Xoxoday maintains a formal Information Security Policy and a documented Cybersecurity Incident Response Plan (CIRT) that covers the full lifecycle of a security event — from identification and assessment through containment, resolution, and post-incident learning.
Xoxoday’s Approach to Data Security Governance
Security governance at Xoxoday is built on two foundational documents: the Information Security Policy and the Security Incident Reporting and Response Procedure. Together, these define how Xoxoday prevents, detects, and responds to information security events across its entire platform, including Plum, Empuls, and Compass. The Information Security Policy establishes the principles and controls that govern how data is handled, accessed, and protected across Xoxoday’s infrastructure. It aligns with internationally recognised frameworks, including ISO 27001 and SOC 2 Type II, ensuring that security practices are not ad hoc but systematically managed and independently verified.

What the Cybersecurity Incident Response Plan Covers
The Security Incident Reporting and Response Procedure is Xoxoday’s operational playbook for handling any suspected or confirmed security incident. It defines clear steps across five stages:

Identification — Security events are detected through monitoring systems, internal reports, or third-party notifications. Any anomaly that could indicate a breach or unauthorised access triggers the formal incident workflow.

Assessment — Once an event is identified, it is evaluated for severity, scope, and potential impact on data integrity, availability, and confidentiality. This triage step determines whether the event escalates to a formal incident.

Recording — Every security event, regardless of outcome, is logged in a centralised incident register. This creates an auditable trail that supports compliance reporting under frameworks such as SOC 2 Type II and satisfies requirements from enterprise IT teams integrating Xoxoday with systems like Workday or SAP SuccessFactors.

Response — The response team executes containment and remediation steps according to the incident’s classification. Communication protocols are activated, including notifications to affected stakeholders where contractually or legally required.

Learning — After resolution, Xoxoday conducts a post-incident review. Findings feed back into policy updates, control improvements, and staff training, closing the loop so each incident strengthens the overall security posture.

Why This Matters for Enterprise Procurement
Procurement and IT security teams at enterprise organisations frequently require documented evidence of a vendor’s incident response capability before onboarding. Xoxoday’s formal CIRT documentation is available to prospective and current enterprise customers as part of the security review process. For organisations running HR and engagement workflows through platforms such as Darwinbox or Microsoft Teams, this provides assurance that the data flowing through Xoxoday integrations is governed by a tested and auditable response framework.

Learn more: Xoxoday Help Centre — Data & Policy

Related questions

Is Xoxoday SOC 2 Type II certified?
Learn about Xoxoday’s SOC 2 Type II audit scope, controls tested, and how to request the report.

How does Xoxoday handle data encryption at rest and in transit?
Understand the encryption standards Xoxoday applies to stored and transmitted data across all products.