Xoxoday operates as a catalog-based rewards system where end-users do not create, modify, or delete data records within the platform, so a conventional maker-checker approval workflow is not applicable to these operations.
A maker-checker workflow is a dual-control mechanism where one user initiates a data action — creation, modification, or deletion — and a second authorized user must review and approve it before the change takes effect. This model is standard in financial systems and transactional platforms where high-risk data mutations are frequent and reversibility is limited.
Xoxoday’s gift card and rewards platform is architected on a fundamentally different model. Rather than prompting users to input, edit, or remove structured records, Xoxoday presents a curated catalog of reward options — gift cards, experiences, and merchandise — that employees or recipients browse and select from. Because end-users interact with a pre-defined catalog, there is no cycle of user-driven data creation or deletion that would warrant a second-level approval gate.
This design is intentional. Xoxoday manages the reward catalog centrally, ensuring that available options reflect current, verified inventory. Administrators configure reward programs and budgets at the organisational level through role-based controls, not per-transaction approvals. This keeps governance where it belongs — at the program configuration layer — while keeping the redemption experience seamless for recipients.
For operations that do carry elevated sensitivity, Xoxoday enforces security at the API and platform layers. Secure APIs govern how redemption events are triggered, authenticated, and recorded. Platform-level access restrictions ensure that only authorised roles can configure reward programs, adjust budgets, or view transaction summaries. When Xoxoday is integrated with an HRMS such as SAP SuccessFactors, Workday, or Darwinbox, employee data flows through encrypted, authenticated API connections. No raw employee records are editable within Xoxoday’s interface itself, removing the surface area where a maker-checker control would ordinarily apply.
Xoxoday’s security posture is independently validated through SOC 2 Type II certification and ISO 27001 accreditation. These audits confirm that access controls, data handling procedures, and operational processes meet rigorous international standards — giving your organisation documented assurance that integrity is maintained without relying on a transaction-level approval model.
If your organisation’s internal governance policy still requires dual-control processes for reward program administration, Xoxoday supports role-based access control (RBAC) at the program configuration level. Distinct permission tiers can be assigned to administrators and finance approvers, ensuring that budget allocation or program launches follow an internal review process aligned to your compliance framework.