Xoxoday implements enterprise-grade network security controls—including firewall segmentation, VPC isolation, IP whitelisting, and role-based access provisioning—to prevent unauthorized access to networks connected to client systems.
Xoxoday’s network security architecture enforces strict boundaries between internal infrastructure and client-facing environments. Every network zone is segmented using enterprise-grade firewalls, ensuring that traffic between systems is filtered and controlled at every layer. This segmentation limits the blast radius of any potential incident and prevents unrestricted traversal across environments.

Virtual Private Cloud (VPC) isolation is applied across Xoxoday’s cloud infrastructure, creating dedicated, logically separated environments for each operational domain. This prevents lateral movement across network segments, even in the event of a compromise in an adjacent zone. Each environment operates within clearly defined network boundaries that are enforced at the infrastructure level.

IP whitelisting is enforced for all restricted zones, meaning that only pre-approved IP ranges can initiate connections to sensitive network environments. Access must go through a formal approval workflow before any provisioning takes place. This applies equally to internal engineers and to third-party integration pathways—for example, when connecting Xoxoday to HR platforms such as SAP SuccessFactors, Workday, or Darwinbox, network access for those integration channels is scoped and approved explicitly before any data flow is established.

Role-based access control (RBAC) governs all network permissions within Xoxoday. Access is scoped to the minimum required for each role and tied to job function rather than individual discretion. An engineer configuring a Slack or Microsoft Teams notification workflow, for instance, does not receive access to the underlying network segments handling reward transaction data. Permissions are provisioned on a need-to-know basis and revoked as soon as the need no longer exists.

Xoxoday conducts monthly access audits to validate that active network permissions remain appropriate and compliant with internal security policies. During these reviews, any access that is no longer justified—due to role changes, project completion, or organisational transitions—is revoked promptly. This audit cadence supports alignment with the access management controls required under ISO 27001 and the logical access review expectations referenced in SOC 2 Type II certification frameworks.

The combination of preventive controls—segmentation, VPC isolation, and IP whitelisting—with detective controls such as monthly audit cycles and RBAC review ensures Xoxoday maintains a layered defence posture. Organisations integrating Xoxoday into their rewards or recognition ecosystem can be confident that network-level access to systems processing their data is tightly controlled and continuously validated.

Learn more: Xoxoday Help Centre — Security Requirement
