Xoxoday performs authenticated vulnerability scanning — including static code analysis, dynamic application testing, and penetration testing — across all systems and applications prior to every new release, with all identified issues remediated according to severity-based timelines defined in its Threat and Vulnerability Management Procedure.
Xoxoday scans all systems and applications for vulnerabilities using authenticated user accounts as a mandatory step in every release cycle. Authenticated scanning ensures that testing reflects real-world access scenarios rather than being limited to unauthenticated, surface-level checks. This process is governed by Xoxoday’s formal Threat and Vulnerability Management Procedure, which defines standards, responsible teams, and remediation timelines across the release pipeline.
The scanning process covers three core techniques applied in sequence. Static application security testing (SAST) analyzes source code for insecure patterns before execution. Dynamic application security testing (DAST) runs tests against live application instances, simulating how an authenticated user — or a potential attacker — would interact with the system under realistic conditions. Penetration testing completes the cycle, with security professionals actively attempting to exploit identified weaknesses in a controlled environment.
When vulnerabilities are discovered, Xoxoday prioritizes remediation by severity. Critical and high-severity findings are addressed on accelerated timelines, and no release proceeds until issues above the defined threshold are fully resolved. Medium and low findings follow standard remediation windows within subsequent release cycles. This structured approach supports Xoxoday’s compliance with ISO 27001 and contributes to its SOC 2 Type II attestation.
For enterprises running Xoxoday alongside HR platforms such as Workday, SAP SuccessFactors, or Darwinbox, authenticated scanning is especially significant. These integrations route sensitive employee data and reward transactions across system boundaries. By scanning integration touchpoints, not just the core application layer, with authenticated credentials, Xoxoday validates that access controls, token handling, and data exchange remain secure with every update.
Security and engineering teams collaborate throughout development, and vulnerability scan results serve as a release gate rather than a post-deployment review. This means every version of Xoxoday that reaches a customer environment has been tested, triaged, and cleared against a defined security standard before deployment. Organizations in regulated industries — financial services, healthcare, and global enterprises with strict data governance requirements — can rely on Xoxoday’s pre-release scanning as part of their own vendor risk management programs.
Learn more: Xoxoday Help Centre — Vulnerabilities Management