Security Documentation
Security Measures Schedule
Technical, Organizational, Administrative, and Physical Safeguards applied by Zoiko Tech Inc. to protect Customer Data processed through the ZoikoTime platform.
This Schedule is a security-control commitment document. It should be read together with the Terms of Service, Data Processing Addendum, Privacy Notice, Acceptable Use Policy, and any applicable Order Form. Where an enterprise agreement contains security terms that expressly conflict with this Schedule, the enterprise agreement controls solely for that Customer and only to the extent of the conflict.
1. Purpose, Status, and Contractual Function
This Security Measures Schedule describes the baseline technical, organizational, administrative, and physical safeguards applied by Zoiko Tech Inc. in connection with the ZoikoTime platform. It is intended to support the Terms of Service, Data Processing Addendum, Privacy Notice, Acceptable Use Policy, Sub-processor Policy, Order Forms, and any applicable enterprise or procurement agreements.
This Schedule is drafted as a security-control commitment document. It does not replace a customer-specific security addendum, negotiated enterprise agreement, regulated-industry addendum, business associate agreement, public-sector terms, or mandatory legal requirement that expressly applies to a particular customer's deployment.
Where this Schedule uses the term Provider, it means Zoiko Tech Inc. as the provider of the ZoikoTime platform. ZoikoTime refers to the software platform, services, websites, administrative consoles, APIs, applications, support channels, and related systems provided by Zoiko Tech Inc. Zoiko Group Inc. is referenced as the wider group context only.
2. Scope of Covered Systems
This Schedule applies to the systems, services, and environments used to deliver, operate, secure, monitor, support, and improve ZoikoTime, including the following covered components:
- ZoikoTime production applications, web services, mobile or desktop components, APIs, and customer-facing administrative consoles
- Cloud infrastructure, databases, object storage, message queues, identity systems, observability tooling, support systems, deployment tooling, and controlled operational environments
- Customer Data, Customer Content, account data, worker-related operational records, audit logs, telemetry, configuration data, security logs, and support data processed through or in connection with ZoikoTime
- Personnel, contractors, and authorized service providers who have approved access to covered systems or confidential information in order to perform authorized services
This Schedule does not govern systems owned or controlled by the Customer, Customer-managed integrations, Customer devices, Customer networks, third-party services independently selected by the Customer, or unsupported configurations outside ZoikoTime's documented requirements.
3. Security Governance and Accountability
Zoiko Tech Inc. maintains an internal security governance framework designed to assign ownership for security risk, data protection, incident response, access control, vendor oversight, and change management. Security responsibilities are allocated across executive ownership, product leadership, engineering, operations, legal, privacy, and support functions.
Security policies are reviewed periodically and updated when required by material changes in law, technology, threat conditions, business operations, or ZoikoTime's architecture. Material exceptions to security controls require documented approval, risk assessment, remediation ownership, and time-bound review.
ZoikoTime's control environment is designed to support enterprise due diligence, security questionnaires, audit-readiness, and future alignment with recognized standards including SOC 2, ISO/IEC 27001, ISO/IEC 27701, NIST Cybersecurity Framework, and GDPR/UK GDPR Article 32 requirements.
4. Shared Responsibility Model
Security for ZoikoTime is a shared responsibility between Provider and Customer. Provider is responsible for controls within ZoikoTime's hosted service environment including application security, infrastructure security, encryption, logging, vulnerability management, incident response, and sub-processor oversight. Customer is responsible for lawful deployment, account administration, workforce notices, endpoint configuration, integration security, user access management, and internal compliance.
5. Identity, Authentication, and Access Management
Access to production systems is restricted to authorized personnel with a legitimate business need and is granted according to least-privilege principles. Administrative access is controlled through approved identity systems and is subject to authentication, authorization, logging, and periodic review.
Multi-factor authentication is required for privileged access to production administration systems where technically supported. Access rights are reviewed periodically and removed or modified when personnel change role, leave the organization, no longer require access, or no longer satisfy access requirements.
Shared administrative accounts are prohibited unless technically unavoidable and specifically approved with compensating controls such as vaulting, logging, and restricted use. Customer administrators are responsible for maintaining their own user access, role assignments, group permissions, and offboarding processes within their ZoikoTime workspace.
6. Encryption and Key Management
Provider uses encryption in transit for supported customer-facing and administrative connections using modern transport security protocols, including TLS 1.2 or higher where supported. Provider uses encryption at rest for production databases, storage services, backups, and supported data stores containing Customer Data.
Encryption keys are managed through controlled key-management processes designed to restrict key access, separate duties, rotate keys where appropriate, and prevent unauthorized disclosure. Secrets, tokens, and credentials used by ZoikoTime systems are stored in approved secret-management systems or protected configuration stores and are not intentionally stored in source code repositories.
Customer-managed integration credentials remain the Customer's responsibility where the Customer creates, stores, rotates, or controls those credentials.
