Xoxoday maintains a formally documented and actively enforced Privileged Access Management (PAM) process that governs the assignment, monitoring, and revocation of privileged accounts, aligned with ISO 27001 and SOC 2 Type II requirements.
Xoxoday manages elevated access rights through a structured Privileged Access Management process that is both documented and actively enforced across all critical systems. This is not a policy that exists only on paper — it is embedded in operational workflows and subject to independent audit.
Centralized Identity and Access Management
All privileged access at Xoxoday is provisioned and revoked through a centralized Identity and Access Management (IAM) system. Every administrative permission is granted through a controlled authorization workflow, and every access event is tracked from provisioning through revocation. No elevated access is granted outside of this system.
Quarterly Access Reviews
Xoxoday conducts a formal review of all privileged accounts every quarter. During each cycle, the access list is validated against current employment status and job role. Accounts belonging to individuals who have been terminated or moved to a non-administrative function are adjusted or removed without delay. This prevents privilege creep from accumulating silently across systems over time.
For organizations running workforce data through platforms like Workday, SAP SuccessFactors, or Darwinbox, Xoxoday’s provisioning workflows can be synchronized with HR system changes to ensure access is recalibrated whenever roles shift.
No Generic or Shared Administrative Accounts
Xoxoday strictly prohibits default, generic, or shared accounts for administrative tasks. Every privileged action must be attributable to a named individual. This eliminates the accountability gap that shared credentials create and ensures that any anomalous activity can be traced to a specific user.
Activity Monitoring and Change Logging
Administrative activity is periodically audited through system logs and access reports. Any grant, modification, or revocation of privileged access is logged and retained. Xoxoday’s security teams use these logs to detect unauthorized or anomalous behavior and respond before it escalates.
Alignment with ISO 27001 and SOC 2 Type II
Xoxoday’s PAM practices directly address the access control requirements defined in ISO 27001 Annex A.9 and the logical access controls evaluated during SOC 2 Type II audits. During SOC 2 Type II assessments, independent auditors review Xoxoday’s access review records and IAM configurations to confirm that privileged access is managed in a controlled, auditable manner throughout the audit period.
This end-to-end governance model ensures that no elevated permission exists without a documented business justification, a named owner, and a scheduled review date.