Landing zone. Deploy pipeline. Audit trail. Built once, runs on AWS, GCP, and Azure. Your team gets push-to-deploy speed without the six-month internal-platform project.
Workloads run on your cloud. We never host them.
ZopDay is a control plane over the cloud account you already own. If you leave, the workloads stay where they are — standard Helm releases on your clusters.
AWS · GCP · AZURE
AWS Secrets Manager, Google Secret Manager, Azure Key Vault.
Sensitive values are masked in the UI and land in your cloud-native secret manager, never ours. ZopDay reads from them at deploy time.
SECRETS · YOUR VAULT
Your application traffic never hits our infra.
Helm rollouts, Live K8s view, audit events — everything ZopDay does is orchestration on your cluster. Application requests stay between your users and your services.
CONTROL PLANE · NOT A PROXY
Annually re-audited.
Independent third-party audit, end-to-end. Letter of attestation on request.
CERTIFIED · ANNUAL
India regulatory mapping, ready for review.
IRDAI Information & Cyber Security controls mapped end-to-end. DPDP Act 2023 DPA available on request — signed before kickoff.
IRDAI ICS · DPDP DPA
Empaneled across AWS, Azure, GCP, OCI.
India-resident data plane for regulated workloads. Sovereign providers buildable on customer contract.
MEITY · INDIA-RESIDENT
21.5k+ stars on GitHub.
ZopDay’s control plane is built on GoFr, the open-source Go framework created by our CTO. The same framework McAfee, FairPrice, and Fortune 500 retail teams run in production.
GOFR · APACHE 2.0
Provision, datastores, clusters, deployment spaces, projects, audit logs, all on the same surface.
Day 0 to landing zone. Every day to deploys. Every minute to live state.
Production-grade compute, datastores, networks. 30 minutes, every cloud. GKE · EKS · AKS via wizard. MySQL · Postgres · Redis with HA, backups, deletion protection. RBAC and secrets from minute zero. IRDAI controls applied by default.
Production-ready clusters in minutes.
Hardened K8s clusters across AWS, GCP, and Azure, RBAC, Network Policies, Pod Security Standards, observability, and autoscaler all wired in on provision. Day 1 looks like day 100.
EKS on AWS, GKE on GCP, AKS on Azure, one wizard, three clouds, identical hardening defaults. Region selectable per cluster; multi-region rollout from a single click. New VPC or bring your own. IRDAI controls applied by default for India workloads.
RBAC roles, Network Policies, Pod Security Standards, audit-log forwarding, log / metric pipes, all applied at provision time. The platform discipline survives day three, day thirty, day three hundred, because the controls were applied on day one, not bolted on later.
HPA and Cluster Autoscaler pre-configured. Define min and max once; cooldowns and target utilisation tune to the workload’s actual traffic shape rather than a textbook default. Integrates with ZopNight’s autoscaling engine downstream.
MySQL, Postgres, Redis, provisioned with HA, backups, and deletion protection from minute zero. The same hardening discipline that runs on the cluster runs on the datastore. Connection secrets land in the cluster's native secret store.
See datastore provisioning →ZopDay either stands up a fresh VPC with the right subnet topology, or wires into an existing one without your network team rewriting their plan. VPC peering, security-group hubs, subnet swimlanes, auto-derived from the cluster's actual placement.
See network setup →kubectl get nodes.The wizard hands off to a provisioning job that runs in parallel where the cloud allows it. Per-step pre-flight checks fire before any expensive call, credentials valid, region quota available, IAM permissions sufficient, so a failure surfaces in seconds rather than fifteen minutes in.
See the provisioning timeline →“12 AWS accounts. 48 Kubernetes clusters. Same wizard. Same hardening defaults. Same audit trail across every cluster.”McAfee, ZopDay deployment
Push code → production via Helm. No Dockerfile required, ZopDay auto-builds from your repo. Security scans on every build. DORA-grade visibility. One-click rollback. Sensitive env vars masked, stored in your cloud-native secret manager, never ours.
From git push to live, in minutes.
ZopDay watches your branches and ships through the strategy you pick, rolling, canary, or blue/green. Manifests, build, push, gate, rollback, all one pipeline. No Dockerfile required. Audit trail on every deploy.
Git push, branch deploy, webhook, or manual via UI / API, each trigger tied to an environment policy. Rolling for stable services. Canary (5% → 25% → 100%). Blue / green when an instant cutover matters more than gradual exposure. Switch strategy in the UI; ZopDay rewrites the Helm manifests beneath.
Each phase ends in a gate that checks pod health, the SLO contract registered with the service, and any custom probes. If the next phase would breach the SLO, the pipeline halts and reverts to the prior wave. PodDisruptionBudgets and configured maintenance windows are honoured.
ZopDay builds from the repo directly. The runner detects language, framework, and dependency graph from the repo structure, Node, Go, Python, Java first-class, and produces a hardened image with security scans complete before push to the registry. DORA-lite metrics emerge from your deploy history automatically.
ZopDay builds from the repo directly. Your team doesn't write a Dockerfile, doesn't maintain a build-pipeline YAML, doesn't tune cache layers. The runner detects language, framework, and dependency graph from the repo structure, Node, Go, Python, Java first-class.
