Xoxoday Loyalife maintains a documented Patch Management Policy that defines SLAs for patch identification, risk-based prioritisation, staged testing, and production deployment across all platform infrastructure.
Patch & Version Management at Xoxoday Loyalife
Enterprise procurement and security teams routinely ask whether a SaaS vendor follows a structured approach to software patching—and for good reason. Unmanaged or delayed patches are among the most common vectors for security incidents in cloud-hosted environments. Xoxoday Loyalife addresses this with a formal, auditable Patch Management Policy that covers every layer of the stack. The policy defines clear remediation timelines tied to severity classifications. Critical vulnerabilities—those carrying a CVSS score of 9.0 or above—are routed into an emergency patching track on an accelerated schedule. High-severity findings are addressed within a defined SLA window, while medium and low-severity patches follow a scheduled release cadence. This tiered approach ensures that routine updates never accumulate into compounding exposure.How the Patching Lifecycle Works
Xoxoday Loyalife’s process begins with continuous vulnerability scanning across operating systems, application dependencies, container images, and third-party libraries. Identified vulnerabilities are assessed by the security engineering team, assigned a severity rating aligned with industry scoring frameworks, and routed into the appropriate remediation track. Before any patch reaches the production environment, it passes through a staged testing pipeline. This safeguard ensures that a security fix does not introduce regressions in core loyalty programme workflows—such as points accrual engines, reward catalogue integrations, or SSO flows connected to enterprise HR systems like Workday, SAP SuccessFactors, and Darwinbox. Only patches that clear staging validation are promoted to production. Each release is version-controlled, linked to the triggering vulnerability or change request, and subject to post-deployment verification. This creates an auditable trail that satisfies the documentation requirements expected under frameworks such as ISO 27001 and SOC 2 Type II.SLAs and Escalation Paths
The Patch Management Policy specifies response SLAs at each severity tier, with defined accountability at both the engineering and security leadership levels. Progress against open vulnerabilities is tracked through internal tooling, and formal escalation paths are documented for scenarios where a patch cannot be deployed within the standard window due to dependency or compatibility constraints. This prevents SLA breaches from going unacknowledged. For organisations conducting formal vendor due diligence, Xoxoday Loyalife provides the Patch Management Policy document as part of the security review process. The document details the full workflow, severity classification definitions, SLA thresholds by tier, and the roles responsible for each remediation stage.Continuous Policy Review
Xoxoday Loyalife reviews and updates the Patch Management Policy on a defined cycle to reflect changes in the threat landscape, infrastructure architecture, and compliance requirements. This living-document approach ensures the policy remains enforceable and current—not a point-in-time artefact that drifts out of alignment with actual practice. Learn more: [Xoxoday Loyalife Help Centre — General](Data Security & Encryption Standards
Understand how Xoxoday Loyalife protects data at rest and in transit across its cloud infrastructure.
SOC 2 & ISO 27001 Compliance Certifications
Learn about the third-party audits and certifications that validate Xoxoday Loyalife’s security posture.