Complementary User Entity Controls

Zayo implements security controls on its internal environment, systems, and applications. Customers must implement their own security controls to protect their own environments.

Does Zayo protect all sensitive information at rest?

Data at rest is encrypted, including all removable media (USB sticks, CDs, etc.), and there is a tool in place to prevent and monitor data loss.

Does Zayo protect sensitive information data in transit?

Data in transit encrypted and there is a tool in place to prevent and monitor data loss.

What customer data is collected or processed by Zayo?

Please refer to the Privacy Policy.

Is customer data hosted by Zayo?

No. While Zayo has protections in place to protect all data, Zayo does not host customer data. Processing and/or storage of personal data transferred by customers is limited to contact information (e.g., names, addresses, contact details, IP addresses) of customer employees, representatives, contractors or agents who are involved or interact with Zayo in the provision of services by Zayo to the customer under the agreement.  Zayo is not the controller of customer data. 

Will Zayo affiliates, subsidiaries, or parent companies have access to customer data?

Please refer to the Privacy Policy.  

Will data be shared with any third parties at any point?

Please refer to the Privacy Policy.

Is the organization PCI-DSS certified as its defined Merchant level?

With regards to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

• Merchant: Zayo accepts credit card payments from Customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded redirects where Customers engage directly with third party payment processors. Third party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
• Service Provider: Zayo provides services that may impact the security of Customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its Customers have shared PCI responsibilities. Customers are responsible for protecting its cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the Customer CDE. Zayo complies with its PCI requirements completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

What are your employees able to access when working remotely?

Virtual applications and desktop solutions, with full access to corporate data, internal and external systems.

Does Zayo classify its data to identify additional controls to safeguard information? (e.g. personally identifiable information, intellectual property, health data)

Data is classified regularly, during significant changes, and includes all use cases.

Does Zayo have a Data Classification Policy?

To ensure appropriate protection and handling of data, the Organization uses two classification criteria: Sensitivity and Criticality. Information owners, data custodians, and the Security Manager are responsible for ensuring that relevant information and systems are classified appropriately. For information on how to label physical assets, reach out to the appropriate team manager for documentation on the procedure. The labels must be easily recognizable and the labeling must be consistent with the classifications defined herein. If an asset or a document is not labeled, it must be considered as “Internal Use”.

The following sensitivity categories shall be used:

• Restricted – This is the highest classification. It applies to information that is highly sensitive and critical to the business. Unauthorized disclosure of this information could result in the inability to conduct business, severely impact the financial stability of the company, attract significant legal liability or place the company at a serious competitive disadvantage. Sensitive personal information of Users, which includes but is not limited to Social Insurance Number (SIN), Social Security Number (SSN) or Government- issued number, date of birth (DOB) and credit card numbers, etc. is also classified as restricted.
• Confidential – Confidential information is shared on a need-to-know basis only, and it must only be shared with those on the distribution list for that information. 
• Internal Use – This classification relates to all Organization business information. Access to this information must be restricted to Users in the Organization, and is not for general distribution outside of the organization. Examples include but are not limited to: general benefits program information, employee wellness descriptions, and other employee content.
• Public – This is information that can be presented to users outside of the Organization. This is data where its disclosure would not adversely affect the company, its Users, its Suppliers, or its customers. Examples include content for public-facing web properties, job postings, and public corporate contact information (e.g., mailing address, monitored phone numbers, and customer service contact information).

Which tools are used to protect data?

• Mobile Device Management, including remote wipe capability and password management, is in place to safeguard against data leakage
• Email monitoring tools to recognize, block, and limit potentially unsafe attachments, links, executables, etc.
• Web, phishing, document isolation through cloud-based virtualization
• Heuristic-based scanning to detect and prevent file encryption

Does Zayo host customer data?

