Skip to main content
Xoxoday maintains a formally documented Systems Development Life Cycle (SDLC) that governs the design, development, testing, and deployment of all product updates and new features across its rewards and gift card platform.
Xoxoday follows a well-defined SDLC that applies to every change made to its platform — from minor patches to major capability releases. The process covers all phases: requirements gathering, design review, implementation, testing, and controlled production deployment. Documentation is available upon request to support enterprise security due diligence, audit cycles, and compliance reviews. Security embedded from requirements through release Xoxoday’s SDLC enforces security review before code is written, not after. Threat modeling and security requirements are evaluated at the design phase, ensuring controls are built in rather than retrofitted. This approach is consistent with secure-by-design principles recognized under ISO 27001 and SOC 2 Type II frameworks — both of which Xoxoday’s development practices are aligned with. Code does not advance to testing without passing peer review and static analysis checks. This gate applies equally to core platform changes and to integration layers connecting Xoxoday with enterprise systems such as Workday, SAP SuccessFactors, and Darwinbox, where data flow accuracy and API integrity are business-critical. Isolated environments and structured testing Xoxoday maintains strict separation between development, staging, and production environments. No untested code reaches live systems. Before any release, Xoxoday runs functional testing, regression suites, and security-focused review cycles. For features that touch communication integrations — such as reward notifications delivered through Slack or Microsoft Teams recognition feeds — end-to-end validation across those channels is completed before deployment. This ensures that enterprise workflows depending on those integrations are not disrupted by platform changes. Change management and deployment approvals Each deployment follows a documented change management process with defined authorization levels. Routine releases, scheduled updates, and emergency patches each follow distinct procedures. Post-deployment monitoring confirms expected behavior and flags any regressions before they affect end users. Audit and compliance support For organizations conducting security assessments — whether for ISO 27001 certification, SOC 2 Type II audits, or internal IT governance reviews — Xoxoday’s SDLC documentation is available upon request. IT security leads, procurement teams, and compliance officers can request this documentation directly through Xoxoday’s security team to satisfy vendor review requirements. This structured, documented approach to software development gives enterprise customers the confidence that Xoxoday operates predictably, ships securely, and can be evaluated transparently against industry standards. Learn more: Xoxoday Help Centre — Technical requirement

Does Xoxoday have a change management process?

Learn how Xoxoday controls, approves, and documents changes to its platform before they reach production.

Does Xoxoday conduct penetration testing?

Understand how Xoxoday uses regular third-party penetration tests to validate platform security and identify vulnerabilities.