Xoxoday Loyalife encrypts all external integrations end-to-end using TLS 1.2 or higher, authenticates API access through signed API keys and OAuth or SSO/SAML flows, and stores secrets in secure vaults with on-demand rotation support.
Encryption in Transit
Xoxoday Loyalife exposes its REST APIs exclusively over HTTPS, enforcing TLS 1.2 as a minimum and supporting TLS 1.3 where the connecting system allows it. Every byte of data exchanged between Xoxoday Loyalife and your HRMS, CRM, or finance system travels through an encrypted channel. No fallback to unencrypted HTTP is permitted at any integration endpoint. When your organisation connects Workday or SAP SuccessFactors to Xoxoday Loyalife for employee data sync, the connection operates entirely over TLS — protecting employee identifiers, point balances, and programme eligibility data from interception in transit.
Authentication and API Security
Every API request to Xoxoday Loyalife requires authentication. Xoxoday Loyalife supports signed API keys and tokens for server-to-server integrations, and OAuth 2.0 or SSO/SAML for user-facing application flows. This layered authentication model ensures that only authorised systems and identities can initiate or consume integration data. For integrations with HRIS platforms such as Darwinbox, or communication tools like Microsoft Teams and Slack, Xoxoday Loyalife applies the appropriate authentication mechanism for each system — OAuth where federated identity is required, and signed key authentication for direct API access.
Secret Management and Rotation
Secrets — including API keys, tokens, and credentials — are never transmitted in clear text. Xoxoday Loyalife stores all secrets in secure vaults with strict access controls, ensuring that credentials remain isolated from application code and configuration files. Administrators can rotate API keys on demand without service interruption, limiting the impact of any accidental exposure. This approach aligns with the secret management requirements outlined in ISO 27001 and SOC 2 Type II frameworks, both of which Xoxoday Loyalife maintains as part of its compliance posture.
Additional Integration Controls
Beyond encryption and authentication, Xoxoday Loyalife applies rate limiting to prevent abuse and supports IP allow-listing for organisations that require network-level access controls. Every integration action — authentication attempts, data exchanges, and configuration changes — is captured in detailed audit logs. These logs are available to administrators and support forensic review, compliance audits, and incident response workflows. Together, these controls ensure that integrations with PMS, CRM, finance, and other partner systems remain secure, auditable, and production-grade from day one.
Learn more: Xoxoday Loyalife Help Centre — Security & Compliance
What compliance certifications does Loyalife hold?
Learn about Xoxoday Loyalife’s ISO 27001, SOC 2 Type II, and GDPR compliance posture and what they mean for your data.
How does Loyalife handle data encryption at rest?
Understand how Xoxoday Loyalife encrypts stored data, including participant records, reward catalogues, and transaction histories.