice describes how and why Zepko Limited collects and uses personal data in the course of our business. It applies to personal data provided directly to us by the individuals concerned and to personal data provided to us by companies and other organisations.

The reasons we need to store and process personal data are one or more of the following:

  • To fulfil a contract we have with you;
  • When it’s our legal duty or obligation;
  • When it’s in our legitimate interest;
  • When you consent to it.

Personal data is data relating to an identified or identifiable individual, and can include:

  • Name;
  • Work address, email address and/or phone number;
  • Job title;
  • Payment and delivery details, including billing and delivery addresses;
  • Information related to the browser or device you use to access our website;
  • Internet browser and operating system;
  • And any other information you provide through contacting us via phone or our website contacts us form.

We are committed to the protection of personal data and to fair and transparent processing. If you have any questions about this Privacy Statement, you can contact our Data Protection Officer via email at data-privacy@zepko.com

To find out more about how and why we process personal data, please refer to the relevant section of this Privacy Statement.

Our relationship with personal data is twofold:

  • As a Data Controller – we hold personal data of employees, job applicants, people who contact us through our website, website cookies, partners and clients.
  • As a Data Processor – we store and process security log data as part of our Managed Security Services on behalf of our clients (who are in turn Data Controllers themselves).

Data Controller details

Company Name: Zepko Limited
Company registration number: 5058229 (registered in England)
ICO registration number: Z9102613
Registered Address: 2nd Floor, 31 Chertsey Street Guildford, Surrey GU1 4HD

Security of personal data

We have policies, procedures and training in place to apply best practice for data protection, confidentiality and information security. We regularly review such measures with the objective of ensuring their continuing effectiveness.

Our Managed Security Service operates under an Information Security Management System certified to ISO/IEC 27001:2013 (certificate number: IS 657546).
The service is also certified to Cyber Essentials Plus (certificate number: 96e12386-d35e-4396-8de3-3b93dbf2ca28).

International transfers of personal data

Through normal business operation and providing services to clients we may transfer personal data to third parties located in other countries, including countries outside the EEA. Where we transfer personal data to a country not determined by the European Commission to provide an adequate level of protection for personal data, we will employ adequate data protection controls within our End User License Agreement (EULA).

Provision of personal data to third parties

We will only share personal data with third parties where we are legally permitted to do so or by customer consent. We do not provide information to third parties for their own marketing purposes and we do not undertake mailing for third parties. Where we transfer personal data to third parties, we will put in place appropriate confidentiality arrangements and seek to ensure those third parties have appropriate technical and organisational measures in place to protect personal data.

We may provide personal data to:

  • Third parties involved in the performance of services – we may also share personal data to third party organisations who assist us in providing services to clients or are otherwise involved in the services we provide to clients.
  • Auditors and advisers – we may transfer personal data to our auditors and advisers as required by law or as reasonably required in the management of our business.
  • Third parties where required by applicable law and regulation – we may be requested or compelled to disclose personal data to third parties such as regulators and law enforcement agencies. We will only provide personal data to such parties where there is a legal requirement or permission to do so.

Your Rights

You have rights in relation to your personal data held by us as a Data Controller. Should you wish to exercise your rights, please contact our Data Protection Officer via email at data-privacy@zepko.com. We will respond within 30 days to your request.

You also have a right to update your personal data that we hold. To do so, please either contact your account manager or our Data Protection Officer via email at data-privacy@zepko.com

Where we process your personal data based on your consent (GDPR Article 6(1)(a)), you have a right to withdraw consent at any time. Should you wish to do so, please contact our Data Protection Officer via email at data-privacy@zepko.com

In addition to the rights above, you may also have other rights in relation to personal data, including a right to access, a right to erasure/deletion, the right to data portability and the right to restrict and/or object to our processing of personal data.

Depending on your request, we may ask for proof of identity. Being cyber security specialists, we are mindful of risks associated with social engineering, and therefore may request additional validation before providing access to stored records or changing them.

We will fairly process your request and review against any overriding legal, regulatory or contractual requirements that we have to abide by.

Complaints

Should you wish to complain about our use of your personal data, please contact our Data Protection Officer via email at data-privacy@zepko.com. We will investigate all complaints received and will endeavour to respond to complaints promptly.

Should you not be satisfied by our response, you have the right to contact the Information Commissioner’s Office. For further information on your rights and the complaints process, please visit the Information Commissioner’s Office website.

Data Retention

We will only keep personal data for as long as necessary for the purposes for which it was collected, or as required by applicable law or regulation.

Unless there are any overriding legal, statutory, regulatory or contractual requirements, we will retain records of services provided (which may include personal data) in accordance with our retention scheme.

 

Corporate Clients

For our clients, as a minimum we need the following contact information to support the performance of our contract as per GDPR Article 6(1)(b):

  • Account management – we require contact details for senior stakeholders.
  • Invoicing and billing – we require contact details from your procurement, purchasing.
  • Security reporting – we require contact details for appropriate information officers.
  • Security monitoring/investigation – we require contact details of suitable technical teams covering infrastructure, networks, applications and security systems.

Where your business employs third parties, for example to manage your IT infrastructure, their contact details will be required also.

We provide the following types of security services which inherently require certain types of personal data to be processed. We are the Data Processor for our security services; our clients maintain the role of Data Controller.

Managed Security Service

To provide our managed security service we need to monitor the behaviour of IT systems, network and users. This is essential to help our clients protect themselves against external attack, insider threat and the leakage of sensitive data.

The security data we collect, store and process may include:

  • Source IP addresses;
  • Usernames;
  • GeoIP locations;
  • Email addresses.

The log data we collect is securely transported over TLS to our UK based data centres where it is securely stored for the data retention period agreed by the client. On termination of the contract we will securely purge the client data from our system, and if required by the client, securely transfer the log data to the client.

The lawful basis for our data collection and processing is based on “legitimate interest” as covered by GDPR Article 6(1)(f).

Our log store provides a secure audit trail which is inherently immutable in nature and therefore we cannot offer the “right to erasure”, “right to rectification”. If you wish to exercise your rights under GDPR then please contact your Data Controller and they will issue appropriate instruction to us the Data Processor.

Professional Services

Professional services include penetration testing, vulnerability assessment, security consultancy, cyber incident response and digital forensics.

We aim to collect personal data only to the extent necessary for us to provide our services to our clients and for other agreed legitimate purposes. Where personal data is required for us to perform services for our clients, we request that our clients provide all necessary information to relevant individuals (known as data subjects) about our use of personal data. Our clients may therefore refer data subjects to this Privacy Notice. We generally collect personal data directly from our clients or from third parties acting on their instructions.

All personal data is stored and shared securely only through report deliverables to our end client and only when instructed by our client with their third-party suppliers or partners.

 

Prospective Client Enquiries

We will store the personal details of individuals who contact us through our website or phone.

  • Name;
  • Email address and/or phone number;
  • Job title;
  • Company name.

We will retain this data based on our legitimate business interests for as long as commercial conversations prevail. You may exercise your data privacy rights by contacting data-privacy@zepko.com.

 

Job Applicants

We will store the personal details of individuals who contact us through our website, directly or through a recruitment agency.

If you apply for a role as a cyber security analyst and take our online challenge we will only record your IP address and the completion hash we provide on successful completion of the challenge.

If you were unsuccessful in your job application, your CV will be retained for 6 months after the completion of the recruitment process.