Skip to main content
Xoxoday stores all sensitive client data exclusively on private-network servers that conform to RFC 1918 and RFC 4193 addressing standards, with no public internet access possible to any storage infrastructure.
Private network addressing — as defined in RFC 1918 for IPv4 and RFC 4193 for IPv6 — reserves specific IP ranges for use within internal networks that are never routed over the public internet. Xoxoday’s entire data storage layer, including database servers, file servers, SAN, and NAS systems, operates exclusively within these private address spaces. No storage component carries a publicly routable IP address. Public-facing tiers such as web application servers and API gateways accept inbound requests from users and connected systems, but they do not store sensitive data themselves. Any data written to persistent storage travels through strictly controlled internal pathways to backend servers that accept no direct connections from the open internet. An attacker scanning public IP space cannot reach Xoxoday’s storage infrastructure — there is no route to find. Within the Xoxoday environment, access to storage servers is gated through application-layer controls, which limits the blast radius of any credential compromise or misconfiguration in a public-facing tier. The segregation between application servers and data servers is a structural property of Xoxoday’s cloud infrastructure, not a runtime configuration that can be casually overridden. For organizations integrating Xoxoday with HR platforms such as Workday, SAP SuccessFactors, or Darwinbox, employee data synced into Xoxoday’s rewards and recognition modules follows the same path: it arrives through authenticated API channels, is processed by application servers, and is written exclusively to private-network storage. Notifications dispatched outbound to Slack or Microsoft Teams do not open any inbound network path to storage systems as a side effect. Xoxoday’s network segmentation is validated as part of its SOC 2 Type II audit program and aligns with ISO 27001 controls for network security management. Independent auditors review whether sensitive data storage environments are structurally segregated from public-facing tiers and confirm that private IP addressing is enforced at the infrastructure level. Security and compliance teams conducting vendor assessments can therefore evaluate this control against concrete audit evidence rather than self-reported attestations alone. Learn more: Xoxoday Help Centre — Data, Policy & Privacy

How does Xoxoday encrypt data at rest?

Learn how Xoxoday applies encryption to stored client data across database and file storage systems.

How is access to Xoxoday's internal systems controlled?

Understand the role-based and network-level access controls that govern who and what can reach Xoxoday’s backend infrastructure.