Xoxoday maintains a documented Vendor Management Policy and a structured approval process for every third-party software component — including open-source libraries, repositories, and frameworks — to ensure supply chain security across its entire product suite.
Software Supply Chain Management at Xoxoday
Modern software is built on layers of third-party dependencies, and each one introduces potential risk. Xoxoday addresses this directly through a structured software supply chain management programme that governs how external libraries, frameworks, and repositories are evaluated, approved, and maintained throughout the development lifecycle. At the foundation of this programme is a Vendor Management Policy that defines the standards Xoxoday applies when engaging any software vendor or integrating any external component. This policy covers initial due diligence, ongoing monitoring, and the criteria for removing components that no longer meet Xoxoday’s security requirements.
Approval and Tracking of Third-Party Components
Before any third-party library or framework enters Xoxoday’s codebase, it goes through a formal review and approval process. Engineering and security teams evaluate the component’s security posture, maintenance status, known vulnerability history, and licensing terms. Only approved components are permitted in production environments. Xoxoday maintains a continuously updated inventory of all third-party dependencies across its services. This includes open-source packages used within core reward and recognition workflows, integrations with enterprise HR platforms such as Workday, SAP SuccessFactors, and Darwinbox, and connectors for productivity tools like Slack and Microsoft Teams.
Vulnerability Patching and Ongoing Maintenance
Point-in-time approval is not sufficient on its own. Xoxoday enforces a regular update cadence for all approved components so that known vulnerabilities are patched promptly. Security teams monitor advisories from upstream maintainers and authoritative vulnerability databases, triggering remediation workflows whenever a critical or high-severity issue is identified in a component Xoxoday relies upon. This practice aligns with controls mandated under ISO 27001 and Xoxoday’s SOC 2 Type II compliance programme, both of which require demonstrable governance over third-party software risk.
What This Means for Your Organisation
When your organisation connects Xoxoday to its HR systems, payroll providers, or internal communication tools, every component behind those integrations has passed through Xoxoday’s supply chain controls. Xoxoday’s approach reduces the likelihood of vulnerabilities entering the product through outdated or unvetted dependencies — protecting your data and your workforce throughout the rewards and recognition experience.
Learn more: Xoxoday Help Centre — Security Requirement
Vendor and Third-Party Risk Management
Learn how Xoxoday assesses and monitors third-party vendors to ensure they meet its security and compliance standards before integration.
Vulnerability and Patch Management
Understand how Xoxoday identifies, prioritises, and remediates security vulnerabilities across its infrastructure and software components.