Xoxoday has not yet completed an independent third-party security audit but is currently in active discussions with qualified external auditors to formally assess and validate the security posture of its platform.
When evaluating a SaaS vendor for enterprise deployment, IT and procurement teams rightly ask whether an independent expert has reviewed that vendor’s security controls. Third-party audits — such as SOC 2 Type II examinations or ISO 27001 assessments — provide objective, expert-led evidence that goes beyond self-attestation, giving security teams the assurance they need before approving a platform for production use.

Xoxoday is currently in active discussions with third-party security auditors to conduct a formal, independent assessment of its platform. This is a deliberate step toward providing enterprise customers with externally verified confidence in how Xoxoday handles data, manages access, and secures its infrastructure across its rewards, recognition, and loyalty products.

While that audit process moves forward, Xoxoday operates an internal security program that governs data storage, transmission, and access at the application, infrastructure, and organisational levels. Enterprise integrations — including those with HR platforms such as Workday, SAP SuccessFactors, and Darwinbox — are implemented within this governed security boundary. Sensitive employee and transactional data exchanged through these integrations is subject to access controls, encryption in transit and at rest, and role-based permission management.

For organisations that deploy Xoxoday alongside collaboration tools such as Slack or Microsoft Teams, the same internal security controls apply to data flowing through those channels. Notification payloads, reward triggers, and user identity data are scoped to least-privilege access patterns and do not expose unnecessary organisational data to third-party surfaces.

Once the independent audit is finalised, Xoxoday makes the resulting report or executive summary available to enterprise customers as part of the formal vendor due diligence process.
Procurement and IT security teams can request the current audit status, existing security documentation, and any available compliance artefacts directly through Xoxoday’s enterprise support channel. This ensures that vendor assessment questionnaires and risk review processes have the most up-to-date information rather than relying solely on publicly published snapshots.

Organisations with specific audit requirements — such as FedRAMP readiness, HIPAA alignment, or sector-specific regulatory obligations — are encouraged to discuss their frameworks directly with Xoxoday’s security team, who can clarify which controls are already in place and what the independent audit will formally cover.

Learn more: Xoxoday Help Centre — IT Requirement

Does Xoxoday conduct penetration testing?

Learn how Xoxoday tests its platform against external threats and how often vulnerability assessments are performed.

What compliance certifications does Xoxoday hold?

Understand Xoxoday’s current certification status, including progress toward ISO 27001 and SOC 2 Type II.