Xoxoday Plum conducts annual Vulnerability Assessment and Penetration Testing (VAPT) through an accredited third-party security vendor to identify and remediate vulnerabilities before they can be exploited.

How Xoxoday Plum approaches penetration testing

Security is a continuous commitment at Xoxoday Plum, not a checkbox exercise. As part of its annual security programme, Xoxoday Plum engages an independent, accredited third-party vendor to perform comprehensive Vulnerability Assessment and Penetration Testing (VAPT). Using an external vendor ensures the assessment is objective, free from internal bias, and aligned with industry-recognised testing methodologies.

VAPT combines two complementary activities. The vulnerability assessment systematically scans the infrastructure, applications, and network for known weaknesses — misconfigured services, outdated dependencies, exposed endpoints, and similar issues. The penetration test then goes further: a team of ethical hackers actively attempts to exploit the discovered vulnerabilities in a controlled environment, simulating the techniques a real-world attacker would use. Together, these activities provide a realistic picture of where risk exists and how severe it is.

What this means for your organisation

For HR leaders, IT security teams, and procurement professionals evaluating Xoxoday Plum, annual third-party VAPT is a strong indicator of a mature security posture. Enterprises operating under frameworks such as ISO 27001 or SOC 2 Type II typically expect vendors to show evidence that they actively test their environments, and Xoxoday Plum's structured annual testing cadence is designed to satisfy that expectation. If your organisation uses Xoxoday Plum alongside enterprise tools such as Workday, SAP SuccessFactors, or Darwinbox for HR data flows, or communicates via Slack or MS Teams, the rewards infrastructure that connects those systems is covered by the same annual testing.

Findings and remediation

Penetration testing is only valuable when findings are acted upon. Following each VAPT engagement, identified vulnerabilities are triaged by severity. Critical and high-severity findings are remediated first, on a priority basis, while medium and low findings are scheduled into the regular release and maintenance cycle. This closed-loop process means that each successive test reflects genuine progress rather than the same gaps recurring year after year.

Requesting security documentation

Organisations that require formal evidence of VAPT — such as executive summaries or attestation letters — can request this through their account contact as part of vendor due diligence or security questionnaire processes. Xoxoday Plum’s security team works with enterprise customers to provide the documentation needed to satisfy internal procurement, legal, and compliance reviews. Learn more: [Xoxoday Plum Help Centre — General](

What security certifications does Xoxoday Plum hold?

Learn about the compliance frameworks and certifications — including ISO 27001 and SOC 2 — that underpin Xoxoday Plum’s security programme.

How does Xoxoday Plum handle data encryption?

Understand how Xoxoday Plum encrypts data in transit and at rest to protect sensitive reward and employee information.