Trust Center

Privacy Statement

Last Updated: April 9, 2025 1:32 pm MDT

At Zayo, we know how important data and privacy protection is to our Customers and individuals. Zayo Group and its subsidiaries and Zayo Europe and its subsidiaries (“The Organization”) are committed to protecting your information. Please read the Privacy Policy (“Policy”) carefully as it sets out the information related to how we collect and handle your personal information. We have created this privacy statement to explain our approach to the collection, use, and disclosure of customer information while using our services or as you interact with our website and customer portals. This Statement aligns with the transparency requirements of the data privacy regulations in the United States, EU, and Canada. United States FCC regulations further obligate the Organization with respect to Customer Proprietary Network Information (CPNI).

In the course of doing business with the Organization, you may share personal, business, and financial information with us. We treat this information as confidential and recognize the importance of protecting access to it. You should note, however, that it is impossible to guarantee that such information is or will be completely safe from unauthorized access or use.

You may provide information when communicating or transacting with us in writing, electronically, or by telephone. For instance, information may come from requests for forms or literature, contracts, and your transactions and account positions with us. On occasion, such information may come from outside agencies or communications providers, and others that provide services to us. In addition, Zayo may collect information during visits to our websites, usually in the form of cookies, registration forms, and log files. See the Zayo Cookie Notice for more specific details on data collection, use, and ability to block cookies.

Zayo does not sell information about current or former customers to any unrelated third parties, and we do not disclose it to third parties unless necessary to process a transaction or service an account to:

  • Protect the security and integrity of this website and our services and network
  • Protect our rights and property and the rights and property of others
  • Respond to claims that submitted information violates the rights or interest of third parties
  • Take precautions against liability
  • Correct technical problems and malfunctions in how this website operates and in our systems and services, pursuant to a Customer’s specific direction, or as otherwise permitted or required by law or legal process

In the event we or any of our affiliates or subsidiaries are acquired by another entity or merge with a third party, information you provide to us may be transferred to that entity or one or more of its affiliates. We will take steps to inform the entity or any successor entity that it will be bound to respect the provisions of this Policy with regard to any personal information in its possession prior to the acquisition or merger. In the event of bankruptcy, both this policy and the provisions of applicable law will apply.

Zayo may use information you provide to inform you about additional services and products offered by the Zayo family of companies and authorized agents whose offerings might be of interest to you, unless you instruct otherwise, and in accordance with applicable laws and regulations.

Zayo.com may contain links to third party websites. While we try to link only to sites that share our standards and respect for privacy, we are not responsible for the content or the privacy practice of any third party websites. For this reason, we encourage you to review the privacy policies of these websites before disclosing any personal information to or through them.

If you have any questions or concerns about this Privacy Statement, the Privacy Policy, or the privacy practices of Zayo, please contact our Privacy Office, in writing, at privacy.office@zayo.com or write to one of the following physical addresses:

Head office
Zayo Group LLC
1401 Wynkoop St #500
Denver, Colorado 80202		European office
Zayo Group UK Limited
4th Floor, The Relay Building
114 Whitechapel High Street
London E1 7PT UK

If you suspect a data breach incident, immediately contact our Privacy Office at privacy.office@zayo.com.

To manage the receipt of marketing and non-transactional communications from Zayo, click the Manage preference link located on the bottom of Zayo marketing emails.

For information about or to opt out of promotional communications from Zayo and CPNI, please visit https://www.zayo.com/optout/.

FAQs

Select a topic to view FAQs by category.

  • Data Privacy

    Does Zayo host customer data?

    No. Zayo acts as a processor, not a controller of customer data. Customer personal data retained by the Organization is limited to billing information and service provisioning, and is stored separately from our solutions environment. Any processing or storage of personal data is primarily limited to customer contact information necessary for service provisions. The Organization conducts comprehensive reviews of its data processing activities, including internal data transfer assessments and resulting Data Processing Addendums (DPAs) to ensure compliance.

    How does Zayo interact with customer data?

    Fiber & Transport and Network Connectivity: Zayo provides infrastructure and bandwidth services that permit customers to transport data in accordance with customer contractual requirements. The customer is responsible for ensuring the data transmitted through these services is appropriately protected and compliant with current privacy legislation. Although the information moving through company infrastructure may include customer information, Zayo is not acting in the role of processor of customer data, and Zayo does not possess any direct or administrative access to any customer content that is transmitted through our communication infrastructure. This separation is maintained through both technological and security controls implemented on our service architecture.

