Xoxoday Plum identifies and measures AI-related risks across four domains—data security, use-case validation, bias and fairness, and human oversight—reviewed periodically by InfoSec and Product leadership teams.
Xoxoday Plum takes a structured, risk-aware approach to AI that spans four domains: data security and privacy, use-case validation, bias and fairness, and human oversight. These areas are assessed on a recurring basis by Xoxoday’s InfoSec and Product leadership teams to ensure ongoing alignment with responsible AI practices.

Data Security and Privacy

Xoxoday Plum does not share personally identifiable information (PII) with external AI providers. When AI-powered features surface within integrations—such as reward recommendations delivered through Slack or Microsoft Teams—the underlying calls to OpenAI’s API contain only anonymized, contextually scoped inputs. Employee names, email addresses, and HR records remain within Xoxoday Plum’s own environment and are never transmitted to third-party AI systems.

Narrow, Well-Defined Use Cases

Xoxoday Plum applies AI exclusively to bounded functions: recommendation engines that surface relevant rewards, catalog optimization, and automated response generation for support queries. These use cases do not involve autonomous decision-making or critical operations. For organizations running Xoxoday Plum alongside HRIS platforms such as Workday, SAP SuccessFactors, or Darwinbox, AI features operate only within reward and recognition workflows—they do not read from or write to core employee records.

Bias, Fairness, and Content Moderation

Xoxoday Plum conducts internal reviews to ensure AI-assisted outputs do not produce discriminatory or biased results. Content moderation principles govern all generated recommendations. Use cases that could inadvertently create unfair outcomes—such as filtering rewards by demographic criteria—are explicitly excluded from Xoxoday Plum’s AI scope.

Human Oversight on Every AI Output

No AI output within Xoxoday Plum acts autonomously. Suggestions, reward recommendations, and generated content are always surfaced as inputs for human review rather than executed automatically. This applies whether users access Xoxoday Plum through the web application, a Slack workspace, or an embedded widget in Microsoft Teams.

Foundation Model Dependency and Policy Alignment

Xoxoday Plum relies on OpenAI’s foundational models through API integration rather than training or operating proprietary large language models. Risk identification and containment practices are reviewed against OpenAI’s published usage policies and safety documentation. Xoxoday Plum’s broader security program—certified under ISO 27001 and SOC 2 Type II—extends to AI-related controls, ensuring that AI risk management is integrated into the organization’s overall information security framework rather than treated as a separate discipline.

Learn more: Xoxoday Plum Help Centre — AI policy

How does Xoxoday Plum handle PII and data privacy?

Learn how Xoxoday Plum classifies, stores, and protects personally identifiable information across integrations with Workday, SAP SuccessFactors, and Darwinbox.

Is Xoxoday Plum ISO 27001 and SOC 2 certified?

Xoxoday Plum holds ISO 27001 and SOC 2 Type II certifications. See what controls are in scope and how to request audit documentation.