Xoxoday provides ISO 27001:2023 and SOC 2 Type II audit certificates, along with a Vulnerability Assessment and Penetration Testing (VAPT) certificate for the Empuls Web Application (2024), as formal evidence of its compliance with global security standards.
When enterprise procurement teams, InfoSec departments, or external auditors request evidence of a vendor’s security posture, Xoxoday responds with a structured set of compliance artifacts. These documents support vendor risk assessments, third-party audits, and internal compliance reviews across industries and geographies.

ISO 27001:2023 Certification

Xoxoday holds an ISO 27001:2023 certificate, the internationally recognized standard for information security management systems (ISMS). This certification confirms that Xoxoday maintains a systematic approach to managing sensitive company and customer information, covering risk assessment, access controls, incident response, and continuous improvement. For organizations using enterprise HRIS platforms such as SAP SuccessFactors, Workday, or Darwinbox, the ISO 27001 certificate provides the assurance needed to onboard Xoxoday as a trusted third-party vendor.

SOC 2 Type II Audit Report

The SOC 2 Type II report documents how Xoxoday’s controls operate over an extended observation period — not just at a single point in time. This report covers the Trust Services Criteria for security, availability, and confidentiality, and is the most requested artifact during enterprise procurement processes. IT and compliance teams at mid-market and enterprise companies regularly require SOC 2 Type II evidence before authorizing integrations with employee engagement tools or rewards platforms.

VAPT Certificate — Empuls Web Application (2024)

Xoxoday provides a Vulnerability Assessment and Penetration Testing (VAPT) certificate specifically for the Empuls Web Application, conducted in 2024. The VAPT independently validates that Xoxoday’s application layer has been assessed for known vulnerabilities and that identified risks have been addressed. This is particularly relevant for organizations requiring application-level security assurance in addition to organizational-level certifications like ISO 27001.

How These Documents Support Enterprise Audits

Together, these three documents form a defensible compliance evidence package. An internal audit team uses the ISO 27001 certificate to verify policy frameworks, the SOC 2 Type II report to verify operational controls, and the VAPT certificate to verify application security. This makes it straightforward to complete vendor security questionnaires or respond to due-diligence requests from customers and partners.

For organizations in regulated industries — including financial services, healthcare, and government-adjacent sectors — Xoxoday’s compliance documentation supports the requirements of frameworks such as GDPR and India’s Digital Personal Data Protection Act (DPDP).

Compliance artifacts are made available through Xoxoday’s security and trust documentation process, accessible via your Xoxoday account team or the compliance inquiry process described in the Help Centre.

Learn more: Xoxoday Help Centre — Compliance

Data Privacy and GDPR Compliance

Learn how Xoxoday handles personal data in line with GDPR and regional data protection regulations.

Security Infrastructure and Data Encryption

Understand the encryption standards, access controls, and infrastructure safeguards Xoxoday applies to protect user data.