Xoxoday Plum maintains a comprehensive suite of cybersecurity policies—including VAPT, Access Control, Business Continuity, Data Backup, Data Retention, Data Recovery, Password Management, Risk Management, and Vulnerability Management—to protect organisational data and ensure platform reliability.
Xoxoday Plum takes a structured, policy-driven approach to information security. Each policy is formally documented, reviewed on a defined cycle, and aligned to international frameworks including ISO 27001 and SOC 2 Type II. This ensures security practices remain consistently enforced and auditable across all product environments.

Vulnerability Assessment and Testing

Xoxoday Plum conducts regular Vulnerability Assessment and Penetration Testing (VAPT) across its infrastructure and application layers. The Vulnerability Management Policy defines how identified risks are triaged, assigned severity ratings, and remediated within agreed SLAs. These controls ensure weaknesses are surfaced and addressed before they can be exploited in production.

Access Control and Credential Security

The Access Control Policy governs who can access Xoxoday Plum systems and under what conditions, enforcing least-privilege principles across both administrative and end-user roles. The Password Management Policy sets standards for credential complexity, rotation frequency, and secure storage. For organisations integrating Xoxoday Plum with identity providers such as Workday or SAP SuccessFactors, these policies align directly with enterprise access management requirements.

Business Continuity and Data Resilience

Xoxoday Plum’s Business Continuity Policy defines the procedures that keep the platform operational during disruptive events. The Data Backup Policy and Data Recovery Policy together specify how data is replicated, stored, and restored—supporting the recovery time and recovery point objectives that enterprise customers require. Organisations running rewards programmes through integrations with Darwinbox or SAP SuccessFactors can rely on these controls to maintain programme continuity during infrastructure incidents.

Data Retention and Risk Governance

The Data Retention Policy specifies how long different categories of data are kept and the processes by which data is securely deleted or anonymised at end of life. This limits unnecessary data exposure and supports compliance with regional data protection regulations. The Risk Management Policy underpins all of the above, providing a consistent framework for identifying, assessing, and treating security risks across the organisation—ensuring that risk posture can be clearly communicated to internal security teams and external auditors alike.

Taken together, these nine policies give security-conscious organisations a clear, auditable picture of how Xoxoday Plum protects data, maintains availability, and manages risk at every layer of the product.

Learn more: Xoxoday Plum Help Centre — General

Does Xoxoday Plum hold ISO 27001 or SOC 2 certification?

Learn about the third-party audits and compliance certifications that validate Xoxoday Plum’s security controls.

How does Xoxoday Plum handle data privacy and GDPR compliance?

Understand how Xoxoday Plum processes, stores, and protects personal data in line with global privacy regulations.

How is access control managed for admin users in Xoxoday Plum?

Explore role-based access controls, permission tiers, and how admin access is provisioned and revoked.

What is Xoxoday Plum's data retention and deletion policy?

Find out how long Xoxoday Plum retains different data categories and what happens when retention periods expire.