Xoxoday Plum maintains an enterprise-grade security framework certified under ISO 27001, SOC 2 Type II, and GDPR, using AES-256 encryption, role-based access control, real-time threat monitoring, and structured incident response to protect data across all regions and client use cases.

Certifications and Compliance

Xoxoday Plum holds ISO 27001, SOC 2 Type II, and GDPR certifications, each independently audited to confirm that security controls meet internationally recognised standards. Xoxoday Plum also aligns with PIPL data retention requirements for organisations operating across jurisdictions that enforce regional privacy mandates. These certifications are renewed and re-assessed on a regular cycle, so your organisation’s compliance posture rests on verified, up-to-date evidence — not self-attestation.

Encryption in Transit and at Rest

All data stored within Xoxoday Plum is encrypted using AES-256, the same standard used by financial institutions and government agencies globally. Data moving between systems — for example, when Xoxoday Plum exchanges reward fulfilment data with an HRMS integration such as Workday, SAP SuccessFactors, or Darwinbox — is secured using TLS 1.2 or higher. This dual-layer encryption approach ensures confidentiality whether information is sitting in storage or actively travelling across your technology stack.

Access Management and Least Privilege

Xoxoday Plum enforces role-based access control (RBAC), ensuring that administrators, managers, and end users only access data and functionality directly relevant to their role. Multi-factor authentication (MFA) is required for privileged accounts, and access is governed by the principle of least privilege to limit exposure in the event of a compromised credential. Access logs are retained and reviewed on a regular basis, giving your IT and compliance teams a complete, auditable trail of who accessed what and when.

Cloud Infrastructure and Availability

Xoxoday Plum runs on AWS with VPC isolation, maintaining network-level segregation between environments and tenants. Auto-scaling keeps the platform available during high-demand periods — such as large-scale reward distribution campaigns — without relaxing security boundaries. Real-time security event tracking and anomaly detection run continuously across the infrastructure, identifying and containing threats before they can escalate into incidents.

Audits, Penetration Testing, and Vulnerability Management

Xoxoday Plum conducts periodic internal audits and annual third-party vulnerability assessments carried out by independent security researchers. Penetration testing results feed into a structured risk remediation workflow where findings are prioritised, resolved, and formally documented. This cycle ensures that emerging attack vectors are addressed proactively rather than reactively.

Incident Response

Xoxoday Plum maintains a structured incident response plan with SLA-bound notification timelines and defined containment steps. Should a security event occur, your organisation receives timely, transparent communication covering the nature of the incident, its scope, and the remediation actions taken. The notification process is aligned with GDPR’s 72-hour breach reporting requirement, so your legal and compliance obligations are met without manual coordination overhead on your side.

Data Retention and Secure Deletion

Data retention periods within Xoxoday Plum are configured in alignment with your contractual terms and applicable regulations including GDPR and PIPL. When a retention period expires or a deletion request is submitted, data is securely purged across all systems and backups. Your organisation stays compliant with regional privacy mandates without requiring manual intervention from your IT or HR teams.
Learn more: Xoxoday Plum Help Centre — Data, Policy & Privacy