No. Zayo acts as a processor, not a controller of customer data. Customer personal data retained by the Organization is limited to billing information and service provisioning, and is stored separately from our solutions environment. Any processing or storage of personal data is primarily limited to customer contact information necessary for service provisions. The Organization conducts comprehensive reviews of its data processing activities, including internal data transfer assessments and resulting Data Processing Addendums (DPAs) to ensure compliance.

How does Zayo interact with customer data?

Fiber & Transport and Network Connectivity: Zayo provides infrastructure and bandwidth services that permit customers to transport data in accordance with customer contractual requirements. The customer is responsible for ensuring the data transmitted through these services is appropriately protected and compliant with current privacy legislation. Although the information moving through company infrastructure may include customer information, Zayo is not acting in the role of processor of customer data, and Zayo does not possess any direct or administrative access to any customer content that is transmitted through our communication infrastructure. This separation is maintained through both technological and security controls implemented on our service architecture.

Cloud services (Object Based Storage Services): Zayo provides and operates cloud based capabilities and infrastructure that permit storage and lifecycle management activities for customer content. Zayo only permits access by a limited number of employees to customer-stored content at the request of the authorized customer party requesting Zayo to access such content, and such access by Zayo employees is limited to certain administrative functions, such as resetting passwords to provide the authorized customer party access to customer content. Zayo requires these employees to read, understand, and acknowledge compliance with Zayo’s policies governing such access. Through the Cloud Services Offering, Zayo is acting in the role of a processor on behalf of the customer (the controller). Zayo has prepared a Data Processor Addendum (“DPA”) in accordance with GDPR Article 28. Customers may make a request through their designated Zayo contact to initiate the process for executing a DPA.

Voice services: Zayo provides cloud-based voice and collaboration solutions that deliver voice and PBX features, video meetings and messaging, and contact management features through an intuitive cloud interface. Customers may access a dashboard of reports, and may subscribe to a call recording feature. To access the customer dashboard, a new user receives a system-generated password in a separate email from the application setup instructions. The user is instructed to change the password and neither the customer administrator nor Zayo have access to user passwords. Zayo has an application management password for all applications, including our call recording solutions. Zayo only permits access by a limited number of employees for the purpose of providing customer assistance and troubleshooting. Access to Zayo’s highest level master portal is limited to a select few employees.

Customer portals for programming phones may be accessed only by select Zayo employees upon request of the customer. These portals are limited to phone systems and do not provide access to applications such as meetings or call recordings.

Zayo provides telecommunications and infrastructure offerings to customers globally. As part of providing those offerings, Zayo may act as a processor. Zayo collects and stores Personal Data for purposes of providing its offerings, informing Customers of additional offerings, tracking use activity on its websites, and marketing efforts related to its offerings.

How does Zayo use customer data?

Zayo uses customer data for the following purposes:

• Contract Administration: Zayo processes personal data contact information as necessary for the performance of offerings pursuant to a contract between Zayo and its Customer. Contact information is needed for ongoing contract administration, to provide Customer notices and service announcements, to assist with service incident resolution, to install and maintain services on Customer premises and to address billing and payment inquiries.
• Physical Security Controls: Zayo processes identity information as necessary for the performance of a contract between Zayo and the Customer. Customer contracts require that physical security controls be implemented to prevent unauthorized access to colocation facilities and Customer equipment. Identity information is collected to authenticate individuals based on Customer approvals.
• Traffic Data: Zayo monitors and processes network traffic data consistent with its legitimate interests to support the offerings provided pursuant to a contract between Zayo and its Customer, to ensure the integrity of services and to support security incident and event management functions.
• Website: Zayo processes website visitor information and contact information with our legitimate interest to offer and provide products and services, send promotional materials and marketing communications regarding programs, offers and surveys, deliver targeted online advertising, communicate with returning visitors and auto fill web-based forms, respond to inquiries and to operate, evaluate and improve our business. Zayo processes website application information with our legitimate interest to create and maintain user credentials to allow authenticated user access to self-serve functions related to telecommunication services or to submit recruitment information for consideration of employment.

