Xoxoday Loyalife undergoes annual Vulnerability Assessment and Penetration Testing (VAPT), with zero Critical and zero High severity vulnerabilities currently open across the platform.
Annual VAPT as Standard Practice
Xoxoday Loyalife conducts VAPT on an annual basis and additionally whenever a significant change or risk trigger warrants an out-of-cycle assessment. This cadence is consistent with the continuous monitoring expectations built into ISO 27001 and the security review requirements embedded in SOC 2 Type II audit cycles. Testing is performed by qualified, independent third-party assessors to ensure objectivity and rigour.
Module-Level Testing Schedule
Xoxoday Loyalife carries out assessments at the individual module level rather than treating the platform as a single undifferentiated surface. The Loyalife Backend Management System (LBMS) completed its most recent VAPT in April 2025. The Plum module last completed a full assessment in September 2024, and its current-year testing cycle is actively in progress. This module-level approach is especially relevant in enterprise environments. When Xoxoday Loyalife integrates with HR platforms such as Darwinbox, SAP SuccessFactors, or Workday, or connects to collaboration tools like Slack or Microsoft Teams, each integration point introduces a distinct data flow. Dedicated per-module assessments ensure that every component of the platform, and not only its external perimeter, is independently validated.
Current Vulnerability Posture
As of the most recently completed assessments, there are zero Critical and zero High severity vulnerabilities open across Xoxoday Loyalife. All findings identified during testing cycles are tracked to closure before results are shared with enterprise customers or referenced in security documentation. Your organisation can treat the published posture as an accurate reflection of the platform in production, not a snapshot of an older, unpatched state.
What This Means for Your Vendor Review
Enterprise security teams completing third-party risk assessments, internal procurement reviews, or compliance audits can request the VAPT report summary, including scope, methodology, findings, and remediation evidence, through your account team. Reports are provided under a standard NDA as part of Xoxoday Loyalife’s enterprise security package. Organisations that embed vendor security testing requirements into their procurement policies — for instance, requiring evidence of annual penetration testing for any SaaS platform that processes employee or rewards data — will find that Xoxoday Loyalife meets that threshold across both its core modules.
Learn more: Xoxoday Loyalife Help Centre — General
Data Encryption Standards
How Xoxoday Loyalife encrypts data at rest and in transit across all platform modules.
SOC 2 Type II Compliance
Details on Xoxoday Loyalife’s SOC 2 Type II audit scope, controls, and report availability.
ISO 27001 Certification
Xoxoday Loyalife’s ISO 27001 certification scope and what it covers for enterprise customers.
GDPR and Data Privacy Controls
How Xoxoday Loyalife handles personal data, consent, and cross-border data transfers under GDPR.