Xoxoday encrypts all personal data in transit using TLS 1.2 and at rest using AES-256, and enforces multi-factor authentication, SSO, and role-based access controls across all staff and admin systems.
Encryption and Data Protection
Xoxoday encrypts personal data in transit using TLS 1.2 and at rest using AES-256 — the same standard applied by leading financial institutions. Database-level encryption ensures that stored records remain protected even if underlying infrastructure were ever accessed without authorisation. Data exchanged over SFTP can be further secured using PGP encryption, giving your organisation end-to-end protection across every data transfer channel.Cloud and Network Security
Xoxoday runs on AWS and Azure infrastructure, applying each provider’s cloud security best practices across all environments. Network protection includes multi-layer firewalls, a Web Application Firewall (WAF), and Data Loss Prevention (DLP) integration to detect and block anomalous data movement. Audit trail logging captures all administrative activity, providing a complete record for compliance reviews and incident investigations.Access Control and Authentication
Staff access to personal data is restricted on a least-privilege basis and protected by Single Sign-On (SSO) and two-factor authentication (2FA). Xoxoday enforces strong password policies and rotating verification codes for all staff, eliminating reliance on static credentials. Organisations integrating Xoxoday with HRIS platforms such as Workday, SAP SuccessFactors, or Darwinbox can authenticate through SSO and restrict API access to approved IP ranges — adding a precise perimeter control at the integration layer.Physical Security
AWS data centres hosting Xoxoday’s servers operate with 24/7 on-site security personnel, biometric access controls, and advanced surveillance systems. Physical access to server hardware is limited exclusively to authorised AWS infrastructure staff. No Xoxoday personnel hold or require physical server access at any point.Information Security Policy
Xoxoday maintains a formal information security policy covering data protection and encryption, password and access control, virus and malware protection, audit logging and monitoring, and vulnerability and incident response management. This policy is aligned with SOC 2 Type II requirements, giving your organisation independently validated assurance of Xoxoday’s security posture. All personally identifiable information is stored in encrypted cloud storage on AWS, accessible only by authorised personnel with a documented business need. For organisations running Xoxoday alongside communication tools such as Slack or Microsoft Teams, data exchanged through those integrations follows the same TLS 1.2 transit encryption standard — ensuring no data is exposed in transit regardless of the channel used. Learn more: Xoxoday Help Centre — SecurityData Privacy and Compliance
Learn how Xoxoday handles GDPR, data residency requirements, and privacy regulations across regions.
Single Sign-On and Authentication
Understand how Xoxoday supports SSO, 2FA, and IP whitelisting to secure user and admin access.