Xoxoday Loyalife performs Vulnerability Assessments (VA) and Penetration Tests (PT) at least annually, and Static and Dynamic Application Security Testing (SAST and DAST) at least quarterly, all governed by its Information Security Management System (ISMS) and formal Secure SDLC procedures.
Vulnerability Assessment (VA)
Xoxoday Loyalife conducts Vulnerability Assessments at least once per year across both application and infrastructure layers. Automated and manual scanning covers application components, APIs, servers, databases, and network devices to surface missing patches, misconfigurations, and known CVEs. Every finding is risk-rated and logged in the internal tracking system, with remediation verified through re-testing before a finding is marked closed.
Penetration Testing (PT)
Penetration Testing runs alongside VA as a combined VAPT engagement, also at a minimum annual cadence. Qualified security engineers — or approved third-party testers — perform manual, scenario-based exploitation attempts on production-equivalent environments. These simulations cover network-level, API-level, and application-level attack vectors, including authentication bypass, privilege escalation, injection, and broken access control. Additional PT exercises are triggered after major architectural changes where the risk assessment warrants it.
Static Application Security Testing (SAST)
SAST is integrated directly into the development pipeline and runs at least once every quarter on active codebases, with additional scans triggered for major feature releases. Automated analysis of source code and build artefacts detects insecure coding patterns before deployment — including injection risks, insecure cryptography, hard-coded secrets, and error-handling gaps. Critical and high-severity findings must be resolved or formally risk-accepted before code is promoted to a higher environment.
Dynamic Application Security Testing (DAST)
DAST runs at least quarterly on running test and UAT environments, and ahead of significant releases prior to go-live. Black-box testing of live web, mobile, and API surfaces identifies runtime issues such as authentication weaknesses, session handling flaws, XSS, CSRF, input-validation gaps, and insecure redirects. Xoxoday Loyalife correlates DAST findings with SAST and VA results to prioritize remediation across the full risk picture.
How It All Ties Together
All testing is performed in non-production or controlled production-equivalent environments — never directly on live production systems. Results feed into risk registers with defined owners and timelines, ensuring security findings drive accountable, traceable corrective action across each release cycle. For enterprise procurement teams evaluating Xoxoday Loyalife against vendor security questionnaires — for example, as part of an SAP SuccessFactors or Workday integration review — these cadences are documented in the platform’s ISMS-backed security policies and available upon request under NDA.