Data Privacy Note

Last update: 24 May 2018

We take the privacy of your personal data very seriously and all personal data captured will be used and held in accordance with the requirements of the Data Protection Act 2018, which brings the EU General Data Protection Regulation into UK law.

Set out below is an explanation of how we process this information. This privacy notice is reviewed on a regular basis and updates will be posted on this page.

Introduction

This Privacy Notice describes how and why Zepko Limited collects and uses personal data in the course of our business. It applies to personal data provided directly to us by the individuals concerned and to personal data provided to us by companies and other organisations.

The reasons we need to store and process personal data are one or more of the following:

  • To fulfil a contract we have with you;
  • When it's our legal duty or obligation;
  • When it's in our legitimate interest;
  • When you consent to it.

Personal data is data relating to an identified or identifiable individual, and can include:

  • Name;
  • Work address, email address and/or phone number;
  • Job title;
  • Payment and delivery details, including billing and delivery addresses;
  • Information related to the browser or device you use to access our website;
  • Internet browser and operating system;
  • And any other information you provide through contacting us via phone or our website contacts us form.

We are committed to the protection of personal data and to fair and transparent processing. If you have any questions about this Privacy Statement, you can contact our Data Protection Officer via email at data-privacy@zepko.com

To find out more about how and why we process personal data, please refer to the relevant section of this Privacy Statement.

Our relationship with personal data is twofold:

  • As a Data Controller - we hold personal data of employees, job applicants, people who contact us through our website, website cookies, partners and clients.
  • As a Data Processor - we store and process security log data as part of our Managed Security Services on behalf of our clients (who are in turn Data Controllers themselves).

Data Controller details

Company Name: Zepko Limited
Company registration number: 5058229 (registered in England)
ICO registration number: Z9102613
Registered Address: 2nd Floor, 31 Chertsey Street Guildford, Surrey GU1 4HD

Security of personal data

We have policies, procedures and training in place to apply best practice for data protection, confidentiality and information security. We regularly review such measures with the objective of ensuring their continuing effectiveness.

Our Managed Security Service operates under an Information Security Management System certified to ISO/IEC 27001:2013 (certificate number IS 657546).

International transfers of personal data

Through normal business operation and providing services to clients we may transfer personal data to third parties located in other countries, including countries outside the EEA. Where we transfer personal data to a country not determined by the European Commission to provide an adequate level of protection for personal data, we will employ adequate data protection controls within our End User License Agreement (EULA).

Provision of personal data to third parties

We will only share personal data with third parties where we are legally permitted to do so or by customer consent. We do not provide information to third parties for their own marketing purposes and we do not undertake mailing for third parties. Where we transfer personal data to third parties, we will put in place appropriate confidentiality arrangements and seek to ensure those third parties have appropriate technical and organisational measures in place to protect personal data.

We may provide personal data to:

  • Third parties involved in the performance of services - we may also share personal data to third party organisations who assist us in providing services to clients or are otherwise involved in the services we provide to clients.
  • Auditors and advisers - we may transfer personal data to our auditors and advisers as required by law or as reasonably required in the management of our business.
  • Third parties where required by applicable law and regulation - we may be requested or compelled to disclose personal data to third parties such as regulators and law enforcement agencies. We will only provide personal data to such parties where there is a legal requirement or permission to do so.

Your Rights

You have rights in relation to your personal data held by us as a Data Controller. Should you wish to exercise your rights, please contact our Data Protection Officer via email at data-privacy@zepko.com. We will respond within 30 days to your request.

You also have a right to update your personal data that we hold. To do so, please either contact your account manager or our Data Protection Officer via email at data-privacy@zepko.com

Where we process your personal data based on your consent (GDPR Article 6(1)(a)), you have a right to withdraw consent at any time. Should you wish to do so, please contact our Data Protection Officer via email at data-privacy@zepko.com

In addition to the rights above, you may also have other rights in relation to personal data, including a right to access, a right to erasure/deletion, the right to data portability and the right to restrict and/or object to our processing of personal data.

Depending on your request, we may ask for proof of identity. Being cyber security specialists, we are mindful of risks associated with social engineering, and therefore may request additional validation before providing access to stored records or changing them.

We will fairly process your request and review against any overriding legal, regulatory or contractual requirements that we have to abide by.

Complaints

Should you wish to complain about our use of your personal data, please contact our Data Protection Officer via email at data-privacy@zepko.com. We will investigate all complaints received and will endeavour to respond to complaints promptly.

Should you not be satisfied by our response, you have the right to contact the Information Commissioner's Office. For further information on your rights and the complaints process, please visit the Information Commissioner's Office website.

Data Retention

We will only keep personal data for as long as necessary for the purposes for which it was collected, or as required by applicable law or regulation.

