Xoxoday Plum protects sensitive data using TLS 1.2 encryption in transit and AES-256 encryption at rest, with tenant-level encryption keys applied across its portal, APIs, and data storage layers.

Encryption in Transit

Xoxoday Plum secures all data moving between users and the platform using HTTPS with TLS 1.2. This applies to both the admin portal and the end-user rewards and redemption interface, ensuring that credentials, reward selections, and personal information are protected during every web and mobile session.

All platform APIs — including those used to connect Xoxoday Plum with enterprise systems such as Workday, SAP SuccessFactors, and Darwinbox — operate over TLS-encrypted HTTPS connections. OAuth-secured REST APIs govern authentication at the integration layer, ensuring that only authorised systems can exchange data with Xoxoday Plum.

For organisations that require additional transport security, Xoxoday Plum supports site-to-site VPN tunnels and SFTP for file-based data exchanges. These options are available alongside standard HTTPS and SSO-based integrations, giving your IT and security teams flexibility when designing the connection architecture.

Encryption at Rest

Sensitive customer and personally identifiable data stored within Xoxoday Plum is encrypted using AES-256, the same standard adopted by financial institutions and government systems worldwide. Encryption keys are maintained at the tenant level, meaning your organisation’s data is cryptographically isolated from other clients within the shared infrastructure. This architecture applies across the platform’s core storage layers, including databases and associated storage services that power the rewards catalogue, redemption history, and programme configuration data. Organisations operating under compliance frameworks such as ISO 27001 or SOC 2 Type II can reference this encryption design directly within vendor security assessments and risk registers.

Coverage Across Platform Components

Xoxoday Plum’s encryption posture spans three primary layers. The admin portal and end-user experience — accessible via web browser or mobile app — is protected by TLS-encrypted HTTPS throughout. The API and integration layer, which connects Xoxoday Plum with tools such as Slack, Microsoft Teams, and enterprise HR platforms, uses TLS over HTTPS with OAuth-based authentication and optional VPN or SFTP transport for environments that require it. At the data layer, AES-256 encryption at rest is applied to all sensitive data, with tenant-level keying providing logical separation between organisations.

Even within a multi-tenant model, your programme data, user records, and catalogue configurations remain cryptographically distinct from those of any other organisation on the platform. This layered approach is designed to reduce the burden on your internal security review process and support alignment with common regulatory requirements without requiring custom configuration from your side.

Learn more: Xoxoday Plum Help Centre — General
