Xoxoday operates in a secure multi-tenant environment where each customer’s data is logically and physically segregated using client-specific encryption keys and role-based access controls, ensuring no cross-tenant data exposure.
Multi-Tenant Architecture with Strong Data Isolation
Xoxoday runs on a secure multi-tenant infrastructure, meaning multiple customers share the same underlying platform while their data remains completely separate. This approach delivers enterprise-grade scalability without compromising the confidentiality or integrity of any individual customer’s data. Dedicated single-tenant environments are not required because Xoxoday’s architecture enforces isolation at both the logical and physical layers.
Logical and Physical Segregation
Each customer’s data is stored with a unique, client-specific encryption key. Even within shared infrastructure, the data belonging to your organisation is cryptographically distinct from every other tenant. Logical separation is enforced through strict access control policies, ensuring that no user, query, or process can traverse tenant boundaries. At the physical layer, Xoxoday partitions storage and database resources so that your data is never co-mingled with another customer’s records. This dual-layer approach, combining logical and physical controls, meets the requirements of ISO 27001 and SOC 2 Type II, the same standards that govern enterprise SaaS security globally.
Encryption at Rest and in Transit
All data stored within Xoxoday’s environment is encrypted at rest using AES-256 encryption tied to per-tenant keys. Data in transit between Xoxoday and integrated systems, including HRIS platforms such as Workday, SAP SuccessFactors, and Darwinbox, is protected using TLS 1.2 or higher. Reward data, employee records, and redemption histories remain confidential from ingestion through display.
Role-Based Access and Authentication
Xoxoday enforces role-based access control (RBAC) across all tenant environments. Administrators within your organisation are assigned permissions scoped strictly to your tenant and cannot view or modify data belonging to any other customer. Strict authentication protocols, including SSO and multi-factor authentication (MFA), reinforce these logical boundaries at every session. For example, when an HR team integrates Xoxoday with Microsoft Teams or Slack to distribute recognition awards, access tokens and session data are bound to the specific tenant context. No reward transaction or employee record from your organisation is ever visible to another Xoxoday customer.
Continuous Compliance Validation
Xoxoday’s multi-tenant controls are validated through regular third-party audits aligned with ISO 27001 and SOC 2 Type II standards. These certifications provide independent assurance that logical and physical separation mechanisms are operating as designed and that controls are consistently enforced across all customer environments.
Learn more: Xoxoday Help Centre - Data, Policy & Privacy
How does Xoxoday encrypt customer data?
Learn how Xoxoday applies AES-256 encryption at rest and TLS in transit to protect all customer data across its platform.
What access controls does Xoxoday enforce?
Understand how Xoxoday’s role-based access control and authentication protocols restrict data access to authorised users only.