Xoxoday protects personal data using TLS 1.2 encryption in transit, AES-256 encryption at rest, multi-factor authentication, SSO-based access controls, and AWS-hosted infrastructure with physical and logical security measures aligned to GDPR Article 32 requirements.
Xoxoday encrypts all personal data in transit using TLS 1.2 and at rest using AES-256. Database-level encryption means that sensitive records, including employee PII ingested through integrations with HR platforms such as Workday or SAP SuccessFactors, remain unreadable to anyone who obtains the underlying storage volumes or backups without the corresponding keys; it does not by itself protect against an actor holding valid database credentials, which is why the access controls described below matter as much as the cipher. Files transferred via SFTP can additionally be PGP-encrypted, so the contents of a bulk data exchange stay protected independently of the transport channel and of the SFTP server itself.
On the infrastructure side, Xoxoday runs on AWS and Azure following the cloud security best practices published by those providers: multi-layer firewalls, Web Application Firewall (WAF) protection, Data Loss Prevention (DLP) integration, and comprehensive audit-trail logging. Together these controls are designed to block and detect unauthorized data exfiltration and to retain a record of access events for forensic review.
Access to personal data is tightly controlled at every level. Xoxoday supports Single Sign-On (SSO) integration, allowing enterprise clients to enforce their own identity policies (MFA, conditional access, deprovisioning) through providers such as Azure AD or Okta. API access can be restricted by IP allowlist, so that requests are accepted only from approved client networks and an exposed API key alone is not enough to call the API from elsewhere. All Xoxoday staff with access to personal data authenticate via SSO combined with two-factor authentication, and access privileges are scoped to the minimum required for each role.
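As an added illustration (not Xoxoday's code; the allowlist entries, the proxy address and the header handling are constructed for the example), the following Python shows what a deny-by-default API IP allowlist check looks like, and the pitfall that most often defeats one in practice: honouring a client-supplied X-Forwarded-For header from a peer that is not a proxy you control.

```python
import ipaddress

# Constructed example allowlist of approved client networks (hypothetical
# values from the RFC 5737 / RFC 3849 documentation ranges, not Xoxoday's).
# Entries may be single hosts or CIDR ranges, IPv4 or IPv6.
ALLOWLIST = [
    "203.0.113.0/24",        # corporate egress range
    "198.51.100.17",         # a single NAT gateway
    "2001:db8:abcd::/48",    # IPv6 prefix for a client site
]


def parse_allowlist(entries):
    """Parse allowlist entries into network objects.

    strict=True makes ip_network() raise on an entry with host bits set
    (e.g. "10.0.0.5/24"); failing loudly is safer than silently widening
    the entry to the whole /24 or skipping it.
    """
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def is_allowed(peer_ip, networks):
    """Deny by default: True only if peer_ip lies inside an approved network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        # Empty, malformed or non-IP input is never approved.
        return False
    # An IPv4 client arriving over a dual-stack socket shows up as an
    # IPv4-mapped IPv6 address (::ffff:203.0.113.5); compare the IPv4 it carries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks if net.version == addr.version)


def authorize_request(peer_ip, headers, networks, trusted_proxy_ips=()):
    """Pick the address to check, then apply the allowlist.

    X-Forwarded-For is only honoured when the direct TCP peer is one of our
    own proxies (assumed here to be a single hop). Each proxy appends the
    address it received the request from, so the rightmost entry is the one
    written by our proxy; everything to its left is client-controlled.
    Trusting the header from an arbitrary peer would let any caller spoof an
    allowlisted source and walk past the check.
    """
    client_ip = peer_ip
    forwarded = headers.get("X-Forwarded-For")
    if forwarded and peer_ip in trusted_proxy_ips:
        client_ip = forwarded.split(",")[-1].strip()
    return is_allowed(client_ip, networks)


if __name__ == "__main__":
    nets = parse_allowlist(ALLOWLIST)
    # Constructed requests: the first is a spoof attempt from an unknown peer,
    # the second is the same header arriving via our trusted proxy.
    proxy = ("10.0.0.2",)
    print(authorize_request("192.0.2.9", {"X-Forwarded-For": "203.0.113.5"}, nets, proxy))
    print(authorize_request("10.0.0.2", {"X-Forwarded-For": "203.0.113.5"}, nets, proxy))
```

The check is only as good as the address it is given: enforce it at the edge that terminates the client connection, or behind a proxy whose own address you verify, and keep the allowlist short enough that every entry has a known owner.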
For physical security, Xoxoday relies on AWS-managed data centers, which employ advanced surveillance systems, biometric access controls, and 24/7 on-site security personnel. AWS's certifications, including ISO 27001 and SOC 2 Type II, cover the physical and facility layer of the shared responsibility model, so clients inherit those controls without assessing the data centers themselves. Responsibility for the layers built on top (application, data, identity and tenant configuration such as SSO, allowlists and user roles) remains with Xoxoday and, for their own settings, with the client.
Xoxoday’s information security policy codifies these controls across several domains: data protection and encryption, password and access control, virus and malware protection, audit logging and monitoring, and vulnerability and incident response management. PII is stored in encrypted cloud storage on AWS and is accessible only by personnel with an explicit, documented business need.
Organizationally, Xoxoday enforces strong password policies and rotating verification codes across all internal systems. Staff onboarding includes mandatory security training, and access is reviewed and revoked promptly when roles change. These organizational safeguards complement the technical controls and together fulfill the “technical and organizational measures” requirement under GDPR Article 32.
Learn more: Xoxoday Help Centre — General Data Protection Regulation (GDPR)
Data Processing Agreement (DPA)
Understand the contractual framework governing how Xoxoday processes personal data on behalf of clients, including roles, obligations, and sub-processor disclosure.
Security Certifications: ISO 27001 & SOC 2 Type II
Review the third-party audits and certifications that validate Xoxoday’s information security management system and operational controls.