ZopDev Legal Appendices
Effective Date: 30 September 2025
These appendices accompany and are incorporated into the ZopDev Master Terms (Core Terms). Unless stated otherwise, these appendices are governed by the same law and dispute resolution provisions as the Core Terms and use Bengaluru, Karnataka as the arbitration seat and venue.
1) Data Processing Addendum (India‑First, Global‑Ready)
1.1 Purpose & Parties
This DPA governs how ZopDev Technology Private Limited ("ZopDev", "we", "us") Processes Personal Data on behalf of Customer when providing the Services under the Subscription Agreement.
1.2 Key Definitions
Applicable Data Protection Laws: all privacy/data‑protection laws that apply to the Processing of Personal Data in connection with the Services, including India’s Digital Personal Data Protection Act, 2023 (DPDP) and implementing rules, and any other laws that apply by virtue of Customer’s locations, data subjects, or usage.
Controller / Data Fiduciary: the party that determines the purposes and means of Processing Personal Data (here, Customer).
Processor / Data Processor: the party that Processes Personal Data on behalf of the Controller (here, ZopDev and its Sub‑processors).
Personal Data: any data about an identified or identifiable individual that is Processed by ZopDev on Customer’s behalf.
Processing / Process: any operation performed on Personal Data, including collecting, recording, storing, using, disclosing, transferring, deleting, or otherwise handling.
Sub‑processor: a third party engaged by ZopDev to Process Personal Data on ZopDev’s behalf.
Security Incident: an unauthorized or unlawful access to, or loss, alteration, or disclosure of, Personal Data Processed by ZopDev that compromises its confidentiality, integrity, or availability.
1.3 Roles & Instructions
Customer is Controller/Data Fiduciary; ZopDev is Processor/Data Processor.
ZopDev will Process Personal Data solely on documented instructions from Customer, including via the Services’ configuration and APIs, except where required by law.
If ZopDev believes an instruction violates Applicable Laws, it will promptly inform Customer.
1.4 Nature, Purpose, and Duration
Nature/Purpose: to provide, maintain, secure, and support the Services (including hosting, storage, transmission, display, backup, logging, and troubleshooting).
Duration: for the Subscription Term and any post‑termination period required to return/delete data.
1.5 Confidentiality and Security
ZopDev ensures that authorized personnel are bound by confidentiality obligations and receive appropriate privacy/security training.
ZopDev maintains administrative, technical, and physical safeguards appropriate to the risk, as summarized in Appendix 4 — Security Practices and any product documentation. ZopDev will not materially reduce the overall security of the Services during a Subscription Term.
Certifications & Control Frameworks. ZopDev maintains SOC 2 Type II and ISO/IEC 27001 certifications for in‑scope systems supporting the Services. Independent auditors assess controls at least annually (SOC 2) and per the ISO 27001 certification cycle (annual surveillance with triennial recertification). Upon reasonable request and under NDA, ZopDev will provide the current SOC 2 Type II report (or summary), ISO 27001 certificate and scope statement, and the Statement of Applicability (or summary).
Scope Changes & Notice. If certification scope materially changes or a certification lapses, ZopDev will update its Security page and, where Customer is materially impacted, provide timely notice along with any compensating controls.
1.6 Sub‑processors
Customer authorizes ZopDev to appoint Sub‑processors. ZopDev will maintain a public list of current Sub‑processors at /legal/subprocessors and provide advance notice of new Sub‑processors.
ZopDev will enter into written terms with each Sub‑processor that provide materially no less protection than this DPA, and ZopDev remains responsible for their performance.
1.7 Cross‑Border Transfers
ZopDev may Process Personal Data in India and other jurisdictions where it or its Sub‑processors operate.
ZopDev will implement appropriate contractual, technical, and organizational safeguards required by Applicable Laws for cross‑border transfers (for example, encryption in transit/at rest, access controls, data minimization).
Customer instructs ZopDev to transfer Personal Data as necessary to provide the Services, subject to these safeguards and any Customer regionalization settings or written instructions.
1.8 Assistance & Data Subject Rights
Taking into account the nature of Processing, ZopDev will assist Customer with reasonable technical and organizational measures to fulfill individuals’ rights requests (access, correction, erasure, portability, objection/consent management) as required by Applicable Laws. If ZopDev receives a request directly, it will forward it to Customer without undue delay.
1.9 Government & Third‑Party Requests
Unless prohibited by law, ZopDev will notify Customer of any legally binding request for disclosure of Personal Data. ZopDev will challenge unlawful or overbroad requests where reasonable.
1.10 Security Incidents
ZopDev will notify Customer without undue delay after becoming aware of a Security Incident involving Personal Data, provide information reasonably available for Customer to meet its obligations, and take reasonable steps to contain and remediate the incident.
