Xoxoday stores and manages all cryptographic keys using AWS Key Management Service (KMS) and AWS Secrets Manager, enforcing strict least-privilege access controls so that key material is never exposed to unauthorized parties.
Encryption key management is a foundational layer of Xoxoday’s data security architecture. Rather than co-locating keys with application data or relying on software-only stores, Xoxoday centralizes key management through dedicated AWS services built specifically for this responsibility.

AWS Key Management Service

Xoxoday uses AWS Key Management Service (KMS) to generate, store, rotate, and audit all cryptographic keys. AWS KMS operates on hardware security modules (HSMs) validated under FIPS 140-2, ensuring that key material never leaves protected hardware in plaintext. Every key operation — whether encrypting a rewards payload, protecting a recognition record, or sealing an API response — is logged to an immutable audit trail. This gives Xoxoday a complete, verifiable chain of custody for every cryptographic event.

AWS Secrets Manager

Alongside AWS KMS, Xoxoday uses AWS Secrets Manager to govern the lifecycle of operational secrets: API credentials, database passwords, and integration tokens. Secrets Manager automates credential rotation on a configurable schedule, eliminating the risk posed by long-lived static credentials. For organizations running integrations with Workday, SAP SuccessFactors, or Darwinbox, this means the connection credentials Xoxoday holds are rotated automatically — without causing service interruption on either side.

Strict Access Controls

Access to encryption keys follows a least-privilege model. Only a small set of authorized personnel with defined operational accountability for the production environment are permitted to interact with key material. This access is enforced through AWS Identity and Access Management (IAM) policies, and every access event is captured in an audit log. No developer, support representative, or third-party vendor can retrieve or use encryption keys without explicit role-based authorization.
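As an added illustration of the least-privilege principle described above (example code written for this page, not Xoxoday's own tooling or key policies), the following Python lint flags over-broad Allow statements in an AWS KMS key policy; the two policies and the account ID 123456789012 are constructed samples, and the statement shapes follow the standard KMS key-policy JSON format.

```python
"""Least-privilege lint for an AWS KMS key policy (added example, constructed data)."""
import json
import re

# Actions that use the key on the data path; these should normally be scoped
# by a Condition such as kms:ViaService or kms:EncryptionContext.
KEY_USE = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:GenerateDataKey*",
           "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*", "kms:ReEncryptFrom",
           "kms:ReEncryptTo"}
# The account root is the conventional holder of kms:* (it delegates to IAM policies).
ROOT_ARN = re.compile(r"^arn:aws:iam::\d{12}:root$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ("*", {"AWS": ...}, {"Service": ...}) into a list."""
    p = stmt.get("Principal", [])
    return [x for v in p.values() for x in _as_list(v)] if isinstance(p, dict) else _as_list(p)


def lint_key_policy(policy):
    """Return (Sid, reason) pairs for Allow statements that break least privilege."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement-{i}")
        actions = set(_as_list(stmt.get("Action", [])))
        principals = _principals(stmt)
        conditioned = bool(stmt.get("Condition"))
        if "*" in principals and not conditioned:
            findings.append((sid, "wildcard principal"))
        if "kms:*" in actions and not all(ROOT_ARN.match(p) for p in principals):
            findings.append((sid, "kms:* granted beyond the account root"))
        if actions & KEY_USE and not conditioned:
            findings.append((sid, "key use not scoped by a Condition (e.g. kms:ViaService)"))
    return findings


# Constructed sample: anyone may decrypt, and an application role holds full kms:*.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AnyoneCanDecrypt", "Effect": "Allow", "Principal": "*",
   "Action": "kms:Decrypt", "Resource": "*"},
  {"Sid": "AppRoleFullAccess", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
   "Action": "kms:*", "Resource": "*"}]}""")
# Constructed sample: root keeps administrative control, the app role may only use the
# key through S3 in one region.
STRICT_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*"},
  {"Sid": "AppRoleUseViaS3", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
   "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*",
   "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}}}]}""")

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, lint_key_policy(pol))
```

Running the block prints three findings for the weak policy and none for the strict one; the same rules can be applied to policies fetched with `aws kms get-key-policy` as part of a periodic access review.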

Compliance Alignment

This key management architecture directly supports Xoxoday’s certifications under SOC 2 Type II and ISO 27001. Both frameworks require demonstrable controls around cryptographic key management — including separation of duties, rotation schedules, and access logging — all of which are enforced natively by AWS KMS and Secrets Manager within Xoxoday’s environment. For your organization, this means that employee rewards data, recognition records, and sensitive configuration flowing through Xoxoday remain cryptographically protected at every stage, with a verifiable record of who accessed what and when.

Learn more: Xoxoday Help Centre — Data Security (Confidentiality, Integrity)
