DAST / Pentest Environment Requirement — Production vs Staging for Apps Pending Approval | Community
New Member
May 13, 2026
Question


Hi Zoom Marketplace team and community,

I'm preparing a Marketplace submission for our app and need clarification on the DAST documentation requirement, specifically around which environment the OWASP ZAP scan should be performed in.

Our situation:

Our app integrates with Zoom to join meetings for recording and transcription purposes. Since the app has not yet been approved by Zoom, the Zoom integration feature is currently only functional within our development Zoom account and has not been released to our production environment for general users. Running the ZAP scan against production would require us to release a feature that isn't yet approved.

My questions:

1. Does the DAST scan need to be performed against the production environment specifically, or is a staging/pre-production environment that closely mirrors production acceptable?
2. For apps in this pre-approval state, what is the recommended approach — scan a production-equivalent staging environment, or wait until some other milestone?
3. Are there any official guidelines or documentation pages that clarify the environment requirement? I've searched the developer docs and FAQ but couldn't find an explicit statement.

Action already taken:

I have also emailed marketplace.security@zoom.us directly with the same questions, since I understand environment-specific or app-specific guidance may not be answerable on the public forum. Posting here as well in case the community has faced a similar situation, or in case a Zoom representative can point us in the right direction while we wait for the security team's reply.

Any guidance, shared experiences, or pointers to official documentation would be greatly appreciated. Thank you!