Xoxoday Empuls encrypts all data in transit using HTTPS with TLS 1.3 and all data at rest using AES-256 encryption, with client-specific keys managed through AWS Key Management Service (KMS) and AWS Secrets Manager.

Encryption in Transit

Xoxoday Empuls secures all data exchanged between users and its servers using HTTPS with TLS 1.3. TLS 1.3 is the latest iteration of the Transport Layer Security protocol and represents the current industry standard for protecting network communication. Every request — whether an employee submitting a peer recognition, a manager approving a reward, or an HR administrator viewing engagement analytics — travels over an encrypted channel that prevents interception or tampering.

Encryption at Rest

Data stored within Xoxoday Empuls is protected using AES-256 encryption, the same standard adopted by financial institutions and government agencies globally. Each organisation’s data is protected using client-specific encryption keys, ensuring that the encryption applied to your organisation’s environment is uniquely scoped and isolated from other tenants.

Key Management via AWS

Xoxoday Empuls manages encryption keys through AWS Key Management Service (KMS) and AWS Secrets Manager — two purpose-built AWS services that provide centralised control, automated rotation, and a full audit trail for cryptographic keys. Keys are never stored in application code or configuration files. They remain in a hardened, access-controlled vault that logs every key operation, supporting the kind of auditability required under ISO 27001 and SOC 2 Type II. Access to encryption keys is restricted to senior engineering leadership, applying the principle of least privilege to one of the most sensitive assets in the system. This limits exposure and reduces the risk of unauthorised access, even from within the organisation.

What This Means in Practice

When your organisation integrates Xoxoday Empuls with HRIS platforms such as Workday, SAP SuccessFactors, or Darwinbox, employee data exchanged during synchronisation — department hierarchies, role information, and cost centre assignments — is protected by TLS 1.3 in transit and AES-256 at rest. Recognition notifications delivered through Slack or Microsoft Teams flow through these same encrypted channels, ensuring that reward programme details are never exposed in plaintext at any point in the delivery chain.

Enterprise-Grade Encryption Posture

Together, these controls form a layered encryption architecture that meets the expectations of enterprise IT and security teams conducting vendor risk assessments. Xoxoday Empuls’s encryption design supports your organisation’s compliance obligations and demonstrates a commitment to handling employee data with the highest levels of care — both during movement across networks and during storage at rest.

Learn more: Empuls Help Centre — Data
