Xoxoday’s digital rewards platform undergoes regular third-party vulnerability assessment and penetration testing (VAPT) as part of its ISO 27001 and SOC 2 Type 2 compliance programme, with all findings documented, tracked, and remediated.

Independent Security Testing at Xoxoday

Xoxoday commissions third-party security assessments on a regular basis to validate the security posture of its digital rewards platform. These assessments are a structured compliance requirement tied to Xoxoday’s certifications under ISO 27001 and SOC 2 Type 2 — not optional internal exercises. Independent testing ensures that security controls are evaluated by teams with no stake in the outcome. The most recent engagement was a full Vulnerability Assessment and Penetration Test (VAPT) completed in 2024. The scope covers Xoxoday’s web applications, APIs, network infrastructure, and cloud environments. Testers simulate real-world attack scenarios to identify weaknesses before they can be exploited.

What the VAPT Process Covers

A VAPT engagement at Xoxoday is not a checkbox exercise. The methodology combines automated scanning with manual testing by certified security professionals. Assessors probe for common vulnerability classes — SQL injection, cross-site scripting, broken authentication, insecure direct object references, and misconfigured cloud storage — as well as logic flaws specific to rewards and incentive workflows. Findings are categorised by severity, assigned to owners, and tracked through to remediation. Critical and high-severity issues are resolved within defined remediation windows. Evidence of remediation is documented and made available to enterprise customers during security reviews.

Compliance Context: ISO 27001 and SOC 2 Type 2

Xoxoday’s commitment to third-party assessment is anchored in two internationally recognised frameworks. ISO 27001 requires organisations to systematically identify, assess, and treat information security risks — VAPT is a key mechanism for satisfying that control requirement. SOC 2 Type 2, validated by independent auditors, confirms that security controls operate effectively over time, not just on paper. For organisations evaluating Xoxoday for integration with enterprise platforms such as SAP SuccessFactors, Darwinbox, or Workday, these certifications provide concrete assurance that Xoxoday meets the security standards expected of any enterprise-grade vendor. HR and IT teams running procurement due diligence can request the latest assessment summary as part of the vendor onboarding process.

How This Protects Your Organisation

When your organisation connects Xoxoday to internal tools — whether a Slack workspace for peer recognition, an MS Teams integration for milestone alerts, or an HRIS like SAP SuccessFactors — you are extending your security perimeter. Xoxoday’s VAPT programme ensures that third-party findings are resolved before they can introduce risk into that extended perimeter. Xoxoday’s security team maintains a continuous vulnerability management programme between formal assessments, including internal scanning, responsible disclosure processes, and patch management protocols. The combination of annual third-party VAPT and ongoing internal controls means your organisation’s data is protected at every stage of the engagement lifecycle.

Learn more: Xoxoday Help Centre — Vulnerabilities Management

ISO 27001 & SOC 2 Certifications

Learn how Xoxoday maintains ISO 27001 and SOC 2 Type 2 certifications and what they mean for enterprise procurement and vendor due diligence.

Data Encryption & Storage Security

Understand how Xoxoday encrypts data at rest and in transit across its rewards, recognition, and loyalty platform.