Xoxoday secures all inbound traffic through five layered firewall tiers, from a Cloudflare WAF at the public edge to private-network-isolated databases, so no external request ever reaches application logic or stored data directly.
Xoxoday’s network security architecture follows a defense-in-depth model, layering multiple independent controls so that a breach at any single tier does not expose the systems behind it. Every public request passes through five distinct security boundaries before it can interact with application logic or stored data.

Tier 1 — Cloudflare WAF (public edge)

The outermost layer is a Cloudflare-based Web Application Firewall that inspects all inbound HTTP/HTTPS traffic, blocks known attack signatures, and enforces rate limits to prevent DDoS-style floods. Rate limiters are configured to detect and drop repeated requests from specific IP addresses before they can saturate downstream resources. Only traffic that passes Cloudflare’s inspection moves further into the stack.

Tier 2 — Load balancers and API gateway

Immediately behind Cloudflare sit the load balancers and API gateway. These components are configured to accept connections exclusively from Cloudflare’s published IP ranges. Any direct request originating from an IP outside those ranges is dropped at this layer, eliminating an entire class of perimeter-bypass attempts.

Tier 3 — Web servers (Kubernetes, private network)

Web traffic is then routed to containerized web servers running inside a private Kubernetes network with no public internet exposure. Their isolation means that even if an attacker somehow navigated past Cloudflare and the API gateway, the web servers present no directly addressable public surface.

Tier 4 — Application servers and microservices (Kubernetes, private network)

Business logic runs in a separate layer of Kubernetes containers, also isolated on the private network. This separation ensures that the web tier and the application tier each carry minimal privileges relative to one another, limiting lateral movement if one component is compromised.

Tier 5 — Database (private network)

Databases sit entirely within the private network and accept connections only from authorised application-tier services. No database port is exposed to the public internet or to the web tier directly.

This layered isolation supports Xoxoday’s compliance posture under ISO 27001 and SOC 2 Type II, both of which require demonstrable network segmentation and access controls.

Xoxoday augments these perimeter layers with AWS GuardDuty, a continuous threat-detection service that monitors VPC flow logs, DNS queries, and CloudTrail events across all AWS accounts. GuardDuty surfaces anomalous behaviour—such as unusual API calls or communication with known malicious IPs—giving the security team real-time visibility without relying solely on static firewall rules.

For enterprise customers integrating Xoxoday with HR platforms like Workday or SAP SuccessFactors, all API traffic between those systems and Xoxoday passes through the same Cloudflare-gated entry point, ensuring consistent policy enforcement regardless of the integration method in use.

Learn more: Xoxoday Help Centre — Technology
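The Tier 2 control above (accept connections only from Cloudflare's published IP ranges) can be audited by checking that every ingress source on the load balancer is contained in one of those ranges. The following is an added example, not Xoxoday's own code: the rule format, rule IDs and function names are hypothetical, and the embedded range list is a small subset that a real audit would replace with the current lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```python
import ipaddress

# Subset of Cloudflare's published ranges, embedded so the example runs
# offline. Assumption: production use loads the current published lists.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
    "172.64.0.0/13", "2606:4700::/32", "2400:cb00::/32",
)]

# Constructed ingress rules for a hypothetical load-balancer listener.
SAMPLE_RULES = [
    {"id": "rule-1", "port": 443, "source": "104.16.0.0/13"},      # exact range
    {"id": "rule-2", "port": 443, "source": "172.64.8.0/24"},      # inside a range
    {"id": "rule-3", "port": 443, "source": "0.0.0.0/0"},          # open to everyone
    {"id": "rule-4", "port": 443, "source": "104.0.0.0/8"},        # wider than the range
    {"id": "rule-5", "port": 443, "source": "2606:4700:10::/48"},  # IPv6, inside a range
    {"id": "rule-6", "port": 443, "source": "203.0.113.7/32"},     # direct-to-origin host
]


def is_within_allowlist(cidr, allowlist=CLOUDFLARE_RANGES):
    """True only if the whole CIDR is contained in one allowlisted range."""
    net = ipaddress.ip_network(cidr, strict=False)
    # subnet_of() raises TypeError across IP versions, so compare versions first.
    return any(
        net.version == allowed.version and net.subnet_of(allowed)
        for allowed in allowlist
    )


def audit_ingress(rules, allowlist=CLOUDFLARE_RANGES):
    """Return the IDs of rules that would admit non-Cloudflare sources."""
    return [r["id"] for r in rules if not is_within_allowlist(r["source"], allowlist)]


if __name__ == "__main__":
    for rule_id in audit_ingress(SAMPLE_RULES):
        print(f"{rule_id}: source is not fully inside a Cloudflare range")
```

A rule such as `104.0.0.0/8` is flagged even though it overlaps a Cloudflare range, because containment rather than overlap is what keeps non-Cloudflare addresses out.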

How does Xoxoday encrypt data at rest and in transit?

Details on AES-256 encryption at rest and TLS 1.2+ in transit across all Xoxoday services and integrations.

What compliance certifications does Xoxoday hold?

Xoxoday’s current ISO 27001, SOC 2 Type II, and GDPR compliance status and audit scope.

Where is Xoxoday data hosted and stored?

Xoxoday’s data residency options, AWS region selection, and tenant data isolation model.

How does Xoxoday handle access control and authentication?

Role-based access control, SSO support, and MFA enforcement across the Xoxoday platform.