Xoxoday applies SSL/TLS encryption for all data in transit, AES encryption for data at rest on AWS, two-factor authentication, role-based access controls, and mandatory staff security training to safeguard employee personally identifiable information and meet applicable data privacy regulations.

Layered Encryption Across Every Data Channel

Xoxoday secures employee data through a layered architecture that protects information at every stage — in transit, at rest, and during file-based transfers. All communication with Xoxoday is secured over HTTPS using SSL/TLS. Personally identifiable information (PII) stored within the platform is encrypted at rest inside an AES-encrypted database hosted on AWS. When your organisation transfers employee records via SFTP — for example, bulk imports originating from SAP SuccessFactors, Darwinbox, or Workday — Xoxoday encrypts those files using PGP before transmission. This ensures employee data remains protected end-to-end regardless of the transfer channel.

Access Control and Authentication

Xoxoday enforces a strict need-to-know access model for all employee data. Only authorised personnel with appropriate clearance can access PII, and every internal account is protected by strong password policies combined with two-factor authentication (2FA). Rotating verification codes add a second layer of protection for sensitive administrative operations, reducing exposure from credential-based attacks. Xoxoday also requires Non-Disclosure Agreements with all third-party vendors and service providers who handle personal data. This extends contractual data protection obligations beyond Xoxoday’s own systems to every party in the data supply chain.

Staff Training and Privacy Awareness

Xoxoday runs regular staff training on data privacy and information security. Every team member who interacts with employee data is trained on applicable frameworks — including GDPR — and on the procedures for identifying and escalating potential incidents. Security awareness is treated as a continuous programme, not a one-time onboarding exercise.

Compliance Certifications

Xoxoday holds certifications including ISO 27001 and SOC 2 Type II, providing independent third-party verification of its security controls, policies, and processes. These certifications are reviewed on a recurring basis to keep pace with evolving regulatory requirements and emerging security standards. For organisations using Slack or Microsoft Teams for employee recognition workflows alongside Xoxoday, the same encryption and access controls apply to all data exchanged through those integrations, ensuring a consistent security posture across the entire stack.

How PII Is Handled in Practice

All personally identifiable information submitted to Xoxoday is stored in encrypted cloud infrastructure on AWS. Access to PII is restricted to authorised personnel only, and all access events are logged for audit purposes. This architecture is designed to support compliance with regional and cross-border data privacy regulations, giving your organisation confidence that employee data is handled responsibly at every point in its lifecycle.

Learn more: Xoxoday Help Centre — Technical requirement
