Xoxoday Plum holds ISO 27001 and SOC 2 Type II certifications and is GDPR-, HIPAA-, and CCPA-compliant, supported by annual third-party VAPT, real-time WAF protection, and 99.99% uptime on Active-Active HA infrastructure.
Xoxoday Plum meets the data protection and IT security standards that enterprise HR, legal, and procurement teams require from a third-party rewards and incentives vendor. Independent, accredited certifications cover information security management, data privacy, and operational resilience.

Third-Party Certifications

Xoxoday Plum holds ISO 27001 certification for its information security management systems, confirming that controls are structured, audited, and subject to continuous improvement. Alongside this, Xoxoday Plum has completed a SOC 2 Type II audit — a critical distinction from Type I, since Type II verifies that security, availability, and confidentiality controls operated consistently over an extended observation period. For organisations integrating reward workflows with platforms like Workday or SAP SuccessFactors, SOC 2 Type II is typically a mandatory vendor requirement. For data privacy, Xoxoday Plum is GDPR-compliant for organisations operating in or serving employees within the European Union. It is CCPA-compliant for California-based users and HIPAA-ready for programmes that include health-related incentives — such as wellness rewards distributed through HRIS platforms like Darwinbox. These certifications apply to Xoxoday Plum’s core infrastructure and data handling practices, not just contractual commitments.

Infrastructure and Operational Security

Xoxoday Plum runs on an Active-Active High Availability infrastructure that delivers 99.99% uptime, ensuring that reward campaigns, milestone recognitions, and real-time notifications through integrations like Slack and Microsoft Teams are never disrupted by a single point of failure. Backup and disaster recovery systems are tested annually, with a Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of under 60 minutes — a concrete SLA your IT and business continuity teams can include in vendor assessments. Xoxoday Plum conducts annual Vulnerability Assessment and Penetration Testing (VAPT) performed by accredited third parties. Real-time bot detection and Web Application Firewall (WAF) filtering defend against automated threats and injection attacks at the network edge before they reach application or data layers.

What This Means for Enterprise Procurement

When your organisation’s security team issues an RFP or vendor security questionnaire, certifications such as ISO 27001 and SOC 2 Type II are typically pass/fail criteria. Xoxoday Plum’s documentation package addresses these requirements directly, reducing the additional evidence-gathering rounds that slower or less-certified vendors typically require. Privacy compliance under GDPR, HIPAA, and CCPA also means Xoxoday Plum can be deployed across geographically distributed workforces without requiring separate regional data-handling agreements for most standard configurations. Security and compliance artefacts — including audit reports, certification documents, and VAPT summaries — are available to enterprise customers upon request.

Learn more: Xoxoday Plum Help Centre — Data, Policy & Privacy

How does Xoxoday Plum handle GDPR data requests?

Learn how Xoxoday Plum processes data subject access, deletion, and portability requests in line with GDPR obligations.

Does Xoxoday Plum support SSO and role-based access controls?

Xoxoday Plum supports SAML 2.0 SSO and granular role-based permissions to meet enterprise access management requirements.