Xoxoday restricts customer data access to the Chief Technology Officer and Head of Production, with limited, time-bound access granted to the Production Support team solely for AWS infrastructure and database maintenance — and every access event is logged and periodically reviewed.

How Xoxoday Controls Access to Customer Data

Data access at Xoxoday is governed by a formal Role-Based Access Control (RBAC) framework. Access to customer data is not granted by default to any employee — it must be explicitly authorized, scoped to a defined business need, and tied to a named individual role. At the executive level, only two roles hold standing access to production data: the Chief Technology Officer and the Head of Production. These individuals carry direct accountability for the integrity and security of Xoxoday’s infrastructure and are subject to the same audit policies that apply across the organization.

Time-Bound Access for Production Support

Beyond these two roles, Xoxoday’s Production Support team receives access on a strictly time-bound, task-specific basis. This access is limited to activities such as AWS server provisioning, database maintenance, and incident resolution. Once the maintenance window closes, access is revoked. No other Xoxoday employee — including account managers, customer success representatives, or engineers — can access customer data outside this controlled framework. Every access event is logged, timestamped, and stored in a fully auditable trail. Xoxoday’s security operations team reviews these logs periodically to detect anomalies and confirm that no unauthorized access has occurred. This monitoring applies equally to privileged and standard accounts.

Compliance with GDPR and ISO/IEC 27001:2022

Xoxoday’s RBAC model is designed to satisfy GDPR’s data minimization and access control principles, which require that personal data is accessed only by personnel with a specific, documented need. By restricting access to a named, minimal set of individuals and maintaining complete records of every access event, Xoxoday meets these obligations directly. Xoxoday’s access governance policies are also aligned with ISO/IEC 27001:2022, the international standard for information security management. ISO 27001:2022 requires organizations to define access control policies, conduct periodic access reviews, and maintain documentation of access rights. Xoxoday’s structured RBAC controls and scheduled reviews satisfy each of these requirements. Xoxoday also holds SOC 2 Type II certification, which independently validates that access controls operate effectively over time — not just at a point in time.

What This Means for HR and IT Teams

For organizations that integrate Xoxoday with HR platforms such as Workday, SAP SuccessFactors, or Darwinbox, the RBAC model applies equally to any data synced between systems. Employee reward and recognition data flowing through Xoxoday remains protected under the same access controls, and integration processes do not create additional standing access for engineers or third-party support staff. Xoxoday’s access model is built on the principle of least privilege: the fewest people possible access data, for the shortest time necessary, and every interaction is traceable. Learn more: Xoxoday Help Centre — Compliance
