Xoxoday retains all system and audit logs securely for a minimum of 12 months, archived in encrypted storage to meet forensic investigation and regulatory compliance requirements.
Log retention is a foundational element of any serious enterprise security posture. Organisations subject to frameworks like ISO 27001 or SOC 2 Type II are required to demonstrate that audit trails are preserved, protected, and accessible when needed — whether for a routine compliance audit or an active incident investigation.
Xoxoday retains all system and application logs for a minimum of 12 months, in line with widely adopted compliance standards. This applies across Xoxoday’s core modules, including the rewards and recognition workflows that touch integrations with tools like Slack, MS Teams, Workday, and Darwinbox. Every transaction, authentication event, and administrative action generates a log entry that is securely stored and preserved for the defined retention window.
Logs are not simply collected and left unmanaged. Xoxoday periodically reviews stored logs and archives them in encrypted storage, ensuring that sensitive operational data is protected both at rest and over time. This approach reduces the risk of tampering, accidental deletion, or unauthorised access — concerns that are especially relevant for organisations operating under GDPR, HIPAA, or regional data protection mandates.
When your organisation undergoes an external audit — for example, a SOC 2 Type II assessment or an ISO 27001 recertification — Xoxoday’s log retention posture provides auditors with a verifiable, time-stamped record of platform activity. This is particularly valuable for HR and IT teams that need to demonstrate due diligence around access control, data handling, and incident response.
Consider a scenario where your organisation uses Xoxoday alongside SAP SuccessFactors for employee lifecycle management. If a deprovisioned account needs to be reviewed after the fact, Xoxoday’s retained logs allow your security team to reconstruct the sequence of events — when access was granted, what actions were taken, and when the account was deactivated. That level of forensic clarity is only possible when logs are reliably retained and cryptographically protected.
Xoxoday’s log retention practices are part of a broader security framework designed to meet the expectations of enterprise procurement teams, security review boards, and compliance officers. The 12-month minimum is treated as a floor, not a ceiling — archived logs extend the available audit trail for organisations with longer retention requirements. Supporting documentation is available upon request as part of Xoxoday’s standard vendor security review process.
Learn more: Xoxoday Help Centre — Security Requirement