Xoxoday promptly deletes inactive or unnecessary user accounts, while retaining accounts associated with financial transactions in accordance with audit and regulatory requirements.
User lifecycle management is a foundational element of enterprise security, and Xoxoday treats it as such. When an employee leaves an organisation, changes roles, or no longer requires access, their account is deleted promptly. This minimises the attack surface and eliminates the risk of orphaned credentials being exploited after an offboarding event.
Xoxoday’s access control framework aligns with the principles outlined in ISO 27001 and the access management controls evaluated as part of SOC 2 Type II certification. Both frameworks require that user access rights be reviewed and revoked when they are no longer necessary. Xoxoday meets these requirements by treating account removal as a standard part of offboarding rather than a manual, ad-hoc process.
For organisations using HR systems such as Workday, SAP SuccessFactors, or Darwinbox, user lifecycle events — including terminations and role changes — can be synchronised with Xoxoday through supported integrations. When an employee’s status changes in the HR system of record, the corresponding Xoxoday account can be deprovisioned without manual intervention, closing the window between an access event and account removal.
Retention of financially linked accounts
Not all accounts are removed on the same timeline. Accounts associated with financial transactions — such as those involved in processing rewards, incentive disbursements, or loyalty payouts — are retained beyond the point of deactivation. This retention satisfies audit trail requirements and regulatory obligations that demand a complete, accurate record of all financial activity.
An account may no longer be active for day-to-day use, yet its transaction history remains accessible to authorised administrators for audit and review. Xoxoday ensures that retained data is protected and accessible only to personnel with the appropriate permissions — it does not remain exposed to general users or former account holders.
Consider a practical example: if a team member who received rewards through Xoxoday leaves your organisation, their login access is revoked immediately. However, the records associated with that account — detailing rewards issued, redeemed, or transferred — are preserved to support financial reconciliation, tax reporting, and any regulatory audits that may follow.
What this means for your security posture
IT and security teams can rely on a clear, consistent policy: inactive accounts are removed promptly, and financially significant records are retained only for as long as compliance demands. This approach reduces risk without compromising your organisation’s ability to present a complete audit trail when required by auditors or regulators.
Organisations operating under frameworks like SOC 2 Type II or ISO 27001 will find that Xoxoday’s account management practices directly support the access lifecycle controls these certifications require, reducing the manual audit burden on your compliance team.