Compliance & buyer-geography requirements.
Everything your legal, procurement, and risk teams need to confirm that Zedtreeo can serve buyers in your jurisdiction. We anchor on real certifications and honest case-by-case framework alignment — no aspirational claims.
TL;DR for procurement teams.
What buyer-side legal teams typically ask, and where Zedtreeo currently stands. For specific contractual frameworks (DPA · SCCs · BAA) contact hr@legelp.com.
| Buyer requirement | Zedtreeo's position | Evidence / next step |
|---|---|---|
| ● ISO 27001 | Certified to the 2022 revision. Newer than the still-common 2013 revision used by many peers. | Cert SCC/2509LU/2933 · valid 2025-09-03 → 2028-09-02 |
| ● GDPR (EU + UK) | Aligned data-processing practices. DPA + Standard Contractual Clauses (SCCs) reviewed case-by-case. | Privacy Policy · contact hr@legelp.com for DPA discussion |
| ● HIPAA (US healthcare) | Restricted-access workflows for PHI-adjacent work. BAA reviewed case-by-case based on scope. | Contact hr@legelp.com to discuss BAA scope |
| ● Australian Privacy Act 1988 | Australian Privacy Principles (APP)-aligned data handling. Notifiable Data Breaches scheme awareness. | Privacy Policy · contact hr@legelp.com for jurisdictional restrictions |
| ● CCPA / CPRA (California) | Privacy Policy covers consumer rights. Global Privacy Control (Sec-GPC) honored sitewide on first request. | See Privacy Policy |
● Green = currently certified · ● Yellow = framework alignment, case-by-case contractual review
ISO/IEC 27001:2022 — current revision.
Certificate
SCC/2509LU/2933
Issued 03 September 2025 · Valid through 02 September 2028 · Issuer: QFS Management Systems LLP (SCC/IAF-accredited)
Certified entity
LegelpTech Outsourcing Pvt Ltd
Zedtreeo's operating company. Issues all client contracts globally. CIN U82990DL2025PTC446352. Full entity disclosure on /legal-compliance.
Scope
Information security applied to staff augmentation services — recruitment, onboarding, deployment, and management of technical and non-technical personnel for client projects.
Where your buyers are. Where we stand.
Five buyer jurisdictions we currently serve, with the specific compliance posture each one requires.
United States
US presence: Legelp Services LLC, Cheyenne WY. US buyers benefit from same-time-zone management touchpoints and US-day contract administration.
- HIPAA-adjacent: restricted-access workflows for PHI; BAA review is case-by-case based on actual scope.
- California: CCPA/CPRA covered via the Privacy Policy. Global Privacy Control (Sec-GPC) honored sitewide on the first request.
- Sector-specific: financial-services workflows align with confidentiality requirements; specific framework compliance reviewed case-by-case.
- Tax: US clients invoiced via the contracting operating entity. W-8BEN/W-8BEN-E provided on request.
United Kingdom
UK GDPR + Data Protection Act 2018 alignment. ICO disclosure principles applied to data subject requests.
- Data Processing Agreement (DPA) reviewed and signed case-by-case.
- International Data Transfer Agreement (IDTA) or UK-specific SCC addendum reviewed on request.
- Financial services: confidentiality and access controls aligned with FCA expectations for outsourced operations.
- Notifiable breach response: documented internal incident-response process — contact hr@legelp.com for full disclosure.
European Union
GDPR-aligned data-processing practices. Standard Contractual Clauses (SCCs) for international transfers reviewed case-by-case.
- DPA aligned with Article 28 GDPR processor obligations.
- EU-US Data Privacy Framework awareness: sub-processors evaluated against adequacy decisions where applicable.
- Right-to-erasure and data portability commitments enforced through documented retention controls.
- Sub-processor list available under NDA — contact hr@legelp.com.
Australia
Australian Privacy Act 1988 alignment with the 13 Australian Privacy Principles (APPs).
