Data Protection Policy

Last updated: 6 July 2026

Zest Assure, a trading name of Juicy Media Ltd, provides a compliance platform that organisations use to manage ISO 9001, ISO 27001, Cyber Essentials and Cyber Essentials Plus certification — including compliance workspaces, evidence management, reviews, assessor collaboration, staff training and audit-ready exports. Because our customers trust the platform with personal data belonging to their staff, assessors and stakeholders, protecting that data is central to how we operate. This policy explains how we meet our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, supported by our own ISO 9001 and ISO 27001 certified management systems.

Data controller registration

Juicy Media Ltd is registered with the Information Commissioner's Office under registration number Z1589829. The company is registered in England & Wales under company number 05514688, with its registered office at DiSH, Heron House, 47 Lloyd Street, Manchester, M2 5LN.

Questions about this policy or our handling of personal data can be sent to [email protected] or raised by telephone on 0161 464 9252.

Purpose of data processing

We process personal data for the purpose of operating the Zest Assure platform and running our business. In practice this means:

  • creating and administering customer accounts, workspaces and user profiles;
  • storing and organising the compliance evidence, review records and training records that customers upload or generate within their workspaces;
  • enabling collaboration between customers and their external assessors;
  • producing audit-ready exports at a customer's request;
  • providing support, billing and service communications; and
  • maintaining the security, reliability and improvement of the platform itself.

All processing is carried out lawfully, fairly and transparently, and only where a valid lawful basis applies. Further detail on lawful bases and data subject rights is set out in our GDPR Policy, and our use of cookies is described in our Cookies Policy.

Roles and responsibilities

Our role depends on the data in question:

  • Controller. For the personal data we hold about our own prospects, customers' account contacts, suppliers and staff — and for data gathered through www.zestassure.com — Juicy Media Ltd decides why and how the data is processed and acts as controller.
  • Processor. For personal data contained in the content our customers place in their compliance workspaces — such as names in evidence documents, review comments or training records — the customer remains the controller. We process that data only on the customer's documented instructions and never for our own purposes.

Senior management owns this policy and is accountable for data protection across the business. Every member of staff who touches personal data is responsible for handling it in line with this policy and the procedures that sit beneath it.

Compliance with the data protection principles

We design our services and internal processes around the seven principles of the UK GDPR:

  1. Lawfulness, fairness and transparency — we identify a lawful basis before processing begins and explain our processing in plain language.
  2. Purpose limitation — personal data is collected for specified, explicit purposes and is not reused in ways incompatible with them.
  3. Data minimisation — we collect only what the platform and our business genuinely need to function.
  4. Accuracy — we keep records up to date and correct or erase inaccurate data without delay.
  5. Storage limitation — data is retained only as long as necessary for its purpose or to meet legal obligations, after which it is securely deleted.
  6. Integrity and confidentiality — appropriate technical and organisational measures protect data against unauthorised access, loss and damage.
  7. Accountability — we document our processing, maintain records and can demonstrate compliance with each of the principles above.

Data security

Security controls on the Zest Assure platform are operated under our ISO 27001 certified information security management system and include:

  • Hardened infrastructure — the platform runs on Cloudflare's global infrastructure, benefiting from its network-level protections;
  • Encryption — data is encrypted in transit and at rest;
  • Role-based access control — users see only the workspaces and records their role permits;
  • Tenant isolation — each customer's workspace and data are logically separated from every other customer's;
  • Audit logging — key actions within the platform are recorded, supporting both our customers' audit trails and our own;
  • Staff training — our people complete regular data protection and information security training, and internal access to customer data is restricted to those who need it to do their jobs.

These controls are tested through regular internal audits and the external assessments required to maintain our ISO 27001 certification.

Right to access and control

Individuals whose personal data we control may exercise the following rights by contacting [email protected]:

  • the right to access the personal data we hold about them;
  • the right to have inaccurate data corrected;
  • the right to erasure or to restrict processing, where the law allows;
  • the right to object to processing, including for direct marketing; and
  • the right to receive their data in a structured, commonly used, machine-readable format.

Where we act as processor, we will pass any request received directly from a data subject to the relevant customer and assist that customer in responding.

Breach reporting

We maintain a documented incident response procedure. Any suspected personal data breach must be escalated internally to senior management as soon as it is discovered, so that it can be contained, assessed and recorded. Where a breach is likely to result in a risk to individuals' rights and freedoms, we will notify the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of it. Affected individuals — and, where we act as processor, the affected customer — will be informed without undue delay whenever the law requires it. Every incident, reportable or not, is logged and reviewed to prevent recurrence.

Legal compliance and governing law

This policy, and our processing of personal data, are governed by the UK GDPR, the Data Protection Act 2018 and the laws of England & Wales. Any dispute arising in connection with this policy falls under the exclusive jurisdiction of the courts of England & Wales.

Review and improvements

This policy is reviewed at least annually, and sooner if the law, our services or our processing activities change. Reviews are carried out through the same ISO 9001 and ISO 27001 management system processes that govern the rest of the business, so lessons from audits, incidents and customer feedback feed directly into improvements to how we protect personal data.