In what instances is customer personal data processed?

When personal data is processed, it is processed in the following instances:

• Contact Information: Zayo receives personal data from data subjects in their role as employees of our Customers. Information required by Zayo to enable communications with Customers, administer Customer accounts, and in accordance with contractual obligations is limited to name, business address, telephone number, job title, and email address. Zayo may also collect certain publicly available social media information to facilitate provisioning of our offerings and communications with our Customers.
• Website Application and Other Associated Service Portals: Zayo processes personal data contact information associated with the creation of application user credentials (eg. Tranzact, Workday recruitment, Zayo service portals, etc.), and collects website visitor information in the form of generic website statistics and cookies including device, operating system and browser type, country and time zone indicators and other system settings. Zayo collects this information directly from data subjects through the interaction and use of our websites. See the Zayo Cookie Notice for more specific details on data collection, use, and ability to block cookies.
• Marketing: Zayo utilizes websites for the display of corporate information as well as to market and transact Zayo Offerings. Customers and website visitors interact with various functions on these pages that may require the collection and use of Personal Data to complete those functions.
• Opt Out: If Zayo uses personal data for the purpose of sending Customers sales and marketing communications, Customers may manage the receipt of marketing and non-transactional communications from Zayo, click the Manage preference link located on the bottom of Zayo marketing emails.
• Submission of Personal Data by Customer: In cases where contact information is provided by the Customer in accordance with contractual requirements, the Customer is responsible for ensuring that any personal data submitted to Zayo has been obtained in accordance with relevant data protection requirements and that, where applicable, Customer has obtained any required consent from the data subject prior to providing personal data to Zayo.
• Identity Information: For Customers that require access to Zayo facilities, Zayo collects government issued identity information (e.g., drivers license, passport), palm or fingerprint biometric identifiers, and CCTV video image. Zayo collects this information directly from the data subject at each designated Zayo facility.
• Network Traffic Data: Zayo collects data that is captured through system logging and data flow management systems including, but not limited to, source and destination Internet Protocol (IP) addresses and domain name, date and time indicators, and other network layer protocol header information as collected based on service capabilities. Although IP addresses are collected within network traffic logs, Zayo does not possess the necessary capabilities without the involvement of the impacted Customer to identify an individual.

What privacy laws and regulations does Zayo comply with?

Zayo’s security program is based upon the Unified Compliance Framework (UCF) and structured around a set of control objective categories addressing controls from a multitude of authoritative industry standards and requirements. Authoritative privacy requirements incorporated into Zayo’s security program include, but are not limited to:

• California Consumer Protection Act (CCPA)
• Colorado Privacy Act
• General Data Protection Regulation (GDPR)
• Payment Card Information Data Security Standard (PCI-DSS)
• Personal Information Protection and Electronic Documents Act (PIPEDA)

For more information about the UCF, refer to  https://www.unifiedcompliance.com/home.

Is Zayo PCI compliant?

With regards to PCI, Zayo is both a Merchant and a Service Provider. In both instances, the scope of responsibilities the Organization shares in protecting PCI is limited, as Zayo does not store, transmit, process, or dispose of cardholder data or maintain a Cardholder Data Environment (CDE).

• Merchant: Zayo accepts credit card payments from Customers through customer account management portals and an Integrated Voice Response (IVR) system. These mechanisms provide a branded interface (wrapper) and coded redirects where Customers engage directly with third party payment processors. Third party payment processors use tokenized authorization methods to confirm identity and access before accepting, storing, or processing cardholder data on behalf of Zayo. Zayo complies with its PCI requirements and completes an SAQ-A-ER on an annual basis.
• Service Provider: Zayo provides services that may impact the security of Customers who store, transmit, process, or dispose of cardholder data. As a Service Provider, Zayo and its Customers have shared PCI responsibilities. Customers are responsible for protecting its cardholder data and CDE, and Zayo is responsible for protecting the network and service components of the Customer CDE. Zayo complies with its PCI requirements completes Attestations of Compliance (AOCs) for its relevant service provider services annually. For more information about shared PCI responsibilities, refer to the PCI-DSS v4.0 Service Provider Responsibility Matrix.

