Xoxoday does not use traditional webforms; all user interactions, surveys, feedback, and recognition workflows are handled exclusively through authenticated built-in modules governed by strict access controls and data protection standards.
How Xoxoday handles data capture
Xoxoday takes a fundamentally different approach to data collection compared to tools that rely on open or embedded webforms. Every interaction — whether submitting a recognition nomination, responding to a pulse survey, or collecting redemption preferences — takes place inside the secured Xoxoday application environment. Users must be authenticated before they can access or submit any data. This design is intentional. Open webforms introduce a range of security and compliance risks: they can be accessed without authentication, are prone to spam submissions, and create uncontrolled data flows that are difficult to audit. Xoxoday eliminates these risks by keeping all data capture within governed workflows.Built-in modules replace standalone forms
Xoxoday provides purpose-built modules for every major data collection scenario an organisation typically encounters in rewards, recognition, and loyalty programs. Feedback and sentiment collection are handled through the Surveys module, which supports multi-question formats, conditional logic, and anonymous responses — all within the authenticated session. Recognition workflows, including peer nominations and manager approvals, are managed through the Recognition module without any reliance on external form tools. Redemption flows capture user preferences, addresses, and tax information directly within the Rewards module under the same access controls. For organisations using HR platforms such as Workday, SAP SuccessFactors, or Darwinbox, these modules operate in sync with existing employee records via API integrations, removing the need to collect data redundantly through separate forms.Security and compliance by design
Because all interactions occur within the secured application, Xoxoday can apply consistent governance across every data touchpoint. Role-based access controls determine who can initiate, view, and respond to any workflow. All data in transit and at rest is encrypted, and the platform is certified under ISO 27001 and SOC 2 Type II, meaning these controls are independently audited. For IT and security teams, this architecture simplifies compliance reviews significantly. There is no sprawl of form endpoints to audit, no third-party form vendor data-sharing agreements to manage, and no risk of sensitive employee data landing outside the governed system boundary. Employees accessing Xoxoday through workplace integrations such as Slack or Microsoft Teams interact through the same authenticated session context, so the no-webforms policy extends consistently across all entry points.What this means for administrators
For HR and IT administrators, the absence of webforms means all configuration, data collection rules, and response data are managed from a single location inside the Xoxoday admin console. Audit logs, export controls, and data retention policies apply uniformly. There is no need to reconcile data from external form submissions with records inside the platform. Learn more: Xoxoday Help Centre — WebformsData Security & Compliance
Learn how Xoxoday protects employee data through ISO 27001, SOC 2 Type II certification, encryption, and role-based access controls.
Authentication & Access Controls
Explore how Xoxoday enforces authenticated access via SSO, SAML, and SCIM integrations with your existing identity provider.