Xoxoday: Employee Onboarding and Offboarding Policy - Xoxoday

Xoxoday maintains a formally documented and actively enforced employee onboarding and offboarding policy that governs identity verification, role-based access provisioning, and immediate access revocation upon an employee’s departure.

Xoxoday follows a structured employee lifecycle management process that addresses both onboarding and offboarding from a security-first perspective. Every new hire undergoes mandatory identity verification before any system access is granted, ensuring that credentials are tied to verified individuals from day one and that no access is provisioned speculatively or in advance. During onboarding, employees complete training on Xoxoday’s data security policies, acceptable use standards, and confidentiality obligations. Access rights are then provisioned through a centralized identity management system using role-based access controls (RBAC), applying the principle of least privilege — each employee receives only the permissions their role requires, nothing more. This scoping is particularly significant for teams that work with HR platforms such as Workday, SAP SuccessFactors, or Darwinbox, where employee data moves across integrated systems. Xoxoday’s RBAC model ensures that integration-level permissions are tightly bounded and reviewed as part of the formal onboarding workflow, reducing the risk of excessive access accumulating over time. When an employee exits the organization, offboarding triggers an immediate, systematic access revocation. RBAC rules are updated in real time, and credentials are invalidated across all connected environments — including collaboration tools like Slack and Microsoft Teams where Xoxoday integrations may be active. This eliminates any window for unauthorized post-employment access to sensitive platform configurations or customer data. System logs are audited as part of every offboarding event to confirm that access removal was complete and that no anomalous activity occurred around the time of separation. This audit trail directly supports Xoxoday’s compliance posture under ISO 27001 and SOC 2 Type II, both of which mandate demonstrable, repeatable controls over employee access management throughout the employment lifecycle. Xoxoday’s security and HR operations teams jointly review and update this policy on a regular cadence to reflect organizational changes, evolving threat landscapes, and shifts in regulatory requirements. This joint ownership ensures the policy is both operationally current and consistently applied across all business units and geographies. For enterprise customers evaluating Xoxoday’s security posture, these controls provide assurance that access governance within Xoxoday mirrors the standards they apply internally. The combination of verified onboarding, least-privilege provisioning, immediate offboarding revocation, and post-event auditing forms a closed-loop access management cycle that minimizes risk across every employee lifecycle event. Learn more: Xoxoday Help Centre — Technical requirement

How does Xoxoday implement role-based access control?

Learn how Xoxoday uses RBAC to enforce least-privilege access across teams, integrations, and customer data environments.

Is Xoxoday ISO 27001 and SOC 2 Type II certified?

Understand the compliance frameworks Xoxoday is certified under and what those certifications mean for your data security obligations.