Xoxoday’s Information Security function is led by a Chief Information Security Officer (CISO) who reports directly to the Group CTO and holds formal accountability for data protection and privacy as both Chief Data Protection Officer (CDPO) and Chief Privacy Officer (CPO).
Leadership and Accountability
Xoxoday places Information Security at the executive level. The CISO owns the overall security strategy and its implementation across every part of the organisation, reporting directly to the Group's Chief Technology Officer. This reporting line ensures that security decisions carry weight at the highest levels of leadership. The CISO also formally holds the roles of Chief Data Protection Officer (CDPO) and Chief Privacy Officer (CPO). Consolidating these responsibilities into a single role means data protection and privacy obligations, including those arising from GDPR, remain tightly integrated with the broader security programme rather than being managed in isolation.
The Five Disciplines of the Information Security Team
Beneath the CISO, a dedicated Information Security team operates across five structured areas of responsibility.

Governance and Compliance keeps Xoxoday aligned with internationally recognised standards including ISO 27001 and SOC 2 Type II. The team develops and enforces security policies, conducts regular audits, and manages compliance initiatives on a scheduled cadence. Certifications are actively maintained and renewed to reflect changes in the regulatory environment.

Risk Management covers the identification, assessment, and treatment of security risks before they escalate. Risk assessments are conducted systematically, treatment plans are implemented and tracked, and the risk landscape is monitored on an ongoing basis. This includes risks that arise from integrations with enterprise platforms such as SAP SuccessFactors, Darwinbox, or Workday, where data flows cross organisational boundaries.

Incident Response ensures Xoxoday is prepared to contain and recover from security events with minimal disruption. The team maintains live incident response plans, runs regular simulation drills, and coordinates cross-departmental responses when incidents occur. Clear escalation paths are defined so that response time stays short regardless of where an incident originates.

Security Awareness and Training builds a security-first culture across the workforce. Employees receive regular training sessions and targeted awareness campaigns that help them recognise phishing attempts, handle sensitive data correctly, and respond to threats, whether they are working inside Xoxoday's own environment or through connected tools like Slack or MS Teams.

Technical Security Operations manages the infrastructure that protects Xoxoday around the clock. This includes deploying and maintaining firewalls, intrusion detection systems, and endpoint security tools, as well as continuously monitoring for anomalous activity across the environment.
Together, these five disciplines give Xoxoday a layered, defence-in-depth security posture that addresses people, processes, and technology in equal measure.

Learn more: Xoxoday Help Centre, Security Information and Documentation Request
Xoxoday Compliance Certifications: ISO 27001 & SOC 2
Learn how Xoxoday maintains ISO 27001 and SOC 2 Type II certifications and what each standard means for your organisation’s data security requirements.
Data Protection and Privacy Policy at Xoxoday
Understand how Xoxoday manages GDPR obligations, data subject rights, and the responsibilities of the Chief Data Protection Officer.