Xoxoday governs all administrative rights across workstations, servers, and network equipment using Role-Based Access Control (RBAC), with monthly access reviews and a formal approval process required for any privilege escalation.
Administrative access to the infrastructure powering the Xoxoday digital rewards platform is governed through Role-Based Access Control (RBAC). Every account — from network engineers to database administrators — is assigned the minimum level of access required to perform its designated function. No standing administrative privileges exist beyond what is formally authorized and documented.

Access reviews occur on a monthly cadence across all production systems, covering servers, workstations, and network equipment that support client environments. Each review confirms that only current, active personnel with a verified business need retain administrative rights. Accounts that no longer meet this threshold are revoked without delay.

When elevated privileges are required — for example, a DevOps engineer needing temporary elevated access to investigate a production incident — Xoxoday enforces a formal approval workflow. The request must be authorized by a designated approver before access is granted, and every action taken under elevated privileges is logged for audit purposes. This approach reflects the least-privilege principle and directly supports Xoxoday’s compliance posture under ISO 27001 and SOC 2 Type II.

For enterprise clients whose environments include HR and IT platforms such as Workday, SAP SuccessFactors, or Darwinbox, Xoxoday applies the same administrative access governance to any integration-layer infrastructure. Service accounts used for API-level connections are scoped to the minimum permissions required and are included in the same monthly review cycles as human user accounts. This ensures that access sprawl cannot accumulate quietly through automated integration pathways.

All access governance activities are defined and enforced under Xoxoday’s Information Security Policy. This policy sets out approval workflows, escalation paths, and audit log retention requirements — giving IT, compliance, and procurement teams a consistent, auditable framework to evaluate when assessing Xoxoday as a vendor.

For organizations running formal vendor security assessments or RFP processes, Xoxoday can provide supporting documentation including access control matrices and evidence of completed review cycles. These artifacts are available through the standard vendor due diligence request process.

Learn more: Xoxoday Help Centre — Security Requirement

How Xoxoday Implements Role-Based Access Control

Learn how Xoxoday uses RBAC to scope permissions across user roles, service accounts, and integration layers throughout its platform infrastructure.

Xoxoday ISO 27001 and SOC 2 Type II Compliance

Understand the compliance certifications Xoxoday maintains and how they translate into concrete security controls for enterprise clients.