Xoxoday performs regular security assessments of every third-party company with which it shares data—covering IaaS, PaaS, and SaaS providers—and enforces compliance through legally binding Data Processing Agreements before any data exchange begins.
Security and Compliance Reviews
Before onboarding any third party, Xoxoday reviews the vendor’s certifications, including ISO 27001 and SOC 2 Type II attestations where applicable. The review covers data protection controls, encryption standards, and the vendor’s demonstrated ability to respond to and recover from security incidents. A vendor without adequate certifications or with demonstrably weak controls does not proceed past this stage.
Vendor Risk Assessments
Xoxoday completes detailed security questionnaires for each vendor, assessing practices around data confidentiality, infrastructure resilience, and service recoverability. This is particularly relevant for integrations with enterprise HR and productivity platforms—such as Workday, SAP SuccessFactors, Darwinbox, Slack, and Microsoft Teams—where data flows between systems must be validated end to end before the connection is activated.
Data Processing Agreements
Every sub-processor engaged by Xoxoday signs a Data Processing Agreement (DPA) before any data exchange begins. These agreements are legally binding and require vendors to meet Xoxoday’s security, privacy, and compliance obligations, including requirements consistent with GDPR and other applicable data protection regulations.
Ongoing Monitoring and Re-assessment
Third-party risk is not static. Xoxoday re-assesses critical vendors periodically to confirm continued compliance with its information security standards. If a vendor’s posture changes—due to a security incident, a lapse in certification, or updated data handling practices—Xoxoday reviews the relationship and takes appropriate action, up to and including terminating data sharing.
Access Controls and Data Minimization
Xoxoday applies the principle of least privilege when sharing data with any third party. Only the minimum data necessary for the vendor to perform their function is shared, and strict role-based access controls are enforced. This limits exposure in the event of a vendor-side incident and reduces the overall attack surface across Xoxoday’s supply chain. Together, these controls ensure that the confidentiality, integrity, and availability of customer data are maintained across every external touchpoint Xoxoday relies upon.