Xoxoday Plum supports enterprise-grade multi-factor authentication, role-based access control, and integration with external identity providers using SAML 2.0 and OAuth 2.0.

Identity and Access Controls on Xoxoday Plum

Xoxoday Plum is built for enterprise environments where identity governance, access control, and auditability are non-negotiable. Xoxoday Plum implements layered security controls—MFA, RBAC, and standards-based federation—so your organisation can enforce its own access policies without compromise.

Multi-Factor Authentication

Xoxoday Plum supports native MFA, and administrators can enforce it across all user accounts from the admin console. Privileged and administrator accounts are further protected by MFA controls that apply specifically to elevated access and administration activities. When single sign-on (SSO) is in use, your organisation can also enforce additional authentication factors at the identity provider (IdP) level. This means MFA policies defined in your corporate directory—whether that is Okta, Azure AD, or a similar enterprise IdP—apply consistently to Xoxoday Plum access without requiring separate configuration on the Plum side.

Role-Based Access Control

Xoxoday Plum implements RBAC through predefined role profiles aligned to the principles of least privilege and segregation of duties. Standard roles—such as platform administrator and end user—allow you to restrict access to sensitive functions like reward issuance, budget management, and reporting to only the team members who require it. Access profiles are centrally administered, making it straightforward to review and update permissions as your team structure changes. This directly supports common compliance requirements under frameworks such as ISO 27001 and SOC 2 Type II.
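The paragraph above describes predefined role profiles built on least privilege and segregation of duties. The following is an added illustration, not Xoxoday Plum's code and not a description of its internal role model: a minimal RBAC policy that uses the sensitive functions the page names (reward issuance, budget management, reporting), grants each role only what it needs, and flags segregation-of-duties conflicts for a periodic access review. The permission strings, the roles other than "platform administrator" and "end user", and the conflict rule are assumptions made for this example.

```python
"""Added example (not Xoxoday Plum's code): a minimal RBAC model enforcing
least privilege and flagging segregation-of-duties (SoD) conflicts.

Permission names, the extra roles and the SoD rule are assumptions for this
example; only the functions (reward issuance, budget management, reporting)
and the "platform administrator" / "end user" roles come from the page.
"""
from dataclasses import dataclass, field

# Permission vocabulary (assumed for this example).
ISSUE_REWARDS = "rewards:issue"
MANAGE_BUDGET = "budget:manage"
VIEW_REPORTS = "reports:view"
REDEEM_REWARDS = "rewards:redeem"
MANAGE_USERS = "users:manage"

# Predefined role profiles. Each role grants only what that job needs;
# note that the administrator profile manages users but cannot issue rewards.
ROLE_PERMISSIONS = {
    "platform_administrator": {MANAGE_USERS, VIEW_REPORTS},
    "reward_issuer": {ISSUE_REWARDS},
    "budget_manager": {MANAGE_BUDGET, VIEW_REPORTS},
    "end_user": {REDEEM_REWARDS},
}

# Permission pairs one person should never hold together (assumed SoD rule):
# whoever controls the budget must not also be able to spend it.
SOD_CONFLICTS = {frozenset({ISSUE_REWARDS, MANAGE_BUDGET})}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def effective_permissions(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user.roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_allowed(user, permission):
    """Authorisation check: deny by default, allow only via an assigned role."""
    return permission in effective_permissions(user)


def sod_violations(user):
    """Conflicting permission pairs the user holds, sorted for stable output."""
    perms = effective_permissions(user)
    return [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms]


def access_review(users):
    """Report for a periodic access review: roles, effective permissions, SoD findings."""
    return {
        u.name: {
            "roles": sorted(u.roles),
            "permissions": sorted(effective_permissions(u)),
            "sod_violations": sod_violations(u),
        }
        for u in users
    }


if __name__ == "__main__":
    # Constructed sample assignments: bob's two roles together break the SoD rule.
    team = [
        User("alice", {"reward_issuer"}),
        User("bob", {"reward_issuer", "budget_manager"}),
        User("carol", {"platform_administrator"}),
    ]
    for name, entry in access_review(team).items():
        print(name, entry)
```

Running the review over the constructed team reports bob's combined roles as a segregation-of-duties finding, which is the kind of check an ISO 27001 or SOC 2 access review expects to be performed on a schedule.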

SAML 2.0 and OAuth 2.0 Integration

Xoxoday Plum supports SAML 2.0 for SSO federation with enterprise identity providers. Your organisation can connect Xoxoday Plum to your existing IdP so that employees authenticate through your standard corporate login flow—no separate Plum credentials required. OAuth 2.0 is supported for secure authentication and authorisation flows, including OAuth-based API security for system-to-system integrations. For example, when connecting Xoxoday Plum to an HRIS such as Workday, SAP SuccessFactors, or Darwinbox, OAuth 2.0 governs the secure token exchange between systems. Mobile app integrations—such as surfacing rewards within a Slack or Microsoft Teams workflow—similarly use OAuth 2.0 to authenticate API calls between Xoxoday Plum and the connected application.
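The paragraph above says OAuth 2.0 governs the token exchange for system-to-system integrations such as an HRIS connector. The following is an added example that is not Xoxoday Plum's, any named vendor's, or any real API's code: it simulates in-process the OAuth 2.0 client-credentials grant that such integrations typically use, with both sides of the exchange (the authorization server issuing a short-lived bearer token, and the resource server validating it on an API call). The client identifier, secret, scope name, endpoint functions and HMAC-signed token format are all assumptions for this example.

```python
"""Added example (not Xoxoday Plum's code): an in-process simulation of the
OAuth 2.0 client-credentials grant used for system-to-system integrations.

Client ID, secret, scope, endpoint names and the token format are assumptions;
a real integration would call the vendor's token endpoint over HTTPS and the
token would usually be a JWT or an opaque value checked by introspection.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL = 300                          # seconds a token stays valid
SIGNING_KEY = secrets.token_bytes(32)    # authorization-server key, new per run


def _hash_secret(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


# Registered integration clients (constructed sample; secrets stored hashed).
REGISTERED_CLIENTS = {
    "hris-connector": {
        "secret_hash": _hash_secret("example-secret"),
        "scopes": {"employees:read"},
    },
}


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_endpoint(client_id, client_secret, scope, now=None):
    """Authorization server: verify client credentials, issue a signed bearer token."""
    now = int(time.time()) if now is None else now
    client = REGISTERED_CLIENTS.get(client_id)
    # Constant-time comparison of the hashed secret avoids a timing side channel.
    if client is None or not hmac.compare_digest(
        client["secret_hash"], _hash_secret(client_secret)
    ):
        return {"error": "invalid_client"}
    if scope not in client["scopes"]:
        return {"error": "invalid_scope"}
    payload = json.dumps({"sub": client_id, "scope": scope, "exp": now + TOKEN_TTL}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return {"access_token": _b64(payload) + "." + _b64(sig),
            "token_type": "Bearer", "expires_in": TOKEN_TTL}


def validate_bearer(token, required_scope, now=None):
    """Resource server side: check signature, expiry and scope; return claims or None."""
    now = int(time.time()) if now is None else now
    try:
        payload_part, sig_part = token.split(".")
        payload, sig = _unb64(payload_part), _unb64(sig_part)
    except ValueError:                   # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now or claims["scope"] != required_scope:
        return None
    return claims


def api_employees(auth_header, now=None):
    """Protected API call: accept only a valid bearer token carrying the right scope."""
    if not auth_header.startswith("Bearer "):
        return 401, {"error": "missing_bearer_token"}
    claims = validate_bearer(auth_header[len("Bearer "):], "employees:read", now)
    if claims is None:
        return 401, {"error": "invalid_token"}
    return 200, {"employees": ["e-001", "e-002"], "issued_to": claims["sub"]}


if __name__ == "__main__":
    # The HRIS connector obtains a token, then presents it on the API call.
    grant = token_endpoint("hris-connector", "example-secret", "employees:read")
    print(api_employees("Bearer " + grant["access_token"]))
```

The two checks worth noticing are the ones integrations most often get wrong: the resource server rejects an expired token outright rather than trusting the caller's clock, and the scope carried in the token, not the client's registration, decides what the call may do.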

Compliance Documentation

Xoxoday Plum holds certifications including SOC 2 Type II and ISO 27001. Relevant compliance documentation and security assessment materials are available on request through your account team. Learn more: [Xoxoday Plum Help Centre — General](

Setting Up SSO with SAML 2.0

Step-by-step guide to federating Xoxoday Plum with your enterprise identity provider using SAML 2.0.

Security Certifications and Compliance

Overview of Xoxoday Plum’s SOC 2 Type II and ISO 27001 certifications and what they cover.