Compliance & Governance

Policies

Summaries of the company policies that procurement teams, tender evaluators, and corporate clients commonly ask for. Full documents are available on request — get in touch for a copy.

Modern Slavery Act 2015

Modern Slavery Statement

Zim Digital is committed to preventing modern slavery and human trafficking in our business and supply chains.

Zim Digital Limited has a zero-tolerance approach to modern slavery and human trafficking. We are committed to acting ethically and with integrity in all our business relationships, and to implementing and enforcing effective systems and controls to ensure modern slavery is not taking place anywhere in our business or supply chains.

As a small consultancy with a limited supply chain (primarily software-as-a-service vendors based in the UK, EU, and US), our exposure to high-risk sectors is low. We nevertheless take active steps to ensure the suppliers and contractors we engage adhere to comparable standards.

We do not currently meet the £36 million annual turnover threshold that triggers a statutory reporting requirement under section 54 of the Modern Slavery Act 2015. However, we publish this voluntary statement to demonstrate our commitment, and we expect the same standards from any suppliers, contractors, or partners we engage.

Any concerns about modern slavery or human trafficking in connection with Zim Digital's business should be reported to [email protected] for immediate investigation.

Full document available on request. Email [email protected] and we'll send you the full policy text within one business day.

Equality Act 2010

Equal Opportunities Policy

Zim Digital is an equal opportunities employer and supplier committed to treating all individuals with dignity and respect.

Zim Digital is committed to providing equal opportunities and a working environment free from discrimination, harassment, and victimisation. We comply with the Equality Act 2010 and apply its principles to every aspect of our business — recruitment, supplier engagement, client relationships, and project delivery.

We do not discriminate on the basis of age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, or sexual orientation. We actively foster an inclusive working environment where everyone is treated fairly and with respect.

When delivering software for clients, we apply the same principles to the systems we build — accessibility (WCAG 2.2 AA), inclusive design, and avoidance of bias in any AI or automated decision systems we develop.

Concerns about equal opportunities can be raised in confidence with [email protected].

Cyber Essentials Certified · ISO 27001 aligned

Information Security Policy

Zim Digital protects client data and our own systems through Cyber Essentials certified controls, modern access management, and Microsoft Azure infrastructure with UK data residency.

Zim Digital is Cyber Essentials certified (verifiable on the Blockmark registry) and applies the same principles internally that we apply to client systems. Our information security posture is built on five pillars:

Access control. All systems are protected by strong authentication including multi-factor authentication where available. Access is granted on a least-privilege basis and reviewed regularly. Credentials are stored in encrypted password managers, never in plain text.

Endpoint protection. All workstations run modern operating systems with automatic security updates, anti-malware protection, and full-disk encryption. Lost or stolen devices can be remotely wiped.

Data residency and encryption. Client data is hosted exclusively in Microsoft Azure UK South data centres unless explicitly agreed otherwise. All data is encrypted in transit (TLS 1.2 or higher) and at rest. Backups are geo-redundant within the UK.

Patch management. Operating systems, application dependencies, and infrastructure components are kept up to date with security patches applied within 14 days of release for critical vulnerabilities.

Incident response. We maintain an incident response process for security incidents affecting client data or systems. Affected clients are notified within 24 hours of discovery, and we cooperate with the ICO and relevant authorities as required by UK GDPR.

Our information security practices align with ISO 27001 principles. While we are not currently certified to ISO 27001, our controls are designed to be compatible with the standard for clients who require it as part of their own compliance posture.

Service availability commitment

Business Continuity & Disaster Recovery

Zim Digital maintains business continuity plans to ensure client projects continue uninterrupted in the event of supplier outages, key person unavailability, or operational disruption.

Zim Digital maintains a documented business continuity plan covering the practical risks that affect a small UK consultancy. The plan addresses three categories: supplier outages, key person unavailability, and infrastructure disruption.

Supplier outages. We use widely available, well-supported services (Microsoft Azure, GitHub, EmailJS, HostingUK) and maintain documented fallback procedures for each. Critical services are configured for high availability where the underlying provider supports it.

Key person availability. As a small consultancy, we recognise that key person availability is a real risk. We mitigate this through comprehensive documentation, code repositories accessible to the client from day one, infrastructure-as-code definitions checked into version control, and a network of trusted external engineers we can scale into projects when needed. Clients always own their code, data, and infrastructure outright, so any work we do can be picked up by another team.

Infrastructure disruption. Client systems are deployed on Microsoft Azure with the appropriate redundancy for the client's risk tolerance and budget. Standard deployments include automated daily backups with 35-day point-in-time restore, geo-redundant storage, and documented disaster recovery procedures. Recovery point objective (RPO) and recovery time objective (RTO) are agreed with the client at the architecture stage and tested where appropriate.

We test our business continuity plan annually and update it in response to lessons learned from any actual incidents.

UK GDPR Article 28

Data Processing Agreement (DPA)

Zim Digital provides a standard Data Processing Agreement that complies with UK GDPR Article 28 requirements for any client engagement involving the processing of personal data.

Where Zim Digital processes personal data on behalf of a client, we operate as a Data Processor under UK GDPR. Our standard DPA covers the contractual requirements set out in Article 28, including:

Subject matter and duration of processing - tied to the engagement scope and contract term.

Nature and purpose of processing - what we do with the data and why, restricted to what's necessary for the engagement.

Categories of data subjects and personal data - explicitly listed for each engagement.

Obligations and rights of the controller (the client) - what you can ask of us and how we respond.

Sub-processors - any third-party providers we use (typically Microsoft Azure for hosting, possibly Postmark for transactional email) are listed and the client has the right to object before we engage new sub-processors.

International transfers - we do not transfer personal data outside the UK unless explicitly required by the engagement and authorised by the client. Azure UK South is our default hosting region.

Security measures - the technical and organisational measures we apply, including encryption, access control, and incident response.

Data subject rights - we assist clients in responding to data subject access requests, rectification, erasure, and portability requests within UK GDPR timeframes.

Audits and inspections - clients have the right to audit our compliance with the DPA on reasonable notice.

Return or destruction of data - at the end of the engagement, we return or securely destroy personal data as instructed by the client.

We can provide our standard DPA template on request, or work with your legal team to negotiate amendments where required.

These summaries are intended to help procurement teams quickly assess Zim Digital's compliance posture. They are not the complete policy documents. For tender responses, formal compliance audits, or supplier onboarding processes, please request the full documents.