General Data Protection Regulation (GDPR)

On 25th May 2018, The General Data Protection Regulation (GDPR) came into effect all over the UK and Europe. It is a series of regulations and obligations that add to the current Data Protection Directive by adding a number of new requirements for businesses and determining a more comprehensive set of rights for individuals.

What is the GDPR?

The GDPR is a new comprehensive data protection law (in effect May 25, 2018) in the EU that strengthens the protection of personal data in light of rapid technological developments, increased globalisation, and more complex international flows of personal data. It updates and replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.

What does the GDPR regulate?

The GDPR regulates the “processing” of data for EU individuals, which includes collection, storage, transfer, or use. Any organisation that processes personal data of EU individuals is within the scope of the law, regardless of whether the organisation has a physical presence in the EU. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).

How does GDPR change privacy law?

The key changes are the following: Expanded data privacy rights for EU individuals, data breach notification and added security requirements for organisations, as well as customer profiling and monitoring requirements. GDPR also includes binding Corporate Rules for organisations to legalise transfers of personal data outside the EU, and a 4% global revenue fine for organisations that fail to adhere to the GDPR compliance obligations. Overall the GDPR provides a central point of enforcement by requiring companies to work with a lead supervisory authority for cross-border data protection issues.

Does the GDPR require EU personal data to stay in the EU?

No, the GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU. Salesforce’s data processing addendum, which references our Binding Corporate Rules, Privacy Shield certification, and the European Commission’s model clauses, will continue to help our customers legalise transfers of EU personal data outside of the EU. See our FAQ on our data processing addendum for more information.

Build trust and transparency around your data with the Synapse Platform.

As data gathering and intelligence becomes more prevalent as a way for companies to understand and serve customers better along with establishing the risks and threats to better protect people, assets and locations, it is critical that companies remain accountable to every individual’s right to privacy and security.

Synapse gives companies transparency and control of personal data to accelerate compliance with regulations such as the GDPR, while still being able to harness the power of data to provide our customers with Actionable Insight.

Right to Be Forgotten

You may need to delete customer data in order to comply with data protection and privacy regulations. The Synapse Platform offers a rich set of features to help you meet your obligations under the GDPR. Synapse allows customers to delete personal data at both an organisational level and an individual level. Deletions of Synapse instances (orgs) are synced regularly.

Data Portability

You can use the Synapse Platform to help you honour your customers’ requests to export their data. Data can be extracted via both UI-driven as well as API-driven methods, including reports exportable via CSV and PDF.

Consent & Processing

The Synapse Platform helps you comply with data protection and privacy regulations with out-of-the-box support for indicating do not call and email opt-out. The Synapse Platform allows users to manage their personal data within their "My Profile" of the App including tracking preferences and notification methods they wish to use. For audit and the purpose of user safety, an activity log within the App is recorded against the users profile that includes login information, IP addresses, location data and an activity log i.e. viewing, editing information etc.

On the Synapse Platform, records can be identified, exported, and deleted upon receiving a verified request to restrict processing via the Admin247 portal by an authorised administrator.


Synapse offers customers a data policy and processing addendum containing privacy commitments. This addendum contains data transfer frameworks ensuring that our customers can lawfully transfer personal data to Synapse outside of the European Economic Area. This addendum also contains specific provisions to assist customers in their compliance with the GDPR.


Zinc's platforms have security built into every layer of the Platform. The infrastructure layer comes with replication, backup, and disaster recovery planning. Network services has encryption in transit and threat detection. Our application services implement identity, authentication, and user permissions. We also offer an additional layer of trust including Platform Encryption, Event Monitoring, and Audit Trails.

As part of our security commitment, our Service Desk team conducts monthly web vulnerability scans of our platforms with the capability to detect over 4,500 web vulnerabilities using a DeepScan crawler, grey-box vulnerabiluty testing and out-of-band vulnerability testing. To view an example index of the scanned web vulnerabilities you can access this via the Resources section below. Our latest platform cyber scans are available on request. 

Read More About Platform & Security

Shared Responsibility Model

At Zinc, customer trust is our top priority. We deliver services to a wide range of active customers, including enterprises, educational institutions, and government agencies. Our customers include private businesses, financial services providers, healthcare providers, and governmental agencies, who trust us with some of their most sensitive information.

We know that customers care deeply about privacy and data security and maintaining customer trust is an ongoing commitment. We strive to inform you of our privacy and data security policies, practices, and technologies we’ve put in place. These commitments include:

Security and Compliance is a shared responsibility between Zinc and the customer. This shared model can help relieve customer’s operational burden as Zinc and its hosting partners operates, manages and controls the components from the host operating system, virtualization layer and platform application down to the physical security of the facilities in which the service operates.

The customer assumes responsibility and management of the data stored and captured within their platform. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment.

As a customer, you manage access to your content and user access to services and resources. We provide an advanced set of access, encryption, and logging features to help you do this effectively. We do not access or use your content for any purpose without your consent. We never use your content or derive information from it for marketing or advertising.

