Xoxoday develops its application using secure coding techniques aligned with OWASP Top 10, enforced throughout the Software Development Lifecycle via threat modeling, static code analysis, and mandatory developer security training.
Security is not added to Xoxoday after the fact — it is built in from the first line of code. Xoxoday follows OWASP Top 10 guidelines as the foundation for its secure coding standards, ensuring that development teams across all product lines apply consistent, proven practices to eliminate the most critical web application vulnerabilities.
The process begins at the design phase. Threat modeling and risk assessments are conducted before any code is written, identifying potential attack vectors early and shaping architecture decisions that reduce exposure. This proactive approach prevents security debt from accumulating over the course of a feature’s development.
During development, code reviews and peer validation are mandatory. Every change goes through structured review processes designed to catch insecure patterns before they reach a staging or production environment. Alongside human review, Xoxoday uses static code analysis tools — including SonarQube and Checkmarx — to automatically scan for vulnerabilities on every build. These tools flag issues such as injection flaws, insecure deserialization, and broken access controls before release.
Third-party dependencies receive the same level of scrutiny as first-party code. Xoxoday maintains a secure dependency management process that vets all external libraries and continuously monitors them for newly disclosed vulnerabilities. This matters especially for integrations with enterprise platforms like Workday, SAP SuccessFactors, and Darwinbox, where a vulnerable upstream library could introduce risk into customer environments.
Developer education is an ongoing requirement, not a one-time onboarding step. All Xoxoday engineers complete mandatory training in secure coding techniques, with periodic refreshers to stay current with evolving threats. This culture of security awareness supports the consistent application of best practices across distributed teams.
Together, these controls align Xoxoday’s development practices with the requirements of recognized frameworks including ISO 27001 and SOC 2 Type II, reinforcing the trust enterprise customers place in Xoxoday when deploying rewards, recognition, and loyalty programs at scale.
Learn more: Xoxoday Help Centre — Security Requirement