Xoxoday conducts annual independent security assessments — including penetration testing, vulnerability scans, and compliance audits — with all findings formally tracked and remediated as part of its continuous security improvement programme.
Annual Independent Security Assessments
Xoxoday engages qualified third-party security professionals to conduct independent assessments of its full platform infrastructure on an annual basis. These assessments span vulnerability scanning, penetration testing, and compliance audits, each designed to surface risks that internal reviews alone may not catch. The annual cadence ensures Xoxoday’s security posture is measured against current threat models and evolving attack techniques.
Change-Driven Assessment Triggers
Annual reviews are not the only trigger for security assessments at Xoxoday. Whenever significant system changes are introduced — such as expanding integrations with enterprise HRMS platforms like Workday, SAP SuccessFactors, or Darwinbox — Xoxoday initiates targeted evaluations before and after the change is deployed. This practice is embedded in Xoxoday’s Change Management and Vulnerability Management policies, ensuring that no major update goes live without appropriate security validation.
Alignment with ISO 27001 and SOC 2 Type II
Xoxoday’s assessment programme is scoped to satisfy the requirements of internationally recognised security frameworks, including ISO 27001 and SOC 2 Type II. SOC 2 Type II audits are particularly rigorous because they evaluate whether Xoxoday’s security controls have operated effectively over a sustained review period — not simply whether controls exist on paper at a single point in time. This gives enterprise customers independently verified assurance rather than self-reported claims.
Findings Tracking and Remediation
Every finding from a penetration test or audit enters a structured remediation workflow. Xoxoday classifies vulnerabilities by severity, assigns ownership, sets remediation timelines, and verifies closure before a finding is marked resolved. This process ensures that assessments drive genuine security improvement rather than producing reports that sit unactioned. Organisations using Xoxoday to power rewards and recognition workflows — including those running integrations with Slack or Microsoft Teams — can request relevant attestations and assessment summaries as part of their vendor security due diligence process.
Learn more: Xoxoday Help Centre — Security Requirement
How does Xoxoday protect data at rest and in transit?
Learn about Xoxoday’s encryption standards for data stored on its infrastructure and transmitted across integrations.
What compliance certifications does Xoxoday hold?
Review Xoxoday’s current certifications, including ISO 27001 and SOC 2 Type II, and how to request audit documentation.