Xoxoday maintains a cloud-native AWS infrastructure secured with TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access controls, and 24x7x365 security operations, backed by ISO 27001, SOC 2 Type II, and GDPR compliance certifications.
Xoxoday’s infrastructure runs entirely on Amazon Web Services (AWS), inheriting enterprise-grade physical security, network segmentation, and multi-availability-zone redundancy. This cloud-native foundation means your organisation’s data benefits from AWS’s globally recognised security controls without requiring any on-premises configuration or custom network provisioning.

Every byte of data moving through Xoxoday is encrypted. Data in transit is protected using TLS 1.2 or higher, and data at rest — across storage volumes, databases, and backups — is encrypted with AES-256. This applies uniformly to reward catalogues, recipient records, and redemption histories processed through Xoxoday’s rewards and recognition workflows.

Xoxoday enforces Role-Based Access Control (RBAC), mandatory multi-factor authentication (MFA), and least-privilege principles across all internal systems. Access provisioning is managed through a centralised Identity and Access Management (IAM) framework, ensuring only authorised personnel can interact with sensitive systems or customer data. Integrations with enterprise HRIS platforms such as Workday, SAP SuccessFactors, and Darwinbox operate under the same access governance policies.

Xoxoday operates a secure Software Development Life Cycle (SDLC) that embeds security at every stage of product engineering. Automated static and dynamic application security testing, dependency scanning, and CI/CD pipeline checks ensure vulnerabilities are identified and remediated before code reaches production. This reduces the attack surface for applications your workforce uses daily, including Slack and Microsoft Teams integrations.

Regular internal vulnerability assessments, automated scanning, and a structured patch management process form Xoxoday’s continuous vulnerability management programme. A documented incident response plan — tested regularly — governs how security events are detected, contained, and resolved. Dedicated security personnel operate 24x7x365 to monitor threats and coordinate response activities.

Xoxoday holds ISO 27001, SOC 2 Type II, and GDPR compliance certifications, with practices aligned to NIST cybersecurity frameworks. These certifications are independently audited and represent a formal, verifiable commitment to protecting the confidentiality, integrity, and availability of customer data. For organisations conducting formal RFP or security assessment processes, Xoxoday provides relevant audit reports and compliance documentation on request.

Learn more: Xoxoday Help Centre — Data, policy and privacy

How does Xoxoday handle GDPR compliance?

Understand how Xoxoday meets GDPR obligations, including data subject rights, lawful processing bases, and cross-border data transfer safeguards.

How does Xoxoday manage data access and permissions?

Learn how Xoxoday’s RBAC framework, MFA enforcement, and least-privilege IAM policies control who can access what across your organisation’s instance.