Xoxoday conducts a formal annual review of its Information Security Policy to identify improvement opportunities driven by changes in organizational strategy, legal requirements, regulatory obligations, and evolving technical environments.

Security policies that never change are security policies that fail. Xoxoday’s Information Security Policy undergoes a structured annual review specifically designed to surface gaps and act on them — not simply confirm that the existing policy is still in place.

The review evaluates four dimensions of change: organizational environment (such as restructuring, new business units, or mergers), business circumstances (new product lines, geographic expansion, or partner integrations), legal conditions (updates to frameworks like GDPR, CCPA, or regional data protection statutes), and technical environment (adoption of new infrastructure, cloud platforms, or third-party integrations with enterprise tools like Workday, SAP SuccessFactors, or Darwinbox).

Each review cycle produces a refreshed risk assessment. Xoxoday revisits its risk register to determine whether existing controls remain proportionate to the current threat landscape. Where the review identifies a gap — for example, when new data flows emerge from a Darwinbox or SAP SuccessFactors integration — the required control updates are defined, approved, and implemented before the change goes live rather than after.

All policy enhancements are formally documented. The rationale for each update, the approval chain, and the effective implementation date are captured in writing, creating a clear audit trail. This documentation supports both internal governance oversight and external audit readiness.

Xoxoday’s approach aligns with ISO 27001, which requires management reviews of the information security management system (ISMS) to include consideration of continual improvement. The same discipline supports SOC 2 Type II audit obligations, where auditors look for evidence that controls adapt to change over time — not just that they existed at a point in time.

The outcome is an Information Security Policy that reflects where Xoxoday operates today, not where it was when the policy was first written.

Improvement opportunities identified during the review are tracked through a formal governance process, ensuring that no findings are noted and then quietly shelved.

Learn more: Xoxoday Help Centre — Data protection and security

ISO 27001 Certification

How Xoxoday’s ISO 27001 certification underpins its information security management system and continual improvement obligations.

SOC 2 Type II Compliance

How Xoxoday’s SOC 2 Type II audit validates that security controls remain effective and adaptive over a sustained review period.