What are my Data Subject rights as a customer?

As a customer you have:

• Right to Access: Individuals may request access to their personal data
• Right to Correction: Individuals may request to rectify inaccuracy of their data
• Right to Erasure: Individuals may request deletion of their data, subject to legal and regulatory obligations
• Right to Restriction of Processing: Individuals may request their data in a structured, commonly used format
• Right to Data Portability: Individuals may object to data processing based on legitimate interests or direct marketing
• Right to Opt Out: Individuals may opt out of the sale of their personal information
• Right to Not Be Discriminated Against: Individuals may exercise their privacy rights without discrimination

Customers may manage the receipt of marketing and non-transactional communications from Zayo by clicking the Manage preference link located on the bottom of Zayo marketing emails.

Customers may update, correct, or remove personal data or to object to the processing of their information related to website visit or web application support, by contacting privacy.office@zayo.com or by using the Support options on portals or applications.

Can Zayo transfer customer data across borders?

The Organization is not prohibited from transferring personal information to an organization in another jurisdiction for processing. However, the Organization is held accountable for the protection of personal information transfers under each individual outsourcing arrangement.

The Organization is responsible for protecting personal information under its control. Personal information may be transferred to third parties for processing but contractual or other means are required to provide a comparable level of protection while the information is being processed by the third party.

Does Zayo share customer data with third parties?

Generally, Zayo may disclose customer personal data: (i) as set forth in a Data Processor Addendum (DPA) between Zayo and a customer; (ii) as required by law or legal process; (iii) to law enforcement authorities or other government entities; and (iv) when Zayo believes disclosure is necessary or appropriate to prevent harm or financial loss, or in connection with an investigation of alleged fraudulent or illegal activity.

Zayo endeavors to limit data transfers wherever possible, however, Zayo does provide personal data, limited to name, contact information, and title, to its sub-processors to fulfill its obligations to its customers and for administrative purposes. Where such data transfers are necessary, Zayo ensures that recipients of this data have appropriate safeguards and contractual terms in place, including Standard Contractual Clauses under GDPR where applicable.

When Zayo transfers personal information for processing, it can only be used for the purposes for which the information was originally collected. “Processing” is interpreted to include any use of the information by a third party processor for a purpose for which the transferring organization can use it. 

Third party processors must provide protection that can be compared to the level of protection the personal information would receive if it had not been transferred. It does not mean that the protections must be the same across the board, but it does mean that they should be generally equivalent.

How is customer data retained and disposed of?

Zayo retains personal data contact information and website application information for as long as the customer maintains an active account and for seven (7) years after account termination in order to comply with legal and financial reporting obligations. In some cases, such as when required by law or rule, Zayo will keep personal data contact information for longer periods (e.g., E-Rate retention requirements). For all other cases, when personal data contact information is no longer required in support of a defined purpose, it is properly and securely deleted.

How does Zayo handle data breaches?

Events involving unauthorized access, release, theft, or use of sensitive, protected, or confidential customer data are treated as security incidents by the Organization. Upon incident identification and confirmation, Zayo:

• Takes immediate steps to secure systems and prevent further unauthorized access.
• Assesses what data was exposed, identifies the customers affected, and evaluates potential risks.
• Promptly notifies customers via email about the breach and informs them of any actions they should take, such as changing passwords or monitoring accounts.
• Notifies regulatory authorities as per applicable laws. 
• Offers support services as applicable to the incident.
• Provides updates on any investigation, steps to breach resolution, and inform customers about any necessary further actions.
• Reviews the incident, identifies root causes, and strengthens security measures to prevent future breaches.

How do I report a data breach?

If you suspect a data breach incident, immediately contact our Privacy Office at privacy.office@zayo.com.

