Xoxoday uses only FIPS 140-2 validated cryptographic modules across all encryption and key management operations, with no custom or non-conforming modules in production use.

FIPS 140-2 Cryptographic Compliance

Xoxoday’s cryptographic architecture conforms to Federal Information Processing Standards (FIPS) Publication 140-2. All cryptographic operations — including encryption at rest, encryption in transit, TLS termination, and key management — are performed exclusively through AWS Key Management Service (KMS) and AWS Certificate Manager (ACM). Both services rely on FIPS 140-2 validated cryptographic libraries, ensuring Xoxoday meets the standards required by U.S. federal agencies and regulated enterprise environments.

Encryption in Transit

For data in transit, Xoxoday enforces TLS 1.2 or higher across all communications, covering API calls, webhook transmissions, and user-facing integrations including Slack and Microsoft Teams. This protects data exchanged between Xoxoday and connected HR platforms against interception and tampering during transmission.

Encryption at Rest

For data at rest, Xoxoday applies AES-256 encryption to all stored records. This covers reward catalogues, employee recognition data, points balances, and personally identifiable information processed through integrations with systems such as Workday, SAP SuccessFactors, and Darwinbox. AES-256 is a FIPS 140-2 approved symmetric cipher and the recognised benchmark for enterprise-grade data protection.

No Custom or Proprietary Cryptographic Modules

Xoxoday does not implement custom or proprietary cryptographic algorithms. Every cryptographic function is delegated to AWS-managed services or vetted third-party libraries that carry formal FIPS 140-2 validation. This eliminates the implementation risks that arise when organisations build cryptographic controls outside established, audited frameworks.

No Non-Conforming Modules in Production

There are no known non-conforming cryptographic modules in production use within Xoxoday. Every module in active use either holds direct FIPS 140-2 validation or is consumed through a FIPS-compliant cloud service. For organisations running information security audits under SOC 2 Type II or ISO 27001 frameworks, Xoxoday’s cryptographic posture aligns with the encryption control requirements of both standards.

Requesting Formal Attestation

If your organisation requires formal documentation — such as a cryptographic inventory, third-party attestation report, or evidence of FIPS-compliant configurations — Xoxoday can provide these materials upon request. This is particularly relevant for enterprises in regulated industries such as financial services, healthcare, or government contracting, where cryptographic compliance evidence is a prerequisite for vendor approval. Learn more: Xoxoday Help Centre — Data, Policy & Privacy