    Cloud services (Object Based Storage Services): Zayo provides and operates cloud based capabilities and infrastructure that permit storage and lifecycle management activities for customer content. Zayo only permits access by a limited number of employees to customer-stored content at the request of the authorized customer party requesting Zayo to access such content, and such access by Zayo employees is limited to certain administrative functions, such as resetting passwords to provide the authorized customer party access to customer content. Zayo requires these employees to read, understand, and acknowledge compliance with Zayo’s policies governing such access. Through the Cloud Services Offering, Zayo is acting in the role of a processor on behalf of the customer (the controller). Zayo has prepared a Data Processor Addendum (“DPA”) in accordance with GDPR Article 28. Customers may make a request through their designated Zayo contact to initiate the process for executing a DPA.

    Voice services: Zayo provides cloud-based voice and collaboration solutions that deliver voice and PBX features, video meetings and messaging, and contact management features through an intuitive cloud interface. Customers may access a dashboard of reports, and may subscribe to a call recording feature. To access the customer dashboard, a new user receives a system-generated password in a separate email from the application setup instructions. The user is instructed to change the password and neither the customer administrator nor Zayo have access to user passwords. Zayo has an application management password for all applications, including our call recording solutions. Zayo only permits access by a limited number of employees for the purpose of providing customer assistance and troubleshooting. Access to Zayo’s highest level master portal is limited to a select few employees.

    Customer portals for programming phones may be accessed only by select Zayo employees upon request of the customer. These portals are limited to phone systems and do not provide access to applications such as meetings or call recordings.

    Zayo provides telecommunications and infrastructure offerings to customers globally. As part of providing those offerings, Zayo may act as a processor. Zayo collects and stores Personal Data for purposes of providing its offerings, informing Customers of additional offerings, tracking use activity on its websites, and marketing efforts related to its offerings.

    How does Zayo use customer data?

    Zayo uses customer data for the following purposes:

    • Contract Administration: Zayo processes personal data contact information as necessary for the performance of offerings pursuant to a contract between Zayo and its Customer. Contact information is needed for ongoing contract administration, to provide Customer notices and service announcements, to assist with service incident resolution, to install and maintain services on Customer premises and to address billing and payment inquiries.
    • Physical Security Controls: Zayo processes identity information as necessary for the performance of a contract between Zayo and the Customer. Customer contracts require that physical security controls be implemented to prevent unauthorized access to colocation facilities and Customer equipment. Identity information is collected to authenticate individuals based on Customer approvals.
    • Traffic Data: Zayo monitors and processes network traffic data consistent with its legitimate interests to support the offerings provided pursuant to a contract between Zayo and its Customer, to ensure the integrity of services and to support security incident and event management functions.
    • Website: Zayo processes website visitor information and contact information with our legitimate interest to offer and provide products and services, send promotional materials and marketing communications regarding programs, offers and surveys, deliver targeted online advertising, communicate with returning visitors and auto fill web-based forms, respond to inquiries and to operate, evaluate and improve our business. Zayo processes website application information with our legitimate interest to create and maintain user credentials to allow authenticated user access to self-serve functions related to telecommunication services or to submit recruitment information for consideration of employment.

    In what instances is customer personal data processed?

    When personal data is processed, it is processed in the following instances:

    • Contact Information: Zayo receives personal data from data subjects in their role as employees of our Customers. Information required by Zayo to enable communications with Customers, administer Customer accounts, and in accordance with contractual obligations is limited to name, business address, telephone number, job title, and email address. Zayo may also collect certain publicly available social media information to facilitate provisioning of our offerings and communications with our Customers.
    • Website Application and Other Associated Service Portals: Zayo processes personal data contact information associated with the creation of application user credentials (eg. Tranzact, Workday recruitment, Zayo service portals, etc.), and collects website visitor information in the form of generic website statistics and cookies including device, operating system and browser type, country and time zone indicators and other system settings. Zayo collects this information directly from data subjects through the interaction and use of our websites. See the Zayo Cookie Notice for more specific details on data collection, use, and ability to block cookies.
    • Marketing: Zayo utilizes websites for the display of corporate information as well as to market and transact Zayo Offerings. Customers and website visitors interact with various functions on these pages that may require the collection and use of Personal Data to complete those functions.
    • Opt Out: If Zayo uses personal data for the purpose of sending Customers sales and marketing communications, Customers may manage the receipt of marketing and non-transactional communications from Zayo, click the Manage preference link located on the bottom of Zayo marketing emails.
    • Submission of Personal Data by Customer: In cases where contact information is provided by the Customer in accordance with contractual requirements, the Customer is responsible for ensuring that any personal data submitted to Zayo has been obtained in accordance with relevant data protection requirements and that, where applicable, Customer has obtained any required consent from the data subject prior to providing personal data to Zayo.
    • Identity Information: For Customers that require access to Zayo facilities, Zayo collects government issued identity information (e.g., drivers license, passport), palm or fingerprint biometric identifiers, and CCTV video image. Zayo collects this information directly from the data subject at each designated Zayo facility.
    • Network Traffic Data: Zayo collects data that is captured through system logging and data flow management systems including, but not limited to, source and destination Internet Protocol (IP) addresses and domain name, date and time indicators, and other network layer protocol header information as collected based on service capabilities. Although IP addresses are collected within network traffic logs, Zayo does not possess the necessary capabilities without the involvement of the impacted Customer to identify an individual.

