Xoxoday formally notifies organisations at least 30 days before any major infrastructure, security, or data-handling change that could affect their security posture, with expedited notification issued as soon as practicable in urgent situations.
What Triggers a Notification
Not every platform update warrants a formal security notification, but Xoxoday maintains a defined threshold for changes that do. Categories of change that trigger advance communication include infrastructure or hosting environment modifications, the introduction of new sub-processors, significant updates to security controls or protocols, and platform architecture changes that affect data handling or access permissions. As a practical example, if Xoxoday migrates a workload to a new cloud region or updates the data integration pipeline connecting to Workday or SAP SuccessFactors, your organisation receives formal written communication ahead of the transition. This gives your IT, legal, and compliance teams time to review the change against internal policies before it takes effect.Standard Notice Period
The default notice period is at least 30 days before any material change is implemented. This window is intentional. It gives enterprise security teams adequate time to assess the change, update internal risk registers, review any impact on existing controls, and raise questions with Xoxoday before go-live. For organisations operating under ISO 27001 or SOC 2 Type II frameworks, this period supports the evidence-gathering requirements that accompany those audits.Urgent and Emergency Changes
Where urgent action is unavoidable — such as applying a critical security patch or responding to an active security incident — Xoxoday notifies your organisation as soon as practicable rather than waiting for the standard 30-day window. These expedited notifications include a clear rationale for the urgency and a documented impact assessment, so your team understands what changed, why, and what action, if any, is required on your side.Contractual Basis
Xoxoday’s notification obligations are codified in the Master Services Agreement (MSA) and the Data Processing Agreement (DPA). The DPA specifically addresses sub-processor changes in line with GDPR and equivalent data protection standards, ensuring that your organisation’s compliance posture is maintained regardless of the underlying infrastructure change. These documents form the binding framework through which all major change communications are governed. Xoxoday’s account team coordinates notifications through the communication channels agreed during onboarding — whether that is email, a ticketing integration, or alerts routed through Slack or Microsoft Teams — so the right stakeholders receive timely, actionable information every time. Learn more: Xoxoday Help Centre — SecurityHow does Xoxoday manage sub-processor changes?
Learn how Xoxoday discloses third-party sub-processors and notifies organisations of changes under the DPA.
What does Xoxoday's incident response process look like?
Understand how Xoxoday detects, escalates, and communicates security incidents to affected organisations.