Does Zayo have a Business Continuity Plan (BCP) and a Disaster Recovery (DR) plan?

Zayo’s Incident Management Plan and Business Continuity Management Program program includes: Identification of a cyber security incident, investigation of the situation (including triage), taking appropriate action (e.g. containing the incident and eradicating its source), reporting to relevant stakeholders, and recovering from a cyber security incident. Zayo treats all events with equal urgency and tests during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after incident reports.

BC/DR plans enable recovery from the following events:

• Critical technology or software failure
• Critical technology supplier or utility failure
• Loss or corruption of any critical information
• Disclosure of critically sensitive information

Have Zayo Business Continuity (BCP) and Disaster Recovery (DR) plans been assessed, developed, and tested for large scale remote working?

The Organization’s Business Impact Analysis considers resource requirements during large scale remote working arrangements. BCP and DR strategies and runbooks are developed to address large scale remote working, and tabletop exercises and simulations include large scale remote working scenarios. Zayo tests its resiliency plans on an annual basis and as real world incidents occur.

What does the BC/DR exercise program include?

• Exercises are conducted and updated on a regular, planned basis
• Exercises cover all operations required to resume business
• Each exercise has a post-exercise report with recommendations for improvement
• All key personnel participate in BCP/DR plan exercises
• BCP/DR plan exercises include critical systems recovery

Does Zayo have a disaster response plan that includes contingency plans and response protocols for potential short-term acute events (e.g., hurricane, earthquake, flooding, and etc.) and long-term climate related risks impact (e.g.; changes in precipitation, increased average temperature, and sea level rise)?

Zayo’s Incident Management Plan and Business Continuity Management Program program treats all scenarios and events with equal urgency and tests during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after incident reports.

Does Zayo’s Disaster Recovery plan include how to manage potential increases in frequency, severity, or duration of weather events?

Zayo’s Incident Management Plan and Business Continuity Management Program program treats all scenarios and events with equal urgency and tests during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after incident reports.

Has Zayo conducted vulnerability assessments, risk assessment, or other calculations to identify what impact physical risks associated with climate related risks (e.g., increases in precipitation-driven flooding, extreme heat events, and inundation due to sea level rise and storm surge) might have on your assets, products, and/or services?

Yes.

Does the Organization have a Disaster Recovery plan that includes contingency plans and response protocols for potential short-term acute events (e.g., hurricane, earthquake, flooding, and etc.) and long-term climate related risks impact (e.g.; changes in precipitation, increased average temperature, and sea level rise)?

Zayo’s Incident Management Plan and Business Continuity Management Program program treats all scenarios and events with equal urgency and tests during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after incident reports.

Does Zayo’s Disaster Recovery plan include how to manage potential increases in frequency, severity, or duration of weather events?

Zayo’s Incident Management Plan and Business Continuity Management Program program treats all scenarios and events with equal urgency and tests during all real-time events. Outside of real-time events, the Incident Management Plan is tested on an annual basis through tabletop exercises and after incident reports.

Does the Disaster Recovery plan describe which assets, products, services would most significantly disrupt operations if they experienced short term acute damage (immediate failure, either temporary or catastrophic)?

Yes.

Does the disaster response plan describe which assets, products, services, would most significantly disrupt operations if they experienced gradual long-term cumulative damage (slower degradation; greater wear and tear)?

Yes.

What do Zayo backup processes cover?

• Applications
• Databases
• Endpoints
• Network Drives (including those used by individuals)
• Collaboration tools
• System configurations
• OT-related systems (if applicable)

What do Zayo backup processes include?

• Backup frequency is defined by business criticality
• Backup restores are performed at a frequency defined by business criticality
• Backup data is periodically audited for completeness and accuracy
• Backups are encrypted

Which cloud provider services are utilized by Zayo as part of the backup strategy to accelerate the recovery of data loss?

Zayo utilizes cloud solutions that offer cloud-based data storage and email.

