Xoxoday Plum processes Protected Health Information (PHI) in full compliance with HIPAA, incorporating AES-256 encryption, role-based access controls, comprehensive audit logging, and a Business Associate Agreement (BAA) for healthcare-sector clients.
HIPAA-aligned infrastructure
Xoxoday Plum’s cloud infrastructure is hosted in data centres certified to ISO 27001 and SOC 2 Type II, which provides the physical and network security baseline. PHI is encrypted at rest with AES-256 and in transit with TLS, so the data is protected both in storage and while moving between your systems and the platform. Encryption alone does not decide who may read the data; that is the job of the access controls described next.
Access control and identity verification
Access to PHI within Xoxoday Plum is governed by role-based access control (RBAC), which limits data visibility to the personnel whose role requires it. Multi-factor authentication (MFA) adds a second identity check, so a leaked or phished password on its own is not enough to gain access. These controls apply consistently across administrative consoles and API-level integrations, including connections to HR systems such as Workday, SAP SuccessFactors, and Darwinbox.
Audit logging and incident response
Every interaction with PHI in Xoxoday Plum is logged, covering system access, data queries, and administrative actions. This audit trail supports accountability, internal investigations, and regulatory review. In the event of a suspected breach, Xoxoday Plum follows documented incident response procedures aligned with HIPAA’s Breach Notification Rule, covering identification, containment, and the timely notification obligations that rule imposes.
Multi-tenant data segregation
Xoxoday Plum operates a multi-tenant architecture with logical separation between client environments. PHI belonging to your organisation is isolated from every other tenant, so one client’s healthcare data cannot be reached from another client’s environment. This design aligns with the access and integrity controls expected under HIPAA’s Security Rule.
Business Associate Agreement (BAA)
For organisations in the healthcare sector, Xoxoday Plum makes a Business Associate Agreement (BAA) available. A BAA sets out the contractual obligations both parties must meet so that PHI is handled in accordance with HIPAA. Clients using Xoxoday Plum for programmes that involve PHI, such as clinical research participation rewards or patient incentive schemes, can request a BAA as part of the contracting process; the agreement should be in place before any PHI is loaded into the platform, because HIPAA requires it before PHI is disclosed to a business associate. Xoxoday Plum’s compliance posture covers the three HIPAA rules that govern a business associate’s handling of PHI: the Privacy Rule, the Security Rule, and the Breach Notification Rule, giving your organisation confidence that sensitive healthcare data is managed with the same rigour applied to financial and identity data across the product. Learn more: Xoxoday Plum Help Centre — General.