1.11 Return & Deletion
At termination/expiry, Customer may export Personal Data via the Services. Upon Customer’s written request within 30 days, ZopDev will return available Personal Data in a reasonable format and then delete it from active systems, subject to legal holds and routine backups (which are later overwritten per retention schedules).
1.12 Audits
ZopDev will make available information demonstrating compliance (e.g., security summaries or independent assessment reports). Audit rights are primarily satisfied by third‑party audits. On reasonable notice and under NDA, ZopDev will provide:
the current SOC 2 Type II report (or executive summary),
the ISO/IEC 27001 certificate and scope statement, and the Statement of Applicability (or summary), and
executive summaries of recent third‑party penetration tests.
If, after reviewing these materials, Customer reasonably determines they are insufficient to meet a non‑delegable regulatory obligation, Customer may request an on‑site audit once per year (unless mandated by a regulator or following a Security Incident) upon 30 days’ notice, during business hours, subject to confidentiality and reasonable cost‑recovery. The parties will agree in advance on scope, duration, and personnel.
1.13 Precedence
In case of conflict between this DPA and other documents, this DPA controls for Processing of Personal Data.
2) Support Policy (IST‑Aware)
2.1 Channels
Portal/Email: support.zopdev.com / support@zopdev.com
Phone/Chat: available on Premium & Enterprise plans.
2.2 Coverage Hours (Indian Standard Time by default)
Standard: 9×6 (Mon–Fri, regional public holidays excluded)
Premium: 24×7 for Severity 1–2; 8×5 for Severity 3–4
Enterprise: 24×7 for all severities, prioritized queue
2.3 Severity Definitions
Sev‑1 (Service Down): Production‑level outage or complete unavailability with no workaround.
Sev‑2 (Critical Impact): Major feature or performance degradation causing significant business impact; limited workaround exists.
Sev‑3 (Degraded): Functionality impaired; business impact moderate; workable workaround available.
Sev‑4 (Minor/How‑to): Minor defect, cosmetic issue, or guidance request.
2.4 Target Response & Work Continuity
Severity | Standard – Initial Response | Premium/Enterprise – Initial Response | Work Continuity |
Sev‑1 | 4 hours | 1 hour | 24×7 until workaround/resolution |
Sev‑2 | 6 hours | 2 hours | Continuous during business hours; 24×7 on Premium/Enterprise |
Sev‑3 | 1 business day | 4 hours | Business hours until resolved |
Sev‑4 | 2 business days | 8 hours | Business hours |
Note: Targets are service goals, not guarantees. Credits (if any) are governed by the Service Level Agreement in the Order.
2.5 Customer Responsibilities
Provide named technical contacts; timely logs/diagnostics; reproducible steps; and secure access to impacted environments where necessary.
2.6 Maintenance & Status
Scheduled maintenance windows will be announced in advance (typically ≥48 hours) on the status page; times are published in IST with local‑time equivalents.
Status page provides real‑time updates on availability/incidents.
Maintenance windows and force‑majeure events are excluded from uptime calculations.
2.7 Exclusions
Support excludes issues caused by: Customer environment or third‑party platforms; use outside scope or AUP; beta/preview features (best‑effort only); professional services or training unless purchased.
2.8 Control Alignment & Evidence
Operational processes for incident management, change management, access control, vulnerability management, and business continuity align to controls required by SOC 2 and ISO/IEC 27001. Upon reasonable request and under NDA, ZopDev will provide evidence summaries (e.g., policy excerpts, process diagrams, control mappings) sufficient for Customer assurance.
3) Service‑Specific Terms — ZopNight (Cost Optimization)
3.1 What ZopNight Does
ZopNight automates scheduling/pausing of idle or non‑production cloud resources across supported providers to reduce waste. The Customer selects target resources and defines schedules and guardrails.
3.2 Customer Permissions & Controls
Grant least‑privilege cloud roles/permissions as documented.
Review/approve the list of resources subject to scheduling; use allow/deny lists.
Configure business‑hours, weekend, and holiday schedules; enable ad‑hoc Snooze/Override from UI/CLI/alerts.
Use Production Protection: tag‑based or policy‑based exclusion to prevent shutdown of critical resources.
Maintain backups and validate that schedules do not affect production/SLA‑bound workloads.
3.3 Savings & Disclaimers
ZopDev provides estimates and reports; no guarantee of specific savings or detection of all idle resources. Actual savings vary by Customer usage and provider pricing.
ZopDev is not responsible for provider outages, API limits, pricing changes, or third‑party actions.
3.4 Data & Logging
ZopNight processes configuration metadata (resource IDs, tags, schedules), operational logs, and events necessary to execute schedules and provide audit trails. Action logs are retained per Security Practices.
