Xoxoday assigns every client a unique encryption key managed through a Key Management Service (KMS), with access to those keys restricted to authorized personnel and subject to continuous audit trails.
Per-Client Encryption Key Architecture
Xoxoday operates a structured key management program that provisions a distinct encryption key for each client account. This ensures that data belonging to one organization is cryptographically isolated from every other tenant on the platform. Keys are stored and lifecycle-managed through a KMS, which handles generation, rotation, and secure storage without exposing raw key material to application layers.
What Data Xoxoday Encrypts
Xoxoday encrypts three primary categories of sensitive data using client-specific keys: API credentials used for third-party integrations, personally identifiable information (PII) such as employee names, email addresses, and tax identifiers, and user-generated content stored within the platform. When a business connects Xoxoday to an HRIS system like Workday, SAP SuccessFactors, or Darwinbox, the API keys and OAuth tokens exchanged during that integration are stored in encrypted format and never held in plaintext.
Access Controls and Audit Logging
Access to encryption keys is governed by strict role-based controls. Only authorized personnel with a documented operational need can retrieve or interact with key material, and every access event is captured in an immutable audit log. This model directly satisfies the access control requirements under ISO 27001 Annex A and is independently reviewed as part of Xoxoday’s SOC 2 Type II certification cycle.
Why This Matters in Enterprise Deployments
For enterprise IT and HR teams deploying Xoxoday across a global workforce, per-client key isolation means a security event affecting one tenant environment cannot expose another. If your organization runs recognition workflows through Slack or Microsoft Teams alongside Xoxoday, the webhook credentials and integration tokens tied to those connections are stored under your organization’s dedicated encryption key, not a shared credential store. This boundary is enforced at the infrastructure level, not just at the application layer.
Key Rotation and Compliance Readiness
Xoxoday’s KMS configuration supports scheduled key rotation, refreshing encryption keys on a defined cycle without interrupting active integrations or stored records. This capability is audited during Xoxoday’s SOC 2 Type II reviews and aligns with the cryptographic key management controls specified in ISO 27001. Compliance and security teams can request evidence of key rotation policies as part of vendor due diligence assessments.
Learn more: Xoxoday Help Centre — Data
Compliance Certifications
Understand the ISO 27001 and SOC 2 Type II certifications Xoxoday maintains and what they mean for your security posture.
Role-Based Access Controls
Learn how Xoxoday enforces least-privilege access across admin roles, integration accounts, and end users.
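The per-client key isolation and the rotation that leaves stored records readable, both described in the sections above, can be illustrated as follows. This is an added example, not Xoxoday's code: `TenantKeyring` and the tenant names are hypothetical, the keyring is an in-memory stand-in for a KMS, and HMAC-SHA256 in counter mode stands in for an AEAD cipher such as AES-GCM so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

class TenantKeyring:
    """In-memory stand-in for a KMS: one versioned key set per tenant (hypothetical)."""
    def __init__(self):
        self._keys = {}  # tenant_id -> {version: 32-byte root key}

    def rotate(self, tenant_id):
        """Create the tenant's first key or add a new version; returns the version."""
        versions = self._keys.setdefault(tenant_id, {})
        version = len(versions) + 1
        versions[version] = os.urandom(32)
        return version

    def _subkeys(self, tenant_id, version):
        root = self._keys[tenant_id][version]  # KeyError for an unknown tenant/version
        enc = hmac.new(root, b"enc", hashlib.sha256).digest()
        mac = hmac.new(root, b"mac", hashlib.sha256).digest()
        return enc, mac

    @staticmethod
    def _xor_stream(key, nonce, data):
        # HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD (assumption)
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def encrypt(self, tenant_id, plaintext):
        version = max(self._keys[tenant_id])  # new writes always use the newest version
        enc, mac = self._subkeys(tenant_id, version)
        nonce = os.urandom(16)
        ct = self._xor_stream(enc, nonce, plaintext)
        header = f"{tenant_id}:{version}".encode()  # binds tenant and version to the tag
        tag = hmac.new(mac, header + nonce + ct, hashlib.sha256).digest()
        return {"tenant": tenant_id, "version": version, "nonce": nonce, "ct": ct, "tag": tag}

    def decrypt(self, tenant_id, record):
        # The caller's tenant selects the key, so another tenant's record fails the tag check
        enc, mac = self._subkeys(tenant_id, record["version"])
        header = f"{tenant_id}:{record['version']}".encode()
        expected = hmac.new(mac, header + record["nonce"] + record["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, record["tag"]):
            raise ValueError("authentication failed: wrong tenant key or tampered record")
        return self._xor_stream(enc, record["nonce"], record["ct"])
```

Because each record carries its key version, a rotation only changes which key new writes use; records written under version 1 still decrypt after version 2 exists, until they are re-encrypted or the old version is retired.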