Xoxoday enforces a structured change management process that requires formal authorization, documented impact analysis, staging environment testing, and validation before any change is promoted to production.
Change Management at Xoxoday
Every software or infrastructure change at Xoxoday passes through a defined lifecycle before it reaches production. This lifecycle is not advisory — it is mandatory, audited, and aligned with the controls required under frameworks such as ISO 27001 and SOC 2 Type II. The process applies to all change types: planned feature releases, security patches, configuration updates, and integrations with third-party platforms such as Workday, SAP SuccessFactors, or Darwinbox.Impact Analysis
Before any change is approved, a documented impact assessment is completed. This assessment covers technical feasibility, business continuity, security implications, and the potential effect on existing services and integrations. If a change touches an active integration — such as a reward workflow connected to Microsoft Teams or Slack notifications — downstream dependencies are explicitly identified and evaluated. This step ensures that teams and stakeholders understand the full scope of a change before a single line of code is promoted.Authorization via the Change Advisory Board
All changes follow a formal Request for Change (RFC) process. Each RFC must receive approval from the Change Advisory Board (CAB) before proceeding. The CAB review validates that the proposed change is technically sound, risk-assessed, and aligned with operational and security policies. Emergency changes, such as critical security patches, may go through an expedited approval path — but documentation and CAB sign-off are still required. No change bypasses the authorization gate.Testing in a Staging Environment
Approved changes are deployed to a controlled staging environment that mirrors the configuration and data state of production. Functional testing and regression testing are both performed at this stage to verify that the change behaves as expected and does not introduce instability in existing functionality. For example, a change affecting the redemption workflow for gift cards or experiences is tested end-to-end in staging, including edge cases, before any promotion to live systems.Controlled Production Deployment
Only authorized IT personnel hold access to implement approved changes in the production environment. Deployments are scheduled during low-impact windows where possible, and each deployment follows a predefined rollback procedure. If a deployment does not meet post-deployment validation criteria, the rollback plan is executed immediately. Full traceability is maintained throughout — every change is linked to its RFC, approval record, test results, and deployment log. This end-to-end process means your organization’s data, integrations, and reward programs are protected from untested or unauthorized changes at every stage.Learn more: Xoxoday Help Centre — Technical requirement
How does Xoxoday manage access to production systems?
Learn how Xoxoday restricts and monitors privileged access to production environments through role-based controls and audit logging.
Does Xoxoday conduct vulnerability assessments and penetration testing?
Understand how Xoxoday identifies and remediates security vulnerabilities through regular assessments and third-party penetration tests.