3.5 High‑Risk Use
Do not use ZopNight to control life‑critical or safety‑of‑life systems. For regulated/mission‑critical workloads, Customer must implement additional safeguards and change‑control.
3.6 Beta/Preview
Preview features are provided as‑is, outside SLA, and may change or be withdrawn.
3.7 Changes
ZopDev may update ZopNight to maintain compatibility with provider APIs and to improve safety/performance. Material functionality reductions will be communicated in advance where reasonably practicable.
4) Security Practices (Public Page Copy)
4.1 Governance & Ownership
Security program owned by a designated security lead; reviewed at least annually.
Policies cover access control, acceptable use, asset management, change management, incident response, vendor risk, and secure development.
4.2 Data Classification & Handling
Data classified (e.g., Confidential, Internal, Public).
Encryption: data in transit via TLS; data at rest with strong encryption; keys managed securely with rotation and separation of duties.
Secrets management: hardware‑ or service‑backed KMS; no plaintext secrets in code repos.
4.3 Identity & Access Management
Least‑privilege, role‑based access; MFA for privileged access; SSO (SAML/OIDC) available on eligible plans.
SCIM or just‑in‑time provisioning supported where available.
Comprehensive audit logs for administrative actions.
4.4 Network & Infrastructure Security
Segmented networks; firewalls/security groups; IDS/IPS and DDoS protections.
Hardened baselines for hosts/containers; patch management with defined SLAs.
Dependency and image scanning; SBOM tracking for critical components.
Infrastructure‑as‑Code with peer review and change approvals.
4.5 Secure SDLC
Threat modeling for major features; code reviews; automated SAST/DAST; supply‑chain controls; dependency update cadence.
Regular third‑party penetration tests; remediation tracked to closure.
4.6 Monitoring, Logging & Detection
Centralized, tamper‑evident logs for infra/app/security events; alerting with on‑call rotations.
Security analytics for anomaly detection; retention consistent with legal and operational requirements.
4.7 Business Continuity & Disaster Recovery
Documented DR plans with defined RTO/RPO targets; replicated backups; periodic restore tests.
Status page with incident communications and post‑mortems for major incidents.
4.8 Vendor & Sub‑processor Management
Security reviews for new vendors; DP/contractual controls; least‑privilege access; continuous monitoring where feasible.
Public Sub‑processor list with change notifications.
4.9 Customer‑Facing Security Features
SSO, MFA enforcement, IP allow‑listing, role‑based permissions, audit logs, API keys with rotation, regional controls where available.
Responsible Disclosure policy and security contact: security@zopdev.com.
4.10 Certifications & Independent Assessments
ZopDev maintains SOC 2 Type II and ISO 27001 certifications for in‑scope environments supporting the Services. Certifications are renewed and maintained per the relevant standard’s cadence (annual SOC 2 audit period; ISO 27001 annual surveillance with triennial recertification).
Scope & Boundaries. Each certification has defined system boundaries and in‑scope services. The Security page describes scope at a high level; detailed scope statements are available under NDA.
Evidence Access. Under NDA and upon reasonable request, ZopDev will provide (i) SOC 2 Type II report (or executive summary), (ii) ISO 27001 certificate and Statement of Applicability (or summary), and (iii) executive summaries of recent penetration tests.
Changes & Notifications. Material changes to scope or lapses will be reflected on the Security page and, where materially impacting Customers, communicated with proposed compensating controls.
5) AI & Automation Terms
5.1 Inputs, Outputs & Ownership
Customer is responsible for prompts, data, and other AI Inputs and for reviewing AI Outputs before relying on them.
Subject to the Agreement, Customer owns AI Outputs generated from its Inputs; ZopDev retains all rights to underlying models and Services.
5.2 Non‑Determinism & Human Oversight
AI features may produce variable Outputs; Customer must apply human judgment, testing, and change‑management before production use.
5.3 Restricted Content & Sensitive Data
Do not use AI features for unlawful, harmful, deceptive, or discriminatory content.
Do not submit highly sensitive personal or regulated data unless the product explicitly supports it and you have a lawful basis.
5.4 Safety & Abuse Prevention
ZopDev may throttle, filter, or block Inputs/Outputs to protect the Service and others; repeated violations may result in suspension under the AUP.
5.5 Improvements & Telemetry
ZopDev may use de-identified, aggregated telemetry to improve model performance and safety.
ZopDev does not use Customer Data to train foundation models for unrelated products without explicit consent.
6) Sign‑Up Footer (Short‑Form Notice)
By continuing, you agree to the Terms and Privacy Policy. If your organization has a signed Subscription Agreement with ZopDev, that agreement governs in case of conflict.
For organization accounts, administrators may control access and data associated with your account. If you are under 18, you may use the Services only with consent and supervision of a parent or legal guardian who accepts the Terms on your behalf.