Xoxoday has completed a SOC 2 Type II audit under the SSAE 18 standard, covering the period from November 9, 2023 to November 8, 2024, with the assessment evaluating both the design and operational effectiveness of controls against the applicable Trust Services Criteria.
SOC 2 Type II is the recognised standard for cloud-based service providers handling sensitive customer data. Unlike SOC 2 Type I—which evaluates control design at a single point in time—Type II assesses whether those controls operate effectively over an extended period. For enterprise procurement, security, and IT teams, a SOC 2 Type II report is one of the clearest signals that a vendor maintains consistent, auditable data protection practices.
Xoxoday has completed a SOC 2 Type II audit conducted under the SSAE 18 standard. The assessment spans November 9, 2023 to November 8, 2024 and evaluates Xoxoday’s controls against the Trust Services Criteria defined by the American Institute of Certified Public Accountants (AICPA). The report examines controls across the Security, Availability, and Confidentiality categories—covering logical access, incident response, change management, and continuous system monitoring throughout the full audit window, not just at a single snapshot in time.
What the audit covers
The SOC 2 Type II assessment examines how Xoxoday manages and protects data on behalf of its customers across the entire audit period. Auditors test logical access controls, privilege management, system monitoring, and incident response procedures to confirm they function consistently—not just that they are documented.
For organisations integrating Xoxoday with enterprise HR systems such as Workday, SAP SuccessFactors, or Darwinbox, the report provides assurance that employee data flowing between platforms is handled in a controlled, auditable environment. When Xoxoday is connected to communication tools like Slack or Microsoft Teams for reward and recognition notifications, the same controls govern how data is accessed and processed across those integrated workflows.
How this supports vendor due diligence
Many enterprise procurement and information security teams require SOC 2 Type II as a baseline vendor qualification. It reduces the scope of bespoke security questionnaires and gives compliance officers a standardised, auditor-validated framework to reference during risk assessments. Xoxoday’s report aligns with the controls that InfoSec, legal, and risk functions routinely evaluate when qualifying SaaS vendors.
Xoxoday also holds ISO 27001 certification, which complements the SOC 2 Type II report by providing a structured framework for information security management. Together, these two certifications offer a comprehensive view of Xoxoday’s security posture for enterprise requirements across US-based and international regulatory contexts.
Requesting the report
The SOC 2 Type II report is available to qualified prospects and existing enterprise customers. Contact your Xoxoday account representative to request access. The report is shared under a standard mutual non-disclosure agreement and is typically made available within a few business days of a signed NDA.
Learn more: Xoxoday Help Centre — Technical requirement