Xoxoday automatically terminates idle user sessions after a configurable inactivity timeout—typically between 15 and 30 minutes—and requires re-authentication before access is restored.
Inactivity Timeout
When a user stops interacting with Xoxoday, the platform begins tracking idle time. After the inactivity threshold is reached—set between 15 and 30 minutes depending on your organisation’s configuration—Xoxoday automatically logs the user out. The user is then redirected to the login screen and must re-authenticate before continuing. This is particularly relevant in shared-device or open-office environments, where an unattended browser session could expose sensitive reward or recognition data to unintended parties.
Time-Bound Session Expiry
Beyond inactivity, all Xoxoday sessions are token-based and carry a maximum lifetime. Even if a user remains active, the session is invalidated after a defined duration—typically 8 or 12 hours—and the user is prompted to re-authenticate. This maximum session window is configurable at the backend level. This dual-layer approach ensures that long-running sessions do not persist indefinitely, even when a user is continuously active throughout the day.
Re-authentication and SSO Flows
After an automatic logout, Xoxoday prompts the user to re-enter credentials. For organisations using Single Sign-On through providers such as Okta, Azure Active Directory, or Google Workspace, Xoxoday re-initiates the SSO flow rather than falling back to a password prompt. This keeps the authentication experience consistent with your organisation’s identity governance policies. For example, an HR team using Xoxoday alongside Workday or SAP SuccessFactors can expect that session expiry in Xoxoday respects the same SSO session policies configured in those systems, ensuring a uniform access-control posture across tools.
Admin Configuration
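The two expiry rules and the re-authentication routing described above, as an added sketch that is not Xoxoday's code: an idle timeout and a maximum lifetime are checked on every request, and an expired session is sent to SSO or to a password prompt. The class and function names, reason strings and sample times are assumptions; the timeout values come from the ranges the page gives.

```python
# Added illustration, not Xoxoday's implementation. All names are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class TenantPolicy:
    idle_timeout: timedelta      # page: between 15 and 30 minutes
    max_lifetime: timedelta      # page: typically 8 or 12 hours
    sso_enabled: bool = False

    def __post_init__(self):
        # Reject settings that would silently disable one of the two layers.
        if self.idle_timeout <= timedelta(0) or self.max_lifetime < self.idle_timeout:
            raise ValueError("need 0 < idle_timeout <= max_lifetime")

@dataclass
class Session:
    issued_at: datetime
    last_activity: datetime

def check_session(session, policy, now):
    """Server-side check per request: returns (active, reason, reauth_method)."""
    reauth = "sso" if policy.sso_enabled else "password"
    # Absolute cap first: activity never extends a session past max_lifetime.
    if now - session.issued_at >= policy.max_lifetime:
        return (False, "max_lifetime", reauth)
    # A timestamp earlier than the last recorded activity is treated as invalid.
    if now < session.last_activity:
        return (False, "clock_error", reauth)
    if now - session.last_activity >= policy.idle_timeout:
        return (False, "idle_timeout", reauth)
    session.last_activity = now  # sliding idle window restarts on activity
    return (True, "ok", None)

def simulate(policy, request_offsets_min):
    """Replay requests at minute offsets after login; return one outcome each."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed login time
    session = Session(issued_at=t0, last_activity=t0)
    outcomes = []
    for minutes in request_offsets_min:
        active, reason, reauth = check_session(
            session, policy, t0 + timedelta(minutes=minutes))
        outcomes.append(reason if active else f"{reason}->{reauth}")
    return outcomes

if __name__ == "__main__":
    strict = TenantPolicy(timedelta(minutes=15), timedelta(hours=8), sso_enabled=True)
    print(simulate(strict, [5, 15, 40]))
```

Keeping the timestamps and the comparison on the server means a client cannot extend its own session by altering a locally stored expiry value.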
Tenant administrators can adjust session timeout values through Xoxoday’s backend configuration to align with internal security standards. Organisations operating under stricter requirements—such as those in financial services or healthcare—can set shorter inactivity windows without affecting the default experience for other tenants.
Compliance Alignment
Automatic session timeout is a recognised control under ISO 27001 (specifically Annex A, access control requirements) and is audited as part of SOC 2 Type II engagements. Xoxoday’s implementation of this control supports your organisation’s ability to demonstrate compliance during audits without requiring custom engineering work.
Learn more: Xoxoday Help Centre — Technical requirement
How does Xoxoday handle Single Sign-On authentication?
Learn how Xoxoday integrates with SSO providers like Okta, Azure AD, and Google Workspace to centralise identity and access control.
Does Xoxoday encrypt data at rest and in transit?
Understand how Xoxoday protects user and reward data using AES-256 encryption at rest and TLS 1.2+ in transit.