Xoxoday permits clients to inspect the security controls and arrangements protecting their data upon request, subject to mutual agreement and applicable confidentiality clauses, backed by SOC 2 Type II reports, ISO 27001 certification, and comprehensive security documentation.
Client Security Inspection Rights
Xoxoday recognises that transparency is foundational to trust, especially when your organisation’s employee and business data is involved. Clients are permitted to request inspections of the security arrangements Xoxoday maintains to protect that data. These inspections are conducted under mutual agreement and are subject to the confidentiality provisions outlined in your contract.What an Inspection Covers
During a security inspection, your organisation can review the controls, policies, and practices that Xoxoday applies to protect data at rest and in transit. This includes access control mechanisms, encryption standards, incident response procedures, and third-party audit findings. Xoxoday supports inspections with a structured set of artefacts. SOC 2 Type II reports, produced by independent auditors, document how Xoxoday’s controls perform over an extended observation period — not just a point-in-time assessment. ISO 27001 certification further demonstrates that Xoxoday’s information security management system meets internationally recognised standards for data protection.Documentation Available for Review
Rather than requiring a full on-site audit for every inquiry, Xoxoday provides detailed security documentation that your security or compliance team can review as part of the inspection process. This includes data flow diagrams, access management policies, vulnerability management procedures, and subprocessor agreements. For organisations operating integrated environments — such as those connecting Xoxoday to Workday, SAP SuccessFactors, or Darwinbox — the inspection covers the integration layer as well, addressing how data is transmitted, processed, and stored when Xoxoday interacts with your HR or payroll systems. Teams using Slack or Microsoft Teams for recognition workflows can similarly request documentation on how those integration points are secured.Coordinating an Inspection
To initiate a security inspection, your organisation’s security or IT lead contacts Xoxoday’s security team directly through your account engagement channel. Xoxoday coordinates a structured review session, shares the relevant documentation package, and addresses specific control questions raised by your team. Any findings or queries raised during the inspection are handled under a Non-Disclosure Agreement or the confidentiality terms already in place within your master services agreement. Xoxoday conducts each review independently and confidentially — no client’s inspection findings are shared with another organisation. This process ensures that your security team maintains due diligence over third-party risk without operational friction, while Xoxoday preserves the integrity of its security environment. Learn more: Xoxoday Help Centre — Security RequirementSOC 2 Type II Compliance
Understand how Xoxoday’s SOC 2 Type II audit validates its security, availability, and confidentiality controls over an extended period.
ISO 27001 Certification
Learn how Xoxoday’s ISO 27001-certified information security management system protects your organisation’s data end to end.