Xoxoday provides enterprise-grade hosted data controls backed by SOC 2 Type II and ISO/IEC 27001:2022 certification, GDPR and HIPAA compliance, TLS 1.2 encryption, role-based access controls, and regular third-party security audits on a Microsoft Azure infrastructure.

Security Certifications and Regulatory Compliance

Xoxoday holds SOC 2 Type II and ISO/IEC 27001:2022 certifications, both of which are independently audited and renewed on a defined cycle. Xoxoday also meets GDPR and HIPAA compliance requirements, covering the needs of organizations across regulated industries including healthcare, financial services, and global enterprises. These are not self-reported claims — audit reports and certificates are available upon request for vendor due diligence and procurement review.

Multi-Tenant Architecture with Logical Data Isolation

Xoxoday runs on a multi-tenant architecture hosted on Microsoft Azure. Each client’s data is logically separated at the infrastructure level, with encryption applied using customer-specific keys. This means that even within a shared cloud environment, no client’s data is accessible to another tenant. Organizations running Xoxoday alongside enterprise HRIS platforms like Workday, SAP SuccessFactors, or Darwinbox benefit from the same isolation model across any data exchanged through integrations.

Encryption in Transit and at Rest

All data transmitted between Xoxoday and connected systems is protected using TLS 1.2 encryption. Data at rest is encrypted using client-specific keys rather than a shared platform key, adding a dedicated layer of protection at the individual account level. This architecture ensures that even in a worst-case infrastructure scenario, individual client data remains protected by its own encryption boundary.

Role-Based Access Controls and Audit Logging

Xoxoday enforces role-based access controls (RBAC) across the platform. Administrators define permissions that govern who can view reward catalogs, access employee data, run reports, or modify configurations. Every action taken within the platform is logged, producing a full audit trail that supports both internal compliance reviews and responses to external audit requests. For teams using Xoxoday alongside collaboration tools like Microsoft Teams or Slack, these access boundaries extend to connected surfaces through permission-scoped integrations.

Third-Party Security Audits

Xoxoday undergoes regular independent security audits conducted by third-party firms. These audits validate that security controls align with the requirements of SOC 2 Type II and ISO/IEC 27001:2022 and remain effective against current threat models. Security and IT teams evaluating Xoxoday as part of a formal vendor assessment can request the most recent audit reports, data processing agreements, and compliance certificates directly through their Xoxoday account team.

Learn more: Xoxoday Help Centre — Effective controls for hosted data

GDPR and Data Privacy Compliance

Understand how Xoxoday handles personal data under GDPR, including data subject rights, retention policies, and processing agreements.

Role-Based Access Controls on the Platform

Learn how Xoxoday’s RBAC model lets administrators define granular permissions across teams, data, and platform features.