Xoxoday secures all banner placement and tracking implementations through mandatory pre-deployment security reviews, compliance with GDPR, ISO 27001, and SOC 2 Type II, and fully isolated client-specific deployments that never merge into the standard product codebase.
Security in custom feature implementations is a first-class concern at Xoxoday. When your organisation requests non-core capabilities such as banner placement and tracking, Xoxoday applies the same enterprise-grade security posture used across its core rewards, recognition, and loyalty platform — not a reduced standard because the feature is peripheral.

Code Review and Vulnerability Prevention

Every custom banner implementation goes through a structured security review and testing process before it reaches any production environment. Xoxoday engineers evaluate the custom code against known vulnerability classes — including injection attacks, cross-site scripting, and insecure data handling — ensuring nothing is deployed that has not been rigorously validated. For example, if your organisation integrates Xoxoday’s reward flows within a tool like Microsoft Teams or Workday, any custom banner or tracking logic added to support that integration is independently tested to match the security baseline of the host environment. Deployment does not proceed until the review is complete.

Data Privacy Compliance Across Every Customisation

Banner tracking can inherently touch user behaviour data, and Xoxoday treats this with full regulatory seriousness. All user data processed through banner tracking mechanisms aligns with GDPR, ISO 27001, and SOC 2 Type II requirements. Data minimisation principles are applied, retention is controlled, and nothing is stored or transmitted beyond what is necessary for the feature to function. Organisations operating in regulated industries — including finance, healthcare, and multinational enterprises running platforms like SAP SuccessFactors or Darwinbox — can rely on Xoxoday’s compliance posture extending to every customisation, not just the core product. The standards do not change based on feature scope.

Isolated, Client-Specific Deployments

One of the most consequential security design decisions Xoxoday makes is keeping custom banner and tracking implementations entirely separate from the standard product codebase. Bespoke features are built and delivered exclusively for your organisation and are never merged back into Xoxoday’s shared platform. This isolation means a customisation built for one organisation creates no exposure for any other. It also means that a security change or incident in one deployment does not propagate across Xoxoday’s broader customer base. Each implementation is scoped, contained, and independently auditable.

What This Means in Practice

When your organisation requests banner placement or tracking as part of a Xoxoday deployment, you receive a feature built to your specifications, reviewed for security vulnerabilities, and delivered in an architecture designed to protect your users and their data. Xoxoday does not treat customisation as an exception to its security programme — it treats it as a controlled extension of the same standards that govern the entire platform. Custom does not mean unreviewed.

Learn more: Xoxoday Help Centre — Technical requirement

ISO 27001 and SOC 2 Type II Compliance

Understand how Xoxoday’s certifications govern data handling, access controls, and security operations across the platform and all client deployments.

Enterprise Integration Security

Learn how Xoxoday secures integrations with platforms like SAP SuccessFactors, Workday, Darwinbox, Slack, and Microsoft Teams.