We store data by default in UK data centres managed by Rackspace and AWS with a disaster recovery located in Germany (for more information view the "Infrastructure & Sub-Processors" document in the Resources section on this page. On request you can choose to host the platform in other Region(s) in which your content is stored abd will not move or replicate your content outside of your chosen Region(s) without your consent.

We do not disclose customer content unless we’re required to do so to comply with the law, or with a valid and binding order of a governmental or regulatory body. Unless we are prohibited from doing so or there is clear indication of illegal conduct in connection with the use of our products or services, Zinc notifies customers before disclosing customer content so they can seek protection from disclosure.

We have developed a security assurance program that uses best practices for privacy and data protection to help you operate securely within the platform, and to make the best use of our security control environment.

Law Enforcemnt Requests

Important Documents & Resources

Contact Us & Complaints

UK Head Office: The Old Garage, Little Houghton, Northamptonshire, NN7 1AB, UK
Telephone: +44 (0)1604 598999

Should you wish to discuss a complaint, please feel free to contact us using the details provided above.
All complaints will be treated in a confidential manner.

Should you feel unsatisfied with our handling of your data, or about any complaint that you have made to us about our handling of your data, you are entitled to escalate your complaint to a supervisory authority within the European Union. For the United Kingdom, this is the Information Commissioners Office (ICO), who is also our lead supervisory authority. Its contact information can be found at:

Visit Information Commissioners Office (ICO) Website

Internal Policies & Procedures 

Documents available on request.

Law Enforcement Requests

These guidelines are intended for use by law enforcement when seeking information.

Zinc will not release customer information without a valid and binding legal demand properly served on us. Zinc objects to over-broad or otherwise inappropriate demands as a matter of course. Zinc distinguishes between content and non-content information. We produce non-content information only in response to valid and binding subpoenas. We do not produce content information in response to subpoenas. We may produce non-content and content information in response to valid and binding search warrants.

Non-content - information means subscriber information such as name, address, email address, billing information, date of account creation, and certain purchase history and service usage information.

Content - information means the content of data files stored in a customer’s account.

Unless it is prohibited from doing so or has clear indication of illegal conduct in connection with the use of Zinc's products or services, Zinc notifies customers before disclosing content information.

Types of Requests

Subpoenas are valid and binding legal demands for information or testimony issued by courts, lawyers, law enforcement agencies, or grand juries, usually without any substantive review by a judge or magistrate. We produce non-content information only in response to valid and binding subpoenas. We do not produce content information in response to subpoenas. Zinc objects to over-broad or otherwise inappropriate subpoenas as a matter of course.

Search warrants.
Search warrants may be issued by local, state, or federal courts upon a showing of probable cause and must specifically identify the place to be searched and the items to be seized. We may produce non-content and content information in response to valid and binding search warrants. Zinc objects to over-broad or otherwise inappropriate search warrants as a matter of course.

Other court orders.
Other court orders refers to valid and binding orders issued by local, state, or federal courts, other than search warrants or court-issued subpoenas. For example, we may receive a court order, obtained by a government entity, seeking to remove user content or accounts. Such removal requests are reported separately in the statistics below. Our responses to other court orders depend on the nature of the request. Zinc objects to over-broad or otherwise inappropriate orders as a matter of course.

National security requests.
National security requests include National Security Letters ("NSLs") and court orders issued under the Foreign Intelligence Surveillance Act ("FISA"). Our responses to these requests depend on the nature of the request. Zinc objects to over-broad or otherwise inappropriate national security requests as a matter of course. Zinc is prohibited by law from reporting the exact number of NSLs and FISA orders it receives. Therefore we report the numbers of such requests only within certain ranges set by the government.

Non-U.S. requests.
Non-U.S. requests include legal demands from non-U.S. governments, including legal orders issued pursuant to the Mutual Legal Assistance Treaty process or the letters regulatory process. Our responses to these requests depend on the nature of the request. Zinc objects to over-broad or otherwise inappropriate non-U.S. requests as a matter of course.

How Zinc Responds to Requests

Full response. Full response means that Zinc responded to valid legal process by providing all of the information requested.
Partial response. Partial response means that Zinc responded to valid legal process by providing only some of the information requested.
No response. No response means that Zinc responded to valid legal process by providing none of the information requested.

Zinc reserves the right to respond immediately to urgent law enforcement requests for information in cases involving a threat to public safety or risk of harm to any person.

Zinc will seek reimbursement from the customer for costs associated with responding to law enforcement requests for information, particularly if the costs incurred are the result of responding to burdensome or unique requests.


Our business changes constantly. You should check our website frequently to see recent changes. You can see the date and version on the Resources posted. Unless stated otherwise, our current Resources applies to all personal information we have about you and your account. We stand behind the promises we make, however, and will never materially change our policies and practices to make them less protective of personal information collected in the past without informing affected customers and giving them a choice.

Your login details have been used by another user or machine. Login details can only be used once at any one time so you have therefore automatically been logged out. Please contact your sites administrator if you believe this other user or machine has unauthorised access.