Security Practices – ZopDev

Effective Date: 30 September 2025
Entity: ZopDev Technologies Pvt. Ltd. (“ZopDev”)

ZopDev maintains a comprehensive, independently assessed security and compliance program designed to safeguard customer data and ensure service reliability. The following sections summarize our core controls and governance principles.

1.1 Governance & Ownership

  • The security program is owned by a designated Security Lead and reviewed at least annually.

  • Policies cover all critical domains, including:

    • Access Control and Acceptable Use

    • Asset and Change Management

    • Incident Response and Business Continuity

    • Vendor Risk Management

    • Secure Development Lifecycle (SDLC) practices

1.2 Data Classification & Handling

  • All data is classified (e.g., Confidential, Internal, Public) and handled per defined handling standards.

  • Encryption:

    • Data in transit is protected using TLS.

    • Data at rest is encrypted using industry-standard algorithms.

    • Encryption keys are securely managed with separation of duties and regular rotation.

  • Secrets Management:

    • All secrets are managed through hardware- or service-backed Key Management Systems (KMS).

    • No plaintext credentials are stored in code repositories.
1.3 Identity & Access Management

  • Access follows least-privilege and role-based principles.

  • Multi-Factor Authentication (MFA) is mandatory for all privileged access.

  • Single Sign-On (SSO) via SAML or OIDC is available on eligible plans.

  • SCIM or just-in-time provisioning is supported where applicable.

  • Administrative and security actions are fully logged with comprehensive audit trails.

1.4 Network & Infrastructure Security

  • Segmented network architecture protected by firewalls, security groups, and DDoS / IDS / IPS controls.

  • All hosts and containers follow hardened baseline configurations.

  • Patch Management: vulnerabilities remediated within defined SLAs.

  • Dependency and Image Scanning: continuous scanning for vulnerabilities; SBOM tracking maintained for critical components.

  • Infrastructure-as-Code (IaC): all infrastructure changes undergo peer review and approval prior to deployment.

1.5 Secure Software Development Lifecycle (SDLC)

  • Threat modeling conducted for all major features.

  • Code reviews, static analysis (SAST), and dynamic analysis (DAST) are integrated into delivery pipelines.

  • Supply-chain security enforced through dependency management and update cadence.

  • Regular third-party penetration tests conducted; findings tracked to verified closure.

1.6 Monitoring, Logging & Detection

  • All infrastructure, application, and security logs are centralized and tamper-evident.

  • Automated alerting integrated with on-call rotations for real-time detection and response.

  • Security analytics and anomaly detection tools continuously monitor for unusual activity.

  • Log retention aligns with legal, contractual, and operational requirements.

1.7 Business Continuity & Disaster Recovery

  • Documented Disaster Recovery (DR) plans define RTO and RPO objectives.

  • Data backups are replicated, encrypted, and periodically restored to verify integrity.

  • ZopDev maintains a public Status Page providing incident communications and post-mortems for major events.

1.8 Vendor & Sub-processor Management

  • All new vendors undergo security and privacy reviews prior to engagement.

  • Data processing and confidentiality controls are enforced contractually.

  • Vendors receive least-privilege access and are subject to continuous risk monitoring.

  • A public Sub-processor List is maintained, with prior notification of any material changes.

1.9 Customer-Facing Security Features

ZopDev services include enterprise-grade security features such as:

  • SSO, MFA enforcement, and IP allow-listing

  • Role-based permissions and fine-grained audit logs

  • API keys with rotation and expiration support

  • Regional controls for data residency where applicable

  • Responsible Disclosure Policy and direct contact at security@zopdev.com

1.10 Certifications & Independent Assessments

  • ZopDev maintains SOC 2 Type II and ISO/IEC 27001 certifications for in-scope production environments.

  • Certifications are renewed and maintained per the applicable cadence:

    • SOC 2: annual audit period

    • ISO 27001: annual surveillance and triennial recertification

  • Scope & Boundaries:
    Each certification covers defined system components and services. A high-level summary is published on the Security page; detailed scope statements are available under NDA.

  • Evidence Access:
    Under NDA and upon reasonable request, ZopDev provides:

    • SOC 2 Type II report (or executive summary)

    • ISO 27001 certificate and Statement of Applicability (or summary)

    • Executive summaries of recent penetration tests

  • Changes & Notifications:
    Material scope changes, control lapses, or compensating measures will be reflected on this page and, where material, proactively communicated to affected customers.
Prepared by:
Talvinder Singh
— CEO & CMO, ZopDev Technologies Pvt. Ltd.
Date: 30 September 2025