    What privacy laws and regulations does Zayo comply with?

    Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. Authoritative privacy requirements incorporated into Zayo’s security program include, but are not limited to:

    • California Consumer Protection Act (CCPA)
    • Colorado Privacy Act
    • General Data Protection Regulation (GDPR)
    • Payment Card Information Data Security Standard (PCI-DSS)
    • Personal Information Protection and Electronic Documents Act (PIPEDA)

    For more information about the UCF, refer to  https://www.unifiedcompliance.com/home.

    Is Zayo PCI compliant?

    With regards to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

    • Merchant: Zayo accepts credit card payments from Customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded redirects where Customers engage directly with third party payment processors. Third party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
    • Service Provider: Zayo provides services that may impact the security of Customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its Customers have shared PCI responsibilities. Customers are responsible for protecting its cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the Customer CDE. Zayo complies with its PCI requirements completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

    What are my Data Subject rights as a customer?

    As a customer you have:

    • Right to Access: Individuals may request access to their personal data
    • Right to Correction: Individuals may request to rectify inaccuracy of their data
    • Right to Erasure: Individuals may request deletion of their data, subject to legal and regulatory obligations
    • Right to Restriction of Processing: Individuals may request their data in a structured, commonly used format
    • Right to Data Portability: Individuals may object to data processing based on legitimate interests or direct marketing
    • Right to Opt Out: Individuals may opt out of the sale of their personal information
    • Right to Not Be Discriminated Against: Individuals may exercise their privacy rights without discrimination

    Customers may manage the receipt of marketing and non-transactional communications from Zayo by clicking the Manage preference link located on the bottom of Zayo marketing emails.

    Customers may update, correct, or remove personal data or to object to the processing of their information related to website visit or web application support, by contacting privacy.office@zayo.com or by using the Support options on portals or applications.

    Can Zayo transfer customer data across borders?

    The Organization is not prohibited from transferring personal information to an organization in another jurisdiction for processing. However, the Organization is held accountable for the protection of personal information transfers under each individual outsourcing arrangement.

    The Organization is responsible for protecting personal information under its control. Personal information may be transferred to third parties for processing but contractual or other means are required to provide a comparable level of protection while the information is being processed by the third party.

    Does Zayo share customer data with third parties?

    Generally, Zayo may disclose customer personal data: (i) as set forth in a Data Processor Addendum (DPA) between Zayo and a customer; (ii) as required by law or legal process; (iii) to law enforcement authorities or other government entities; and (iv) when Zayo believes disclosure is necessary or appropriate to prevent harm or financial loss, or in connection with an investigation of alleged fraudulent or illegal activity.

    Zayo endeavors to limit data transfers wherever possible, however, Zayo does provide personal data, limited to name, contact information, and title, to its sub-processors to fulfill its obligations to its customers and for administrative purposes. Where such data transfers are necessary, Zayo ensures that recipients of this data have appropriate safeguards and contractual terms in place, including Standard Contractual Clauses under GDPR where applicable.

    When Zayo transfers personal information for processing, it can only be used for the purposes for which the information was originally collected. “Processing” is interpreted to include any use of the information by a third party processor for a purpose for which the transferring organization can use it. 

    Third party processors must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred. It does not mean that the protections must be the same across the board, but it does mean that they should be generally equivalent.

    How is customer data retained and disposed of?

    Zayo retains personal data contact information and website application information for as long as the customer maintains an active account and for seven (7) years after account termination in order to comply with legal and financial reporting obligations. In some cases, such as when required by law or rule, Zayo will keep personal data contact information for longer periods (e.g., E-Rate retention requirements). For all other cases, when personal data contact information is no longer required in support of a defined purpose, it is properly and securely deleted.

    How does Zayo handle data breaches?

