Xoxoday conducts annual external penetration testing through an accredited third-party security firm, makes full VAPT reports available under NDA, patches critical vulnerabilities in weekly cycles, and protects against OWASP Top 10 risks using Cloudflare WAF, AWS GuardDuty, MFA, and SSL/TLS encryption.

Penetration Testing at Xoxoday

Xoxoday subjects its rewards, incentives, and payout platform to rigorous annual penetration testing performed by an independent, accredited third-party security firm. This external VAPT (Vulnerability Assessment and Penetration Testing) process evaluates the full application and infrastructure surface for exploitable weaknesses. The scope covers the same environment that enterprise customers use to run employee recognition programs, incentive disbursements, and payout workflows. Customers requiring evidence of testing for compliance reviews — such as those aligning with ISO 27001 or SOC 2 Type II frameworks — can request the detailed VAPT report after signing a Non-Disclosure Agreement (NDA). Xoxoday also permits customers to run their own penetration tests against the platform, subject to prior coordination and approval from Xoxoday’s security team.

How Xoxoday Identifies and Patches Vulnerabilities

Vulnerability identification at Xoxoday runs continuously, not just annually. Xoxoday combines its external VAPT cycle with automated vulnerability scans and real-time monitoring across both application and infrastructure layers. This layered detection approach ensures that emerging threats are caught and triaged before they can be exploited.

Patching follows a structured, time-bound process. Critical vulnerabilities are addressed in weekly patch releases, keeping exposure windows short. Larger structural or feature-level remediations are delivered through monthly sprint cycles, ensuring fixes are properly tested and validated before deployment.

OWASP Top 10 Controls

Xoxoday applies a defense-in-depth strategy aligned with the OWASP Top 10, addressing risks including injection flaws, broken authentication, sensitive data exposure, and security misconfiguration. Controls are active at every layer of the stack. All personal and transactional data is encrypted in transit using SSL/TLS (HTTPS). Access to Xoxoday is governed by strict IP whitelisting, Single Sign-On (SSO), and Multi-Factor Authentication (MFA) — controls that directly counter unauthorized access scenarios common in enterprise environments where Xoxoday integrates with HRIS platforms such as Workday, SAP SuccessFactors, or Darwinbox.

At the network and edge layer, Xoxoday uses Cloudflare’s Web Application Firewall (WAF) to filter and block malicious traffic before it reaches application logic. AWS GuardDuty provides continuous Intrusion Detection and Prevention (IDS/IPS) across Xoxoday’s cloud infrastructure, offering behavioral threat analysis at scale. Together, these controls give enterprise IT and security teams the assurance they need when deploying Xoxoday to handle sensitive employee data and high-volume financial payouts.

Learn more: Xoxoday Help Centre — Vulnerabilities & Exploits