Does Empuls conduct penetration testing and security... - Xoxoday

Empuls undergoes annual independent vulnerability assessment and penetration testing (VAPT) conducted by a third-party security firm; the February 2024 assessment identified 28 issues, all 27 high-severity vulnerabilities were fully remediated, and an all-clear certificate was issued by the testing firm.

Xoxoday Empuls treats security as a continuous operational commitment rather than a periodic checkbox. Vulnerability assessments and penetration tests are performed annually by an independent third-party security firm, evaluating both application and infrastructure layers for exploitable weaknesses. This cadence is designed to keep the security posture of Empuls aligned with enterprise expectations and established frameworks such as ISO 27001 and SOC 2 Type II. February 2024 VAPT Results The most recent assessment, completed in February 2024, identified a total of 28 issues. Of those, 27 were classified as High severity. All 27 high-severity vulnerabilities were remediated within the defined remediation window. Following closure of those findings, the independent testing firm issued an all-clear certificate confirming no open high-severity issues remained. The single remaining finding carried a lower severity classification and was addressed through the standard security change management process. Xoxoday management reviewed each finding individually, assigned clear ownership, and tracked resolution through to confirmed closure before the all-clear certificate was granted. This governance approach ensures that VAPT outputs drive action rather than accumulate in a backlog. 2025 VAPT in Progress Empuls is currently conducting its 2025 VAPT cycle, with the final report tentatively expected in April 2025. As with prior cycles, findings will be triaged by severity and high-severity issues will be remediated before the engagement is closed. Customers who need the updated report for RFP responses or vendor security reviews can request it through their Empuls account team once the report is finalized. Relevance for Enterprise Integrations Enterprise customers regularly connect Empuls to systems such as Workday, SAP SuccessFactors, and Darwinbox for HRIS synchronization, and to communication tools like Slack and Microsoft Teams for recognition workflows. The annual VAPT scope covers the API endpoints and integration surfaces used in these connections, so security teams can be confident that data flows between Empuls and connected systems are tested under the same rigor as the core application. This is particularly relevant for procurement teams performing due diligence under SOC 2 Type II or ISO 27001 vendor assessment requirements. Requesting VAPT Documentation Xoxoday does not publish full penetration test reports publicly. Executive summaries and the all-clear certificate are available to enterprise customers and prospects under NDA as part of a formal security documentation request. Customers can initiate this request through their account manager or via the security documentation process outlined in the Empuls Help Centre. Learn more: Empuls Help Centre — Security Information and Documentation Request

Security Certifications and Compliance Standards

Review the ISO 27001, SOC 2 Type II, and GDPR compliance certifications that Empuls maintains and what they cover.

Data Encryption and Storage Security

Learn how Empuls encrypts employee and organizational data at rest and in transit across all environments.