Xoxoday protects all data in use through TLS 1.2 encryption in transit, AES-256 encryption at rest, multi-layer firewalls, a Web Application Firewall, DLP integration, and MFA-enforced administrative access across AWS and Azure infrastructure.
Encryption in Transit
Every connection between Xoxoday and your organisation’s users or integrated systems is secured using TLS 1.2. This means data flowing through integrations with tools like Slack or Microsoft Teams cannot be intercepted or tampered with in transit. All API calls, webhooks, and dashboard sessions operate exclusively over encrypted channels.
Encryption at Rest
Data stored within Xoxoday’s infrastructure is encrypted using AES-256, the same standard adopted by financial institutions and government agencies worldwide. This applies to all stored records, including reward transactions, employee programme data, and configuration settings. Access to encryption keys is restricted to a tightly controlled group of authorised engineering leadership, reducing the risk of insider exposure.
Cloud Security Architecture
Xoxoday runs on AWS and Azure, following cloud security best practices defined by both providers. The infrastructure is protected by multi-layer firewalls and a Web Application Firewall (WAF) that screens incoming traffic for malicious requests, injection attacks, and other OWASP Top 10 threats. Network segmentation ensures that sensitive production workloads remain isolated from general application traffic.
Administrative Access Controls and Audit Logging
All administrative access to Xoxoday’s production environments requires multi-factor authentication (MFA), eliminating the risk of credential-based compromise. Every administrative action is captured in a tamper-evident audit trail, giving your security and compliance teams a complete record of access events. This logging capability directly supports evidence collection under frameworks such as ISO 27001 and SOC 2 Type II.
Data Loss Prevention
Xoxoday integrates Data Loss Prevention (DLP) controls to monitor and restrict the movement of sensitive information across the environment. DLP policies help ensure that confidential business data and personally identifiable information cannot be inadvertently exported or shared outside authorised channels. For organisations managing HR data flows through systems like SAP SuccessFactors or Darwinbox, this provides an additional layer of assurance at every integration boundary.
Taken together, these controls form a layered security posture that protects your organisation’s data throughout its entire lifecycle on Xoxoday.
Learn more: Xoxoday Help Centre — Data Security (Confidentiality, Integrity)
Access Control & Authentication
Learn how Xoxoday enforces role-based access controls, MFA, and SSO to ensure only authorised users can reach sensitive data and administrative functions.
Compliance Certifications
Explore the security and privacy certifications Xoxoday holds, including ISO 27001 and SOC 2 Type II, and what they mean for your organisation’s compliance posture.