See the build pipeline →Every build runs a known-CVE scan on the image layers, a license audit on the dependency graph, and an image signing step before push. Results land in the deploy log itself, not in a separate dashboard no one opens, and a configurable severity threshold can hard-block the deploy.
See the scanning policy →Every deploy is reversible from the UI that triggered it. The deploy history carries the commit, the strategy, every gate outcome, and the rollback target. DORA metrics calculate from that history automatically, deploy frequency, lead time, change-fail rate, MTTR, without anyone building a second dashboard.
See the deploy history →“Push to deploy on GKE. Three regions. SLO-gated. Manifests we never had to write. The audit trail closes the compliance loop without a separate runbook.”Aggregated outcome, ZopDay deployment pattern
K8s state, real-time, 21 resource pages with detail drawers across every connected cluster. Cluster reachability probed every 60 seconds; transient hiccups retry silently. If a cluster goes inactive, deleted, RBAC revoked, cert expired, Sync, Connect Datastore, and Install Component gate cleanly. Audit trail captures every change.
Cluster, live. Audited, every change.
Live K8s state across every connected cluster, with reachability probed continuously. The map keeps up. The audit trail keeps the receipts.
Pods, deployments, statefulsets, daemonsets, replicasets, jobs, configmaps, secrets, autoscalers, services, ingresses, endpoints, network policies, PVCs, PVs, storage classes, service accounts, CRDs, nodes, namespaces, events. Each surface ships a detail drawer with labels, annotations, conditions, and type-specific fields.
Cluster reachability is probed on open and on a 60-second interval. Transient network hiccups retry silently, so a single blip doesn’t disable the cluster page. When the probe consistently fails, the cluster moves to inactive and the dependent surfaces gate cleanly behind a clear status, not a cryptic SDK error.
Every change captures actor, action, timestamp, and request body. Forwardable to your SIEM. The audit log is the system of record, no quiet edits, no surprise diffs at the audit window. One credential, one platform layer, across AWS, GCP, and Azure.
Seven more features you’d otherwise build internally, each one validated against the changelogs from v1.1.1 forward.
Per-service inputs — not YAML.
Port, replicas, probes, CPU and memory limits, env vars with sensitive masking. Application → Environment → Service hierarchy: the Environment carries cluster, namespace, registry; services inherit. Clone an Environment (staging → production); every service copies forward with its config. Cascade teardown on delete.
INPUTS · NOT YAML
Two-mode network setup, no chart rewrite.
The Network tab on every service drawer offers two modes: Ingress (routed through your cluster's ingress controller, with optional cert-manager TLS) or LoadBalancer (a dedicated cloud load balancer). Saves a configs.expose patch and triggers a new Helm revision, no chart rewrite, no separate manifest.
INGRESS · LOADBALANCER · TLS
Imports stay identical to provisioned clusters.
Import an EKS, GKE (zonal or regional), or AKS cluster you already have. Components install consistently, datastore connections work, database provisioning runs the same way as on a ZopDay-provisioned cluster. The wizard rejects half-filled payloads up front, no clusters stuck in “waiting for credentials.”
EKS · GKE · AKS · END-TO-END
Tier, storage, scaling, backups, all in-place.
Update tier, storage, scaling, or backup retention on RDS, ElastiCache, EKS node groups, Cloud SQL, Memorystore, GKE node pools, Azure SQL, Azure Database for MySQL/Postgres, Azure Redis, AKS, directly from ZopDay. Each change runs as its own provisioning job with a pre-flight check that confirms the resource is alive before touching it.
TIER · STORAGE · BACKUPS · SCALING
Peering + routes + scoped ingress, automatic.
When a datastore lives in a different VPC than the cluster (same region), ZopDay auto-creates the peering, the reciprocal routes, and a narrow ingress rule on the datastore's security group, scoped to your cluster's CIDR and the engine port only. Cross-region rejected upfront.
PEERING · ROUTES · SCOPED INGRESS
Typed errors humanised end-to-end.
Typed-error wrapper flows the actual cause through to the UI: IamLimitExceeded, overlapping CIDR range, Ec2SubnetInvalidConfiguration, AsgInstanceLaunchFailures, InvalidStateTransition. No generic “operation failed” toast. Step labels humanised: “Setup VPC Peering,” “Wait for Peering,” “Inject Connection Secret” instead of raw snake_case.
TYPED · HUMANISED
Same framework McAfee, FairPrice, Fortune 500 run.
