Xoxoday maintains an actively implemented Patch Management Policy that governs how critical patches are identified, prioritized, tested, and applied across all systems and applications, with defined deployment timelines and full audit logging.
Xoxoday enforces a structured Patch Management Policy that ensures every critical update — from operating system patches to middleware and third-party libraries — is identified, assessed, and applied in a controlled, auditable manner.

Patch Identification and Risk-Based Prioritization

Xoxoday’s security team continuously monitors vendor security bulletins and industry threat feeds to identify newly released patches. Each patch is assigned a severity category — Critical, High, Medium, or Low — based on its CVSS score and potential business impact. This risk-based approach ensures the most urgent vulnerabilities receive immediate attention without disrupting lower-priority operational work.

Testing Before Production Deployment

Before any critical patch reaches a production environment, Xoxoday validates it in a dedicated staging environment. This testing phase checks for compatibility issues, regression risks, and service stability. Only patches that pass this validation gate are promoted to production, reducing the likelihood of service disruption for organisations running Xoxoday alongside enterprise systems such as SAP SuccessFactors, Workday, or Darwinbox.

Defined Deployment Timelines

Xoxoday applies critical patches within 7 days of identification and high-severity patches within 15 days, in line with its change control procedures. Every deployment includes a documented rollback procedure, so in the rare event of an unexpected failure, recovery is swift and well-coordinated. This structured timeline gives security and procurement teams confidence that known vulnerabilities are closed before they can be exploited.

Automation and Audit Logging

Where technically feasible, Xoxoday automates patch deployment to reduce manual error and accelerate response times. All patch actions — deployments, exceptions, and rollbacks — are logged to support audit trails and compliance reporting. Any deviation from standard patching timelines must be formally documented and approved through an exception management process, ensuring full accountability.

Alignment with ISO 27001 and SOC 2 Type II

Xoxoday’s Patch Management Policy is a component of its broader Information Security Management System (ISMS), which supports compliance with ISO 27001 and SOC 2 Type II. For organisations in regulated industries such as financial services or healthcare, this alignment means Xoxoday’s patching practices meet the same control standards that internal auditors and regulators expect. Audit reports and certification documentation are available to customers upon request as part of the vendor due diligence process.
