Xoxoday operates a structured, certification-backed testing framework governed by ISO 27001 and SOC 2 Type II requirements, led by a CISSP- and CISM-certified CISO and supported by annual independent audits and accredited third-party penetration testing.

Certified Security Leadership

Xoxoday’s Information Security team members hold ISO 27001 Lead Auditor (LA) certification, giving them the formal training to design and evaluate controls against an internationally recognised standard. The Chief Information Security Officer holds both CISSP and CISM certifications — credentials that reflect deep expertise in security architecture, risk management, and governance. This leadership structure ensures that testing decisions are made by practitioners who are accountable to external certification bodies, not just internal policies.

Documentation Aligned to ISO 27001 and SOC 2 Type II

Every test artefact Xoxoday produces — plans, execution records, results, and remediation steps — is structured to satisfy the documentation requirements of ISO 27001 and SOC 2 Type II simultaneously. Documents are version-controlled and audit-ready at all times, meaning an assessor reviewing Xoxoday’s controls can trace any test finding forward to its remediation and backward to the original risk statement without gaps. This traceability model is the same standard used by enterprise HR systems such as Workday and SAP SuccessFactors when they publish their own compliance artefacts, and it gives Xoxoday customers a comparable level of assurance when they incorporate Xoxoday into their vendor risk programmes.

Annual Audits and Independent Penetration Testing

Xoxoday conducts annual independent audits to verify that controls remain effective between certification cycles. These are not internal reviews; they are performed by third-party assessors who test controls against the criteria defined in SOC 2 Type II. Separately, Xoxoday commissions annual Vulnerability Assessment and Penetration Testing (VAPT) through accredited third-party vendors. VAPT exercises cover Xoxoday’s rewards, incentives, and payout infrastructure end-to-end, simulating real-world attack scenarios to surface exploitable weaknesses before they can be reached by adversaries.

Risk Remediation Tracked to Closure

Findings from audits and VAPT are not simply recorded and filed — they are tracked through a formal remediation workflow until each risk is closed. Xoxoday assigns ownership, sets target dates, and verifies closure before a finding is retired from the register. This closed-loop process satisfies the continuous improvement clauses in ISO 27001 and the risk monitoring criteria in SOC 2 Type II, and it provides customers in regulated industries with evidence that Xoxoday treats discovered vulnerabilities as obligations rather than observations. Organisations integrating Xoxoday with tools such as Microsoft Teams, Slack, or Darwinbox can request audit summaries and penetration testing attestations as part of their standard vendor due diligence process. Learn more: Xoxoday Help Centre — Delivery

Security Certifications and Compliance Standards

Details on Xoxoday’s ISO 27001, SOC 2 Type II, and other compliance certifications held across its platform.

Vulnerability Management and VAPT Process

How Xoxoday identifies, tracks, and remediates vulnerabilities through structured VAPT and continuous monitoring.