- Cross-border data transfer to India operations governed by APP 8 — disclosure provided to data subjects via Privacy Policy.
- Notifiable Data Breaches scheme: documented internal escalation policy. Breach SLA reviewed in contract.
- AUSTRAC-adjacent: where work touches financial-crime workflows, additional access controls applied case-by-case.
Canada
PIPEDA alignment for federally regulated work. Provincial laws (Quebec Law 25, Alberta PIPA, BC PIPA) addressed contract-by-contract.
- Quebec Law 25: cross-border transfer assessment provided to data subjects on request.
- Sub-processor visibility provided under NDA.
- OPC-aligned breach notification commitments documented in DPA.
What your team will ask before signing.
Where is data stored and processed?
Day-to-day operations run from our India delivery center (Grow More Hitech Solutions Pvt. Ltd., operations partner) under LegelpTech Outsourcing Pvt Ltd's ISO 27001:2022 controls. Specific data residency requirements (e.g., EU-only storage) are reviewed case-by-case during contract scoping.
Do you sub-process? Where?
Operations are run via LegelpTech Outsourcing Pvt Ltd's certified workflows plus our operations partner Grow More Hitech Solutions Pvt. Ltd. A full sub-processor list is available under NDA — contact hr@legelp.com.
Can we restrict our work to staff in specific jurisdictions?
Yes — staff and engagement scoping can be restricted in the contract. Common asks include EU-only data access, US-citizen-only staff for ITAR-adjacent work, and India-located but India-citizen-only requirements. Discuss specific restrictions before contract signing.
What is your breach notification SLA?
Internal escalation begins within hours of detection per ISO 27001:2022 controls. Notification SLAs to specific clients are codified in the DPA and reviewed in contract.
BYOD policy — can staff work from personal devices?
BYOD is not the default. Default workflows use managed devices with documented access controls per the ISO 27001:2022 scope. BYOD exceptions for specific roles are reviewed case-by-case with the client.
Can we audit your operations?
Right-to-audit clauses are reviewed case-by-case. ISO 27001:2022 certification audits are performed annually by QFS Management Systems LLP (SCC/IAF-accredited); we provide audit reports under NDA.
How are sessions recorded and retained?
Recording and retention policies are role- and contract-specific. Default retention follows ISO 27001:2022 documented controls; specific retention windows for client-facing sessions are negotiated in the contract.
Are you ISO 27001 certified?
Yes — LegelpTech Outsourcing Pvt Ltd (Zedtreeo's operating company) is certified to ISO/IEC 27001:2022 under certificate SCC/2509LU/2933, valid from 03 September 2025 through 02 September 2028. Scope: information security applied to staff augmentation services — recruitment, onboarding, deployment, and management of technical and non-technical personnel for client projects. Issued by QFS Management Systems LLP (SCC/IAF-accredited).
Can we run our own penetration test?
Yes — client-initiated penetration tests of contracted infrastructure are reviewed and approved case-by-case. Test windows and scope are agreed in writing.
What happens to data after contract ends?
Default end-of-contract data handling: documented deletion or return per the DPA. Specific retention exemptions (e.g., legal hold) are negotiated in the contract. Disposition certificates available on request.
How long is data retained during the engagement?
Retention follows the principle of minimization. Operational data is retained only as long as needed to deliver the contracted work. Specific retention windows are documented in the DPA per role and data category.
Who has access to client data?
Access is role-scoped and need-to-know. Documented in ISO 27001:2022 access control procedures. Specific named-personnel access can be specified by the client in contract scoping. Access logs are maintained per the controls scope.
Need a specific compliance document or framework discussion?
DPA · SCCs · BAA scoping · sub-processor list · ISO certificate copy · audit reports under NDA — all reviewed case-by-case. Send a one-paragraph email with your jurisdiction, framework, and urgency.
Email hr@legelp.com