7. Network, Infrastructure, and Environment Security
Production environments are logically separated from development, testing, and staging environments unless an approved controlled exception exists. Network access to production infrastructure is restricted using security groups, firewalls, identity controls, segmentation, private connectivity, or comparable cloud-native controls.
Administrative access paths are limited, monitored, and configured to reduce unnecessary exposure to public networks. Infrastructure is hardened using baseline configuration standards, supported operating systems, patch management, restricted services, and controlled administrative interfaces. Provider monitors cloud infrastructure, application availability, security alerts, and operational health using appropriate tooling and response procedures.
8. Application Security and Secure Development Lifecycle
ZoikoTime development follows a controlled software development lifecycle designed to reduce security defects before production release. Material code changes are subject to version control, review, testing, and controlled deployment procedures.
Security-relevant changes are reviewed for risks including authentication, authorization, data exposure, logging, input validation, cryptography, privacy, tenant isolation, and integration behaviour. Provider uses vulnerability detection methods that may include dependency scanning, static analysis, dynamic testing, manual review, penetration testing, and cloud security posture checks.
Production deployments are managed through approved release processes with rollback planning, monitoring, and post-deployment validation appropriate to the risk of the change. Application secrets are not intentionally embedded in client-side code or public repositories.
9. Logging, Monitoring, and Auditability
Provider maintains logs reasonably designed to support security monitoring, system integrity, incident investigation, access review, and operational troubleshooting. Logs may include authentication events, administrative actions, service activity, infrastructure events, error events, deployment events, security alerts, and data access events where supported.
Access to logs is restricted to authorized personnel and controlled according to business need, confidentiality, and retention requirements. ZoikoTime's workforce evidence features are designed to preserve integrity, traceability, and administrative accountability for relevant workforce records, subject to Customer configuration and applicable law.
10. Tenant Isolation and Customer Data Segregation
ZoikoTime is designed as a multi-tenant platform with logical separation between customer workspaces, accounts, roles, and Customer Data. Provider applies access-control logic, authorization checks, data-scoping controls, and testing practices designed to prevent one customer from accessing another customer's data.
Customer administrators may only access data within their authorized workspace and assigned roles, subject to platform configuration. Provider personnel access to Customer Data is restricted to authorized support, engineering, security, legal, compliance, billing, or operational purposes, and only when reasonably necessary.
11. Workforce Data and Monitoring-Specific Safeguards
Because ZoikoTime may process workforce-related data — including time, activity, screenshots where enabled, device events, operational telemetry, productivity signals, policy records, and audit evidence — Provider applies additional safeguards intended to support fair, transparent, accountable, and lawful deployment:
- Configurable controls: Customers configure monitoring, screenshot, retention, notification, role access, and reporting settings according to applicable law and internal policy
- Transparency support: ZoikoTime may provide worker-facing notices, data views, reports, or audit features where enabled in the relevant plan or agreement
- Role separation: Workforce data access should be limited to authorized administrators, managers, legal, HR, compliance, finance, or other approved roles with a legitimate business need
- Purpose limitation: Customers must not use ZoikoTime to conduct covert monitoring, unlawful surveillance, discriminatory employment practices, retaliation, or decisions prohibited by applicable law
- Biometric limitation: ZoikoTime does not require Customers to deploy biometric identification as a baseline condition of service. Any biometric feature must be expressly documented, legally assessed, and configured only where lawful
- AI safeguards: AI-generated or algorithmic insights are intended to support human review and operational analysis. Customers remain responsible for legally required human oversight, worker notices, impact assessments, and final employment-related decisions
12. Backup, Resilience, and Disaster Recovery
Provider maintains backup and recovery procedures designed to protect against accidental loss, corruption, unauthorized destruction, and service disruption affecting covered systems. Backups containing Customer Data are protected using access controls and encryption appropriate to the underlying storage environment.
Backup retention, restoration capability, recovery time objectives, and recovery point objectives may vary by system, plan, data type, and enterprise agreement. Provider periodically reviews recovery procedures and may conduct restoration testing or tabletop exercises according to operational risk and platform maturity.
Customer remains responsible for exporting or retaining copies of Customer Data where required for Customer's independent legal, HR, payroll, tax, employment, litigation, or audit obligations.
13. Security Incident Management and Notification
For a confirmed Customer Data Incident affecting Customer Data, Provider will notify the affected Customer without undue delay and, where required by the applicable DPA or law, within 24 hours of confirmation.
Provider maintains procedures for detecting, triaging, investigating, containing, remediating, and documenting security incidents. Notification will include, to the extent known and lawfully shareable: the nature of the incident, affected systems, categories and volume of affected data, likely consequences, and mitigation steps taken or proposed.
14. AI, Analytics, and Automated Insight Security
Provider applies governance controls to AI-enabled or analytics-enabled features according to sensitivity, data type, customer configuration, and intended use. AI-generated observations, risk signals, anomaly indicators, recommendations, or classifications are intended to support human assessment and should not be treated by Customer as a sole basis for employment, disciplinary, termination, compensation, promotion, legal, or similarly significant decisions.