    Events involving unauthorized access, release, theft, or use of sensitive, protected, or confidential customer data are treated as security incidents by the Organization. Upon incident identification and confirmation, Zayo:

    • Takes immediate steps to secure systems and prevent further unauthorized access.
    • Assesses what data was exposed, identifies the customers affected, and evaluates potential risks.
    • Promptly notifies customers via email about the breach and informs them of any actions they should take, such as changing passwords or monitoring accounts.
    • Notifies regulatory authorities as per applicable laws. 
    • Offers support services as applicable to the incident.
    • Provides updates on any investigation, steps to breach resolution, and inform customers about any necessary further actions.
    • Reviews the incident, identifies root causes, and strengthens security measures to prevent future breaches.

    How do I report a data breach?

    If you suspect a data breach incident, immediately contact our Privacy Office at privacy.office@zayo.com.

  • Data Security

    Zayo implements security controls on its internal environment, systems, and applications. Customers must implement their own security controls to protect their own environments.

    Does Zayo protect all sensitive information at rest?

    Data at rest is encrypted, including all removable media (USB sticks, CDs, etc.), and there is a tool in place to prevent and monitor data loss.

    Does Zayo protect sensitive information data in transit?

    Data in transit encrypted and there is a tool in place to prevent and monitor data loss.

    What customer data is collected or processed by Zayo?

    Please refer to the Privacy Policy.

    Is customer data hosted by Zayo?

    No. While Zayo has protections in place to protect all data, Zayo does not host customer data. Processing and/or storage of personal data transferred by customers is limited to contact information (e.g., names, addresses, contact details, IP addresses) of customer employees, representatives, contractors or agents who are involved or interact with Zayo in the provision of services by Zayo to the customer under the agreement.  Zayo is not the controller of customer data. 

    Will Zayo affiliates, subsidiaries, or parent companies have access to customer data?

    Please refer to the Privacy Policy.  

    Will data be shared with any third parties at any point?

    Please refer to the Privacy Policy.

    Is the organization PCI-DSS certified as its defined Merchant level?

    With regards to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

    • Merchant: Zayo accepts credit card payments from Customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded redirects where Customers engage directly with third party payment processors. Third party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
    • Service Provider: Zayo provides services that may impact the security of Customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its Customers have shared PCI responsibilities. Customers are responsible for protecting its cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the Customer CDE. Zayo complies with its PCI requirements completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

    What are your employees able to access when working remotely?

    Virtual applications and desktop solutions, with full access to corporate data, internal and external systems.

    Does Zayo classify its data to identify additional controls to safeguard information? (e.g. personally identifiable information, intellectual property, health data)

    Data is classified regularly, during significant changes, and includes all use cases.

    Does Zayo have a Data Classification Policy?

    To ensure appropriate protection and handling of data, the Organization uses two classification criteria: Sensitivity and Criticality. Information owners, data custodians, and the Security Manager are responsible for ensuring that relevant information and systems are classified appropriately. For information on how to label physical assets, reach out to the appropriate team manager for documentation on the procedure. The labels must be easily recognizable and the labeling must be consistent with the classifications defined herein. If an asset or a document is not labeled, it must be considered as “Internal Use”.

    The following sensitivity categories shall be used:

    • Restricted – This is the highest classification. It applies to information that is highly sensitive and critical to the business. Unauthorized disclosure of this information could result in the inability to conduct business, severely impact the financial stability of the company, attract significant legal liability or place the company at a serious competitive disadvantage. Sensitive personal information of Users, which includes but is not limited to Social Insurance Number (SIN), Social Security Number (SSN) or Government- issued number, date of birth (DOB) and credit card numbers, etc. is also classified as restricted.
    • Confidential – Confidential information is shared on a need-to-know basis only, and it must only be shared with those on the distribution list for that information. 
    • Internal Use – This classification relates to all Organization business information. Access to this information must be restricted to Users in the Organization, and is not for general distribution outside of the organization. Examples include but are not limited to: general benefits program information, employee wellness descriptions, and other employee content.
    • Public – This is information that can be presented to users outside of the Organization. This is data where its disclosure would not adversely affect the company, its Users, its Suppliers, or its customers. Examples include content for public-facing web properties, job postings, and public corporate contact information (e.g., mailing address, monitored phone numbers, and customer service contact information).

    Which tools are used to protect data?

    • Mobile Device Management, including remote wipe capability and password management, is in place to safeguard against data leakage
    • Email monitoring tools to recognize, block, and limit potentially unsafe attachments, links, executables, etc.
    • Web, phishing, document isolation through cloud-based virtualization
    • Heuristic-based scanning to detect and prevent file encryption