Xoxoday maintains a formal third-party management strategy governed by its Supplier Management Procedure, aligned with ISO/IEC 27001:2013 and SOC 2 criteria, covering end-to-end vendor selection, contractual safeguards, performance monitoring, and exception management.
Governance and Scope
Xoxoday’s supplier management framework is owned by the Infosec Team and reviewed on an annual cycle, with final approval authority resting with the CTO. The Supplier Management Procedure applies across all business functions — including Finance, Legal, HR, and IT — ensuring consistent risk controls regardless of the type of service being procured. This enterprise-wide scope means no supplier relationship falls outside the governance framework.
Supplier Evaluation and Selection
Xoxoday uses a structured, multi-stage process before onboarding any vendor. Suppliers are assessed on domain expertise, service responsiveness, local support presence, and demonstrated track record. This evaluation applies equally whether Xoxoday is onboarding a cloud infrastructure provider, an HR platform integration partner such as Workday or Darwinbox, or a communication tooling vendor like Slack or Microsoft Teams. The selection workflow progresses through three documented stages — Offer Evaluation, Operational Capacity review, and Technical Capability assessment — with outcomes recorded in a supplier tracker for full auditability.
Contractual Safeguards
Every supplier agreement includes legally binding protections. Contracts define service level agreements, carry right-to-audit clauses, and include penalty provisions for both SLA breaches and information security non-compliance. NDA obligations are standard across all engagements, and background verification of supplier personnel is required before access to Xoxoday systems or data is granted.
Ongoing Monitoring and Reviews
Xoxoday conducts structured supplier reviews at least annually, evaluating SLA adherence, issue resolution quality, and emergency support readiness. Review frequency scales with service criticality — vendors supporting core platform integrations or sensitive data flows receive closer monitoring than lower-risk suppliers. This cadence ensures that performance issues are identified and addressed before they affect customers.
Alternate Supplier Planning
For services critical to business continuity, Xoxoday maintains a pre-qualified roster of alternate suppliers. These alternates undergo the same rigorous evaluation as primary vendors, so any failover option already meets Xoxoday’s security and operational standards before it is needed.
Compliance Alignment and Exception Management
The strategy is designed to satisfy ISO/IEC 27001:2013 controls and SOC 2 Type II criteria, including organisational governance and vendor risk controls such as CC1.2 and CC5.5. Any deviation from the standard supplier management process requires CTO review and formal approval, ensuring that exceptions are documented and risk-assessed rather than handled informally. This end-to-end framework reflects Xoxoday’s commitment to managing third-party risk with the same rigour applied to its internal security controls.
Learn more: Xoxoday Help Centre — Process, procedure and strategy