Xoxoday Loyalife secures all API keys with encryption at rest and in transit, and is hosted on a compliance-certified cloud infrastructure that meets ISO 27001 and SOC 2 Type II requirements.
Security Architecture Built for Enterprise
Xoxoday Loyalife is designed from the ground up to meet the security and compliance expectations of large enterprises. Every integration credential, API key, and authentication token issued within the platform is encrypted using industry-standard protocols, ensuring that sensitive data never travels or rests in plaintext. When IT teams connect Xoxoday Loyalife to systems like Workday, SAP SuccessFactors, or Darwinbox, the API keys exchanged during those integrations are stored in an encrypted vault and are never exposed in logs or UI surfaces accessible to end users.
Compliant Cloud Hosting
Xoxoday Loyalife is hosted on enterprise-grade cloud infrastructure that holds ISO 27001 certification for information security management and SOC 2 Type II attestation for security, availability, and confidentiality. These certifications are independently audited on a regular cycle, giving IT and procurement teams verifiable evidence rather than self-reported assurances. This matters for organizations in regulated industries — finance, healthcare, and retail — where vendor hosting compliance is a mandatory procurement checkpoint. Xoxoday Loyalife’s hosting posture satisfies those requirements out of the box, reducing the due-diligence burden on internal security teams.
Key Management in Practice
When an administrator configures a webhook to push loyalty events into Slack or Microsoft Teams, Xoxoday Loyalife generates a signing secret that is shown only once at creation time. Subsequent access requires re-generating the key through an authenticated admin session, following the principle of least exposure. Role-based access controls determine which administrators can view, rotate, or revoke integration keys. This means a project manager configuring a rewards catalog cannot inadvertently access the API credentials used by the engineering team for a Workday sync.
What This Means for Your Security Review
For organizations running a vendor security review, Xoxoday Loyalife provides documentation covering data residency, encryption standards, key rotation policies, and audit log availability. These artifacts align with the evidence packages typically required by InfoSec teams during procurement, reducing back-and-forth between vendor and buyer. Xoxoday Loyalife supports single sign-on via SAML 2.0, which means authentication for platform administrators can be centrally governed through your existing identity provider — no separate credential sprawl to manage.
Learn more: Xoxoday Loyalife Help Centre — General
SSO and Identity Provider Setup
Configure SAML 2.0 single sign-on to centralize authentication for Loyalife administrators through your existing identity provider.
Data Privacy and Residency
Understand where Loyalife stores employee and rewards data, and how data residency options support regional compliance requirements.