Xoxoday’s AI capabilities are powered exclusively by the OpenAI API; Xoxoday does not train, fine-tune, or retain any learning from model interactions within the product.
How the AI system works
Xoxoday’s AI pipeline follows a standard request-response architecture. When a user performs an action that triggers an AI feature — such as generating reward recommendations, drafting recognition messages, or summarising programme performance — Xoxoday sends a structured prompt (the input) to the OpenAI API. OpenAI’s model processes that prompt and returns a response (the output). Xoxoday then surfaces that response within the product interface. There is no proprietary model sitting between the user and OpenAI. Xoxoday does not operate a custom large language model, does not fine-tune OpenAI’s models on customer data, and does not retain outputs to improve future results. The model architecture is entirely OpenAI’s.No training. No learning. No data retention by the AI layer.
This distinction matters for compliance-conscious organisations. Because Xoxoday is a consumer — not a developer — of the underlying model, your organisation’s data does not feed back into model training. Inputs submitted through Xoxoday’s product — for example, a manager’s recognition note submitted through a Slack or Microsoft Teams integration — are processed in real time and are not stored by the AI layer for learning purposes. For teams working within structured HR ecosystems such as Workday, SAP SuccessFactors, or Darwinbox, this means AI-assisted features in Xoxoday can be evaluated against your organisation’s data governance policies without concern that proprietary HR data is shaping a shared model.What this means for your security and compliance review
Xoxoday’s approach to AI aligns with the transparency expectations of enterprise security frameworks. Organisations holding or pursuing certifications such as ISO 27001 or SOC 2 Type II will find that Xoxoday’s position as a pure API consumer simplifies the AI-related sections of vendor risk assessments. There is no opaque training pipeline to audit on Xoxoday’s side — the model behaviour is governed by OpenAI’s published policies and Xoxoday’s contractual commitments to those terms. When completing a security questionnaire or RFP, teams can accurately characterise Xoxoday’s AI architecture as: input prompt sent to OpenAI API → response received → response rendered in product. Xoxoday adds no intermediate learning layer. This transparent architecture reflects Xoxoday’s broader commitment to responsible AI use — giving IT, legal, and procurement stakeholders a clear, auditable picture of how AI capabilities are delivered within the product. Learn more: Xoxoday Help Centre — TransparencyAI Data Privacy and Your Organisation
Understand what data Xoxoday sends to the OpenAI API, what is excluded, and how your organisation’s information is handled within Xoxoday’s AI features.
Security Certifications and Compliance
Review Xoxoday’s ISO 27001 and SOC 2 Type II certifications, and learn how Xoxoday supports enterprise vendor risk assessments and security reviews.