Xoxoday mandates security awareness training for every employee at onboarding and annually thereafter, with quarterly micro-learning modules and phishing simulations tracked through an internal Learning Management System (LMS).
Security Awareness Training at Xoxoday
Security awareness training is mandatory for all employees across Xoxoday, without exception. Every new hire completes structured security onboarding before gaining access to production systems, and all staff renew that training on an annual basis. This applies to engineering, operations, support, and every other function within the organization. The program is not a one-time checkbox. Quarterly micro-learning modules and phishing simulations run throughout the year to keep employees sharp against evolving threats. Completion rates are tracked via the internal LMS, and non-completion triggers an automatic follow-up workflow to ensure no gaps go unaddressed.

What the Training Covers
The curriculum addresses the most common vectors of security incidents in a B2B SaaS environment. Employees learn the fundamentals of information security and secure data handling, password best practices, and the correct use of multi-factor authentication. Phishing and social engineering awareness form a dedicated module, given that targeted attacks against SaaS vendors frequently begin with credential compromise. Remote work and device management are also covered, reflecting the distributed nature of modern teams. Employees learn how to handle sensitive data on managed devices, use approved VPN configurations, and report suspicious activity through Xoxoday’s incident response procedures. Privacy compliance, including obligations under GDPR, CCPA, and applicable regional regulations, is woven throughout rather than treated as a standalone topic.

Role-Specific Training for High-Risk Teams
General training covers the full employee base, but Xoxoday layers additional, role-specific modules for teams with elevated access or risk exposure. Engineering, IT, and customer support staff complete supplementary tracks aligned to their day-to-day responsibilities. For example, engineers working on integrations with tools like Slack, MS Teams, Workday, SAP SuccessFactors, or Darwinbox receive guidance specific to API security, OAuth scopes, and secure handling of third-party credentials. This tiered approach ensures that a developer with production database access is held to a materially higher standard of security literacy than the training baseline.

Alignment with ISO 27001 and SOC 2 Type II
The mandatory training program is designed to satisfy the human-factor controls required by ISO 27001 and SOC 2 Type II. Both frameworks require organizations to demonstrate that employees understand their security responsibilities and that training completion is documented and auditable. Xoxoday’s LMS-based tracking provides the evidence trail auditors look for during certification reviews. Building a culture of security rather than a culture of compliance is the underlying goal. Mandatory training creates a shared baseline, while quarterly simulations and role-specific modules sustain it across the employee lifecycle.

Learn more: Xoxoday Help Centre — Technical requirement