Xoxoday secures sensitive data with TLS 1.2 or higher for data in transit and AES-256 for data at rest. These controls sit within the scope of its ISO/IEC 27001:2022 certification and SOC 2 Type II attestation and support its obligations under the GDPR.
Data in Transit
All communication between client devices, APIs, and Xoxoday servers is encrypted with Transport Layer Security (TLS) 1.2 or higher; TLS 1.0 and 1.1 are not offered. HTTPS is enforced on every web and API endpoint, and only strong cipher suites are offered, meaning those that pair ephemeral elliptic-curve key exchange with an AEAD cipher, for example ECDHE-RSA with AES-256-GCM (ECDHE-RSA-AES256-GCM-SHA384). Ephemeral key exchange provides Perfect Forward Secrecy (PFS): each session's keys derive from one-time Diffie-Hellman values that are discarded afterwards, so recorded traffic cannot be decrypted later even if the server's long-term private key is compromised. HTTP Strict Transport Security (HSTS) instructs browsers to refuse plaintext HTTP to the domain, which blocks SSL-stripping downgrade attacks and stops session cookies from leaking over HTTP; it takes effect only once a browser has seen the header (or if the domain is on the HSTS preload list), so the very first request is the one to protect with a redirect and secure cookie flags. API requests are authenticated with OAuth 2.0 bearer tokens; the token travels in an HTTP header inside the TLS channel and must never be sent over plaintext HTTP. Clients validate the server certificate against trusted Certificate Authorities and check that it matches the hostname, which defeats man-in-the-middle (MITM) attempts. For organizations connecting Xoxoday to systems like Workday, SAP SuccessFactors, or Darwinbox, all data exchanged over these integrations travels through the same TLS-enforced channel.
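The Go program below is an added example, not Xoxoday's code, that encodes the transit policy described above (TLS 1.2 as the floor, ECDHE key exchange with AEAD ciphers, certificate validation against a trusted root) and checks it with in-memory handshakes: a client limited to TLS 1.0/1.1 is refused, while a TLS 1.2 client negotiates a forward-secret suite. The hostname api.example.test, the self-signed certificate and the helper names are assumptions made for the demo; a production endpoint presents a CA-issued certificate and clients rely on system roots.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

const host = "api.example.test" // made-up hostname, for this demo only

// selfSignedCert mints a throwaway ECDSA certificate so the demo runs offline;
// real endpoints present CA-issued certificates and clients use system roots.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// serverPolicy is the transit policy: TLS 1.2 floor and, for TLS 1.2, only ECDHE
// key exchange with AEAD ciphers. TLS 1.3 suites are always ECDHE+AEAD.
func serverPolicy(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		SessionTicketsDisabled: true, // post-handshake tickets would block the in-memory pipe
	}
}

// probe handshakes a client that speaks only [minVer, maxVer] against the
// policy over an in-memory pipe; it returns the negotiated state or the error.
func probe(server *tls.Config, pool *x509.CertPool, minVer, maxVer uint16) (tls.ConnectionState, error) {
	c1, c2 := net.Pipe()
	defer func() { c1.Close(); c2.Close() }()
	srv := tls.Server(c1, server)
	cli := tls.Client(c2, &tls.Config{RootCAs: pool, ServerName: host, MinVersion: minVer, MaxVersion: maxVer})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		c1.Close() // unblock the server side before collecting its result
		<-srvErr
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), <-srvErr
}

// forwardSecret reports whether the negotiated suite is ECDHE with an AEAD
// cipher. Every TLS 1.3 suite qualifies; TLS 1.2 suites are checked by name.
func forwardSecret(st tls.ConnectionState) bool {
	if st.Version >= tls.VersionTLS13 {
		return true
	}
	name := tls.CipherSuiteName(st.CipherSuite)
	return strings.Contains(name, "ECDHE") &&
		(strings.Contains(name, "GCM") || strings.Contains(name, "CHACHA20"))
}

func main() {
	cert, pool, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	policy := serverPolicy(cert)
	_, err = probe(policy, pool, tls.VersionTLS10, tls.VersionTLS11)
	fmt.Println("TLS 1.1 client:", err) // refused by the MinVersion floor
	st, err := probe(policy, pool, tls.VersionTLS12, tls.VersionTLS12)
	fmt.Println("TLS 1.2 client:", err, tls.CipherSuiteName(st.CipherSuite), forwardSecret(st))
}
```

To audit a live endpoint the same way, replace the pipe with tls.Dial and the demo pool with nil so the system roots are used; the ConnectionState it returns is exactly what forwardSecret inspects.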
Data at Rest
All stored data, including customer records, transaction histories, and reward redemption data, is encrypted with AES-256. Volume encryption (the cloud equivalent of full-disk encryption, FDE) is applied to all storage volumes and their backups through AWS EBS encryption within Xoxoday’s cloud infrastructure, so the underlying disks and snapshots are unreadable outside the account. Database encryption layers Transparent Data Encryption (TDE), which protects the database files and backups on disk, with column-level encryption for sensitive fields such as personal identifiers and financial details. The second layer matters because TDE is transparent to anyone who can query the database, whereas an encrypted column stays unreadable without access to its key. Files uploaded to Xoxoday are encrypted before storage, and a SHA-256 hash of each file is recorded to verify integrity; a plain hash detects accidental corruption, while detecting deliberate tampering needs an authenticated cipher mode or a keyed hash such as HMAC. Backups are encrypted both at rest and during transfer to secure storage locations, so no unencrypted copy of the data exists at any point.
Key Management
Encryption key lifecycle management is handled through AWS Key Management Service (KMS). KMS never exports its key material: components obtain data keys through it and store only the wrapped (KMS-encrypted) form, calling KMS again to unwrap them when needed. Access to keys is governed by role-based access controls (RBAC), multi-factor authentication (MFA), and enforced rotation schedules. Rotating a KMS key produces new key material for new operations while retaining the earlier material, so existing ciphertexts remain decryptable; re-encrypting stored data under fresh data keys is a separate step. Every key usage event is logged and auditable, directly supporting Xoxoday’s compliance obligations under ISO/IEC 27001:2022 and SOC 2 Type II.
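The Go program below is an added example, not Xoxoday's code, of the envelope-encryption pattern behind KMS-backed column-level encryption: a per-field data key encrypts the value with AES-256-GCM, only the KMS-wrapped copy of that data key is stored beside the ciphertext, and the record id and column name are bound in as associated data so a ciphertext cannot be moved to another row or column. It also shows what rotation does and does not do: after a rotation, fields wrapped under the old version still decrypt and new fields use the new version. The toyKMS type, its version byte and the sample employee record are stand-ins constructed for this demo; a real deployment calls AWS KMS GenerateDataKey and Decrypt, which the toy mimics.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// toyKMS stands in for AWS KMS in this offline demo: master keys never leave it,
// callers get data keys plus a wrapped copy, and every master key version is
// retained so wrapped keys from before a rotation still unwrap.
type toyKMS struct {
	versions [][]byte // 256-bit master keys, index = key version
}

// Rotate adds a master key version; as with KMS rotation, data keys wrapped
// under earlier versions are left as they are.
func (k *toyKMS) Rotate() { k.versions = append(k.versions, randomBytes(32)) }

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh AES-256 data key for
// immediate use plus the wrapped copy that gets stored, whose first byte
// records the master key version (also bound into the wrap as AAD).
func (k *toyKMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = randomBytes(32)
	v := byte(len(k.versions) - 1)
	return plain, append([]byte{v}, seal(k.versions[v], plain, []byte{v})...)
}

// Decrypt mirrors KMS Decrypt: unwrap a data key under its master version.
func (k *toyKMS) Decrypt(wrapped []byte) ([]byte, error) {
	if len(wrapped) == 0 || int(wrapped[0]) >= len(k.versions) {
		return nil, errors.New("unknown master key version")
	}
	return open(k.versions[wrapped[0]], wrapped[1:], wrapped[:1])
}

// EncryptedField is what the database column holds: the wrapped data key next
// to the nonce-prefixed AES-256-GCM ciphertext of the value.
type EncryptedField struct {
	WrappedKey []byte
	Ciphertext []byte
}

// encryptField protects one column value. Record id and column name are
// authenticated as associated data, so a ciphertext copied to another row or
// column will not decrypt.
func encryptField(k *toyKMS, recordID, column string, value []byte) EncryptedField {
	dataKey, wrapped := k.GenerateDataKey()
	return EncryptedField{WrappedKey: wrapped, Ciphertext: seal(dataKey, value, []byte(recordID+"/"+column))}
}

// decryptField unwraps the data key through the KMS, then opens the value
// under the same associated data it was sealed with.
func decryptField(k *toyKMS, recordID, column string, f EncryptedField) ([]byte, error) {
	dataKey, err := k.Decrypt(f.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, f.Ciphertext, []byte(recordID+"/"+column))
}

// seal encrypts with AES-256-GCM under a fresh random nonce: nonce || ct+tag.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aesGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...)
}

// open reverses seal; the GCM tag check fails if key, data or AAD differ.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aesGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// must panics on error: every key here is 32 bytes and crypto/rand does not
// fail on supported platforms, so these errors can only be programming bugs.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func aesGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func randomBytes(n int) []byte     { b := make([]byte, n); must(rand.Read(b)); return b }

func main() {
	kms := &toyKMS{}
	kms.Rotate()
	f := encryptField(kms, "emp-1001", "bank_account", []byte("GB00DEMO00000000000000")) // constructed sample
	kms.Rotate() // new master version; the stored field is untouched
	v, err := decryptField(kms, "emp-1001", "bank_account", f)
	fmt.Printf("after rotation: %s (wrapped under version %d, err=%v)\n", v, f.WrappedKey[0], err)
	_, err = decryptField(kms, "emp-1002", "bank_account", f) // ciphertext moved to another row
	fmt.Println("moved ciphertext:", err)
}
```

The same shape applies to uploaded files: seal the file under a data key, store the wrapped key beside it, and keep the SHA-256 digest of the plaintext as a corruption check; the GCM tag, not the digest, is what catches deliberate modification.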
Security Outcome
Together, these controls close off eavesdropping, data interception, and unauthorized access across every surface: data is encrypted on the wire, encrypted on disk, and readable only by components authorized to use the corresponding keys. Whether data flows through an HR integration with a system like Darwinbox or resides in an encrypted backup, Xoxoday keeps it protected, integrity-verified, and accessible only to authorized parties.

Learn more: Xoxoday Help Centre — Compliance

SOC 2 Type II Compliance at Xoxoday
Learn how Xoxoday maintains SOC 2 Type II attestation across security, availability, and confidentiality trust service criteria.
Access Controls and Authentication
Understand how Xoxoday enforces role-based access controls, MFA, and privileged access management to limit exposure of sensitive data.