Xoxoday Plum enforces layered access controls spanning role-based identity management, network perimeter protection, secure API integration, and continuous audit logging to govern all system access end-to-end.
Identity and access management
Xoxoday Plum implements authentication and authorisation as core platform services, ensuring every user is verified before accessing any administrative or operational function. Role-based access control (RBAC) maps users to predefined roles—such as operations, finance, reporting, and super admin—so each person accesses only what their job requires. This least-privilege model limits the impact of any compromised credential. Multi-admin management lets organisations delegate administration across teams without losing centralised control. A central HR operations team can manage global programme settings while regional managers in individual markets handle their own reward budgets—each operating strictly within their permitted scope.
Approval workflows and maker–checker controls
Sensitive actions within Xoxoday Plum require structured approval before they take effect. Maker–checker controls enforce a separation of duties: one user initiates an action—for instance, a bulk reward disbursement—and a second authorised user must approve it before execution. This prevents unilateral changes and significantly reduces both operational error and fraud risk.
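The two controls described above (role-based least privilege and maker–checker separation of duties) are easy to get subtly wrong, so here is an added, self-contained model of how they fit together. This is illustrative code written for this page, not Xoxoday Plum's implementation; the role names, permission strings, user names and amounts are all assumed. The key property it enforces is that the user who creates a disbursement can never be the one who approves it, even when their role carries the approve permission, and that every allowed and denied action leaves an audit record.

```python
"""Added example: RBAC plus maker-checker approval with an audit trail.
Not Xoxoday Plum's code; roles, permissions and sample users are assumed."""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed role-to-permission mapping (least privilege: each role only
# gets the permissions its job needs).
PERMISSIONS: Dict[str, set] = {
    "operations": {"disbursement.create"},
    "finance": {"disbursement.create", "disbursement.approve"},
    "reporting": {"report.view"},
    "super_admin": {"disbursement.create", "disbursement.approve",
                    "report.view", "settings.edit"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass
class Disbursement:
    id: int
    amount: int
    maker: str                      # user who initiated the action
    checker: Optional[str] = None   # second user who approved it
    status: str = "pending"


class PermissionDenied(Exception):
    """Caller's role lacks the required permission."""


class SeparationOfDutiesViolation(Exception):
    """Maker attempted to act as checker on their own action."""


class RewardPlatform:
    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self.disbursements: Dict[int, Disbursement] = {}
        self.audit_log: List[dict] = []

    def _audit(self, user: User, action: str, detail: str) -> None:
        # Every key action, allowed or denied, produces an audit entry.
        self.audit_log.append({"user": user.name, "role": user.role,
                               "action": action, "detail": detail})

    def _require(self, user: User, perm: str) -> None:
        if perm not in PERMISSIONS.get(user.role, set()):
            self._audit(user, "denied", perm)
            raise PermissionDenied(f"{user.name} ({user.role}) lacks {perm}")

    def create_disbursement(self, user: User, amount: int) -> Disbursement:
        self._require(user, "disbursement.create")
        d = Disbursement(next(self._ids), amount, maker=user.name)
        self.disbursements[d.id] = d
        self._audit(user, "disbursement.create", f"id={d.id} amount={amount}")
        return d

    def approve_disbursement(self, user: User, dis_id: int) -> Disbursement:
        self._require(user, "disbursement.approve")
        d = self.disbursements[dis_id]
        if d.status != "pending":
            raise ValueError(f"disbursement {dis_id} is already {d.status}")
        # Maker-checker: the checker must be a different person than the maker,
        # regardless of whether their role holds the approve permission.
        if d.maker == user.name:
            self._audit(user, "sod_violation", f"id={dis_id}")
            raise SeparationOfDutiesViolation(
                f"{user.name} cannot approve their own disbursement {dis_id}")
        d.checker, d.status = user.name, "approved"
        self._audit(user, "disbursement.approve", f"id={dis_id}")
        return d


def demo() -> dict:
    """Exercise the controls with constructed users and return the outcomes."""
    platform = RewardPlatform()
    ops, fin, rep = (User("asha", "operations"), User("ravi", "finance"),
                     User("lee", "reporting"))
    results = {}
    pending = platform.create_disbursement(ops, 5000)
    try:                                   # reporting role has no create right
        platform.create_disbursement(rep, 100)
        results["reporting_create"] = "allowed"
    except PermissionDenied:
        results["reporting_create"] = "denied"
    own = platform.create_disbursement(fin, 2000)
    try:                                   # finance may approve, but not its own
        platform.approve_disbursement(fin, own.id)
        results["self_approve"] = "allowed"
    except SeparationOfDutiesViolation:
        results["self_approve"] = "blocked"
    results["approved_status"] = platform.approve_disbursement(fin, pending.id).status
    results["audit_entries"] = len(platform.audit_log)
    return results


if __name__ == "__main__":
    print(demo())
```

The separation-of-duties check is deliberately independent of the permission check: a single finance user holds both create and approve rights, yet still cannot complete a disbursement alone. In a production system the audit entries would also carry timestamps and a request identifier, and would be shipped to central storage rather than held in memory.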
API and integration security
Xoxoday Plum supports OAuth-based API authentication for all system-to-system integrations, including connections with enterprise HRMS platforms such as Workday, SAP SuccessFactors, and Darwinbox. All external API traffic is transmitted over HTTPS with enforced TLS encryption. For organisations that require a dedicated data channel, site-to-site VPN tunnels are available, and SFTP is supported for secure file-based data exchanges. IP allow-listing is applied to sensitive admin and integration endpoints, restricting access to trusted network ranges and preventing any exposure to the public internet.
Network perimeter and infrastructure protection
Xoxoday Plum deploys a Web Application Firewall (WAF) with bot detection at the network edge to filter malicious traffic before it reaches application services. A multi-layer network architecture separates public-facing services, application services, and data layers into segregated zones, limiting lateral movement in the event of a single-layer compromise.
Monitoring, audit logging, and alerting
Real-time application performance monitoring (APM) with on-call escalation ensures infrastructure events are caught and triaged immediately. Every key action within Xoxoday Plum generates an audit log entry, and log data is retained and centralised to support forensic review, compliance audits aligned with ISO 27001 and SOC 2 Type II requirements, and day-to-day operational investigation. Security monitoring controls on host infrastructure detect malware and suspicious activity on a continuous basis.