ZopDay is built on GoFr, the open-source Go framework, Apache 2.0 licensed, created by our CTO. The same framework McAfee, FairPrice, and Fortune 500 retail teams run in production. Your services build cleanly on it. So do ours. ★ Star GoFr on GitHub · 21.5k →
GOFR · APACHE 2.0
main · auto-deploy on push +30s 8080 · no Dockerfile required +60s helm upgrade --install · ingress + cert-manager TLS · rollout 1/1 ready +90s 
| Hosted PaaS Render, Railway, Heroku, fly.io | Internal Platform Backstage, Spinnaker, DIY | Raw K8s + Terraform DIY | ZopDay | |
|---|---|---|---|---|
| BYOC (your cloud, your bill) | - | ✓ | ✓ | ✓ |
| Push-to-deploy UX | ✓ | depends | - | ✓ |
| Hardened K8s, multi-cloud wizard | n/a | weeks | weeks | ✓ |
| Live K8s state + reachability | - | DIY | - | ✓ |
| Multi-cloud (AWS + GCP + Azure) | partial | DIY | DIY | ✓ |
| DORA-lite + audit baked in | partial | DIY | DIY | ✓ |
| India residency · IRDAI · DPDP | - | DIY | DIY | ✓ |
| Engineer-time to maintain | - | high | very high | low |
| Free | Team | Growth | Enterprise | |
|---|---|---|---|---|
| Connect + 1 service | Up to 10 services · 1 cloud | Up to 50 services · all 3 clouds | Unlimited + SLA | |
| Playground access | ✓ | ✓ | ✓ | ✓ |
| BYOC (AWS / GCP / Azure) | 1 cloud | 1 cloud | all 3 | all 3 |
| Push-to-deploy + auto-detect | ✓ | ✓ | ✓ | ✓ |
| Helm rollouts + rollback | ✓ | ✓ | ✓ | ✓ |
| Auto-DNS + cert-manager | ✓ | ✓ | ✓ | ✓ |
| Live K8s view (21 resource pages) | ✓ | ✓ | ✓ | ✓ |
| DORA-lite metrics | - | ✓ | ✓ | ✓ |
| Audit log | - | ✓ | ✓ | ✓ |
| Add Existing clusters | - | ✓ | ✓ | ✓ |
| In-place updates + cross-VPC peering | - | - | ✓ | ✓ |
| SAML SSO, RBAC | - | - | ✓ | ✓ |
| India residency / VPC deploy | - | - | - | ✓ |
| Support | community | business hours | priority | dedicated + SLA |
| Price | $0 | $299 / mo* | $999 / mo* | Custom |
| Connect a cloud → | Start trial → | Start trial → | Talk to platform sales → |
Predictable variance. Verified against your bill.
One platform. Three clouds. Four lifecycle stages.
Ship product, not platform overhead.
Cross-cloud inventory. CDCR auto-fix.
Read-only by default. Append-only audit.
ZopDay generates Helm charts; you keep your Terraform. The deploy pipeline runs against whatever infrastructure you already have. ZopDay’s value is the build (Railpack, no Dockerfile required), the rollout (Helm with diagnostics), the rollback (one-click, build skipped), and the live K8s view on top, not in owning your IaC.
No. ZopDay configures services through structured inputs, port, replicas, probes, CPU/memory, env vars, networking. The platform discipline (audit, secrets in the cloud-native secret manager, RBAC) is what survives an eject; your existing modules slot into that discipline.
Yes. Point a service at an existing chart in your repo, or use ZopDay’s generated chart as a starting point and fork it. The deploy pipeline runs either way. Generated charts ship with structured config; manually-authored charts get a one-time validation that the resource limits are declared.
Real-time across every connected cluster, 21 resource pages cover Pods, Deployments, StatefulSets, Services, Ingresses, Network Policies, and the rest. Cluster reachability is probed every 60 seconds; if a cluster goes inactive (deleted, RBAC revoked, cert expired), Sync, Connect Datastore, and Install Component gate cleanly. Transient network hiccups retry silently.
No. Trigger ZopDay deploys from any CI, GitHub Actions, GitLab CI, Jenkins, CircleCI. ZopDay handles the build (Railpack), the Helm rollout, the rollback. Your CI orchestrates whatever it already orchestrates; ZopDay slots in as the deploy surface.
They keep running. ZopDay is BYOC and a control plane, no data-path dependency, no proprietary runtime. The services run as standard Helm releases on your clusters, backed by IaC you own. Eject the ZopDay control plane and the workloads stay where they are.
Read-only by default, no write IAM at credential connect. Write access is scoped, opt-in, and tag-conditioned: enabled per environment, narrowed to the resource types you allow, fenced to the resources tagged eligible. Every write goes through the audit middleware (actor, action, timestamp, body) and lands in the append-only log. SAML SSO, RBAC, SOC 2 controls all on the Growth and Enterprise tiers.
ZopDay deploys to it. Kubernetes View runs it. Cross-cloud topology, live workload cost, drift detection, and the autoscaler decision stream — reconciled against your cluster API every 60 seconds.
See. Provision. Deploy. Audited.
Connect your first cloud account in under five minutes. See your first deploy live in under seven. No credit card required.
| Indie devs · MVP teams | Platform engineers · Scale-ups ◀ you are here | FinOps leads · CFOs · Enterprises |
|---|---|---|
| ZopCloud | ZopDay | ZopNight |
| We host. You push. | Your cloud. Our platform layer. | Continuous governance + cost optimisation. |
| → zopcloud.com | → zopday.dev | → zopnight.com |
No re-platform when you grow. No surprise bill when you scale. No drift when it’s running. Looking at the platform? → zop.dev