Does Zayo have sufficient redundancies in place to ensure the availability of information processing facilities?

Redundancy is built into Zayo systems for failover events. Backups for power, operations centers, IT systems, and data are also in place. 

What kind of backup system is used for devices that connect remotely?

Backup of all data is enabled, performed locally and centrally at regularly scheduled intervals in alignment with data/security policies.

Does Zayo have a cybersecurity Incident Response Plan?

Yes. Zayo’s cybersecurity Incident Response Plan is in place and addresses the following:

• Identification of a cyber security incident
• Investigation of the situation (including triage)
• Taking appropriate action (e.g. containing the incident and eradicating its source)
• Reporting to relevant stakeholders
• Recovering from a cyber security incident

How often does Zayo review and update incident response plans?

Incident response plans are reviewed and updated at least annually.

Are tabletop exercises performed?

Yes. Tabletop exercises are performed with the following requirements:

• Tabletop exercises are based on emerging risks and threats
• Tabletop exercises involve stakeholders listed in an incident response plan
• Tabletop exercises involve senior management
• Lessons learned/improvement actions are documented after tabletop exercises

Has Zayo partnered with any incident response security vendors?

Yes. Zayo has partnered with incident response security vendors for the following purposes:

• Notification & Monitoring
• Breach Prevention

Do you have a documented incident response process and a dedicated incident response team?

Yes.

What is Zayo’s process for reviewing and exercising the resiliency plan?

Zayo continuously tests its resiliency protocols and exercises the plans annually and during real-world events that are managed and escalated appropriately.

What is Zayo’s process to ensure customers and external entities (such as government agencies) are notified of an incident when a product or service is impacted?

Customers and external entities are notified by email when an impactful incident occurs. Zayo is also implementing a system of notification in the online Trust Center.

Does Zayo have processes or procedures to recover full functionality, including integrity verification, following a major cybersecurity incident?

Yes.

Do you insure for financial harm from a major cybersecurity incident (e.g., self-insure, third party, parent company, etc.)?

Yes.

Does coverage include financial harm to Zayo customers resulting from a cybersecurity breach which has impacted your company?

Yes, to the extent of Zayo’s liability. Zayo is not the controller of customer data.

What is phishing?

Phishing is a cyberattack where attackers impersonate trusted sources to trick individuals into revealing sensitive information, such as login credentials, financial data, or personal details.

How does social engineering differ from phishing?

Social engineering is a broader tactic that manipulates individuals into divulging confidential information or performing actions that compromise security. Phishing is a specific type of social engineering that typically occurs via email, text, or fake websites.

Why is phishing a major security threat?

Phishing is one of the most common and successful attack methods because it exploits human trust rather than technical vulnerabilities. It can lead to data breaches, financial losses, and system compromises.

What are the different types of phishing attacks?

Common phishing attacks include:

• Email Phishing – Deceptive emails posing as legitimate requests.
• Spear Phishing – Targeted emails customized for specific individuals.
• Smishing – Fraudulent SMS messages leading to fake login pages.
• Vishing – Phone-based scams impersonating IT or financial institutions.
• Whaling – Targeted attacks on executives or high-level employees.
• Pretexting – Scammers create a false scenario to gain trust

What should I do if I receive a suspicious email or message?

Do not click on links, download attachments, or respond. Instead, report the email as phishing through your email client or your security team.

How can I recognize a phishing attempt?

Be cautious of emails or messages that:

• Create urgency (e.g., “Your account will be locked in 24 hours!”)
• Request sensitive information like passwords or financial data
• Have unexpected attachments or suspicious links
• Come from unusual or misspelled email addresses

What are some best practices to avoid phishing attacks?

Follow these guidelines:

• Verify the sender before responding or clicking links.
• Hover over links to check their actual destination before clicking.
• Never provide sensitive information via email, phone, or text.
• Keep your passwords secure and enable multi-factor authentication (MFA).