Unless there are any overriding legal, statutory, regulatory or contractual requirements, we will retain records of services provided (which may include personal data) in accordance with our retention scheme.

Corporate Clients

For our clients, as a minimum we need the following contact information to support the performance of our contract as per GDPR Article 6(1)(b):

  • Account management - we require contact details for senior stakeholders.
  • Invoicing and billing - we require contact details from your procurement, purchasing.
  • Security reporting - we require contact details for appropriate information officers.
  • Security monitoring/investigation - we require contact details of suitable technical teams covering infrastructure, networks, applications and security systems.

Where your business employs third parties, for example to manage your IT infrastructure, their contact details will be required also.

We provide the following types of security services which inherently require certain types of personal data to be processed. We are the Data Processor for our security services; our clients maintain the role of Data Controller.

Managed Security Service

To provide our managed security service we need to monitor the behaviour of IT systems, network and users. This is essential to help our clients protect themselves against external attack, insider threat and the leakage of sensitive data.

The security data we collect, store and process may include:

  • Source IP addresses;
  • Usernames;
  • GeoIP locations;
  • Email addresses.

The log data we collect is securely transported over TLS to our UK based data centres where it is securely stored for the data retention period agreed by the client. On termination of the contract we will securely purge the client data from our system, and if required by the client, securely transfer the log data to the client.

The lawful basis for our data collection and processing is based on "legitimate interest" as covered by GDPR Article 6(1)(f).

Our log store provides a secure audit trail which is inherently immutable in nature and therefore we cannot offer the "right to erasure", "right to rectification". If you wish to exercise your rights under GDPR then please contact your Data Controller and they will issue appropriate instruction to us the Data Processor.

Professional Services

Professional services include penetration testing, vulnerability assessment, security consultancy, cyber incident response and digital forensics.

We aim to collect personal data only to the extent necessary for us to provide our services to our clients and for other agreed legitimate purposes. Where personal data is required for us to perform services for our clients, we request that our clients provide all necessary information to relevant individuals (known as data subjects) about our use of personal data. Our clients may therefore refer data subjects to this Privacy Notice. We generally collect personal data directly from our clients or from third parties acting on their instructions.

All personal data is stored and shared securely only through report deliverables to our end client and only when instructed by our client with their third-party suppliers or partners.

Online Services

We provide the following online services which require the registration of your details:

Domain Detect (https://www.domaindetect.io)

To register for a free 30 day trial you will need to provide the following details: name, email address, a preferred user name and password. You can consent to us notifying you of other services we provide, but we will not provide your details to third parties for marketing purposes or any other reason.

If you wish to continue with the service you will need to subscribe using PayPal (please see their privacy policy). We will hold information provided by PayPal regarding account transactions (but no card or bank details will be stored) as long as is required to meet legal and regulatory obligations.

Prospective Client Enquiries

We will store the personal details of individuals who contact us through our website or phone.

  • Name;
  • Email address and/or phone number;
  • Job title;
  • Company name.

We will retain this data based on our legitimate business interests for as long as commercial conversations prevail. You may exercise your data privacy rights by contacting data-privacy@zepko.com.

Job Applicants

We will store the personal details of individuals who contact us through our website, directly or through a recruitment agency.

If you apply for a role as a cyber security analyst and take our online challenge we will only record your IP address and the completion hash we provide on successful completion of the challenge.

If you were unsuccessful in your job application, your CV will be retained for 6 months after the completion of the recruitment process.

Website Cookies

www.zepko.com and related websites use cookies to provide you the best online experience, by continuing to use this website you are agreeing to our use of cookies.

Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user's device.

We use cookies in the following ways:

Persistent Cookies

Persistent cookies remain on a user's device for the period of time specified in the cookie. They are activated each time that the user visits the website that created that particular cookie.

Session Cookies

Session cookies allow website operators to link the actions of a user during a browser session. A browser session starts when a user opens the browser window and finishes when they close the browser window. Session cookies are created temporarily. Once you close the browser, all session cookies are deleted.

Further, we only use Category 1, 2 and 3 cookies on our website (as described below) to allow us to store and access information related to the browser used and other general features defined by the user and to track and analyse their activity in order to improve our services in a more efficient and personalised way. We do not use advertising cookies on the site.

Category 1: Strictly Necessary Cookies

These cookies enable services you have specifically asked for. For those types of cookies that are strictly necessary, no consent is required.

These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies services you have asked for, like an email form cannot be provided.

Category 2: Performance Cookies

These cookies collect anonymous information on the pages visited. By using the website, you agree that we can place these types of cookies on your device.

These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don't collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how the website works.

Category 3: Functionality Cookies

These cookies remember choices you make to improve your experience.

These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. They may also be used to provide services you have asked for such as watching a video or commenting on a blog.