Provider does not use Customer Data to train models for the benefit of other customers unless permitted by the applicable agreement, Customer instruction, or a legally compliant de-identified, aggregated, or anonymized process. Provider may use de-identified, aggregated, or telemetry-derived information to secure, operate, analyze, improve, and benchmark the platform, provided such use does not identify Customer, workers, or confidential Customer Data.
15. Customer Administrative Security Requirements
Customer must operate its ZoikoTime workspace in a secure, lawful, and administratively controlled manner. At minimum, Customer should:
- Use strong authentication and multi-factor authentication for administrators where available
- Maintain accurate user, worker, manager, and administrator records
- Remove or disable access promptly when a user leaves, changes role, no longer requires access, or becomes unauthorized
- Assign roles using least-privilege principles and avoid overbroad administrator access
- Protect API keys, SSO credentials, integration secrets, export files, payroll records, screenshot records, and workforce reports
- Train authorized users on lawful, respectful, and policy-compliant use of workforce monitoring, reporting, and audit functions
- Maintain appropriate worker notices, policies, lawful bases, consents, consultations, and records required by applicable law
- Notify Provider promptly of suspected compromise, unauthorized access, credential exposure, security vulnerability, or misuse of ZoikoTime
16. Prohibited Security Conduct
Customer and Users must not engage in any conduct that compromises or attempts to compromise ZoikoTime or related systems, including:
- Unauthorized access, probing, scanning, penetration testing, scraping, credential attacks, denial-of-service activity, malware activity, or exploitation of vulnerabilities without Provider's prior written authorization
- Bypassing authentication, authorization, rate limits, licensing controls, data boundaries, tenant isolation, worker privacy settings, or security controls
- Uploading malicious code, unlawful surveillance content, stolen data, credentials, secrets, or data that Customer is not authorized to process
- Using ZoikoTime to conduct unlawful employment monitoring, discriminatory profiling, retaliation, covert surveillance, harassment, intimidation, or unlawful decision-making
- Interfering with logging, audit records, evidence integrity, incident response, platform availability, or security monitoring
17. Material Control Limitations
No security program can guarantee absolute protection against all threats, vulnerabilities, attacks, human error, third-party failures, or unlawful activity.
Provider's security obligations apply to systems within Provider's control and do not extend to Customer-controlled devices, networks, user behavior, unlawful instructions, unsupported integrations, or third-party services independently selected by Customer.
Customer is responsible for determining whether ZoikoTime's security controls satisfy Customer's legal, regulatory, procurement, insurance, employment, union, works council, cybersecurity, and internal governance requirements.
Provider may modify controls to address changes in law, technology, security threats, platform architecture, or operational requirements, provided such modifications do not materially decrease the overall security of ZoikoTime during an active subscription term.
18. Review, Update, and Governance Cycle
This Schedule should be reviewed at least annually and when material changes occur to ZoikoTime's architecture, legal requirements, security program, data processing activities, or customer risk profile. Material updates may be published through ZoikoTime's website, customer portal, notice process, updated agreement, or other reasonable communication channel.
This Schedule should be read together with the Terms of Service, Data Processing Addendum, Privacy Notice, Acceptable Use Policy, Sub-processor list, and any applicable Order Form.
Appendices
Appendix A — Security Incident Severity Guide
Severity 1 — Critical: Complete production service unavailability or security breach with confirmed data impact. 24/7 response, initial acknowledgement within 30 minutes, customer notification within 24 hours of confirmation.
Severity 2 — High: Major service degradation affecting production payroll or compliance use. Business-hours response, initial acknowledgement within 2 hours, customer notification as scope becomes clear.
Severity 3 — Medium: Non-critical feature impairment, integration issue, or non-urgent compliance concern. Response within 8 business hours.
Severity 4 — Low: General questions, minor functionality issues, informational requests. Response within 1–3 business days.
Appendix B — Minimum Customer Security Checklist
- Enable MFA for administrators where available
- Use SSO/SAML/SCIM where available and appropriate for enterprise access management
- Maintain a current user roster and remove access promptly upon role change or termination
- Restrict administrator, legal hold, export, screenshot, payroll, and audit-report access to approved personnel only
- Review monitoring, screenshot, idle, anomaly, AI insight, and retention settings before deployment
- Issue worker notices and update employment, HR, IT, privacy, and acceptable-use policies before activation
- Complete required DPIAs, legitimate interest assessments, works council consultation, union consultation, or local legal review before deployment in regulated jurisdictions
- Secure endpoints and browsers used to access ZoikoTime and prohibit credential sharing
- Review third-party integrations and protect API keys or tokens
- Maintain independent backups or exports where required for payroll, tax, wage-and-hour, litigation, audit, or statutory obligations
Contact ZoikoTime
For questions about this document or your legal rights:
- Email: sales@zoikotime.com
- Tel: 1-631-833-9395
- Toll-free: 1-800-484-5574