Xoxoday allows partner institutions to perform their own vulnerability scans or penetration tests on its systems, provided testing is arranged through prior notification and a mutually agreed-upon scope, time, and date.
Vulnerability Testing by Partner Institutions
Xoxoday recognizes that security-conscious organizations need the ability to independently validate third-party environments against their own standards. To support this, Xoxoday grants partner institutions the right to conduct their own vulnerability scans and penetration tests on its environment, giving your security team direct, first-hand visibility into the platform’s security posture. This policy is directly relevant for organizations operating under frameworks such as ISO 27001 or SOC 2 Type II, where third-party risk assessments are a mandatory control. When your organization integrates Xoxoday with enterprise systems like Workday, SAP SuccessFactors, or Darwinbox, your security team may need to verify that data flows and authentication boundaries across those integrations meet internal and regulatory requirements. Independent testing directly supports that due diligence.

How the Process Works
Before any testing begins, your organization submits a formal notification to Xoxoday’s security team, outlining the intended scope, the techniques and tooling to be used, and a proposed schedule. Xoxoday reviews the request and works collaboratively with your team to agree on a testing window that avoids disruption to platform availability and does not affect other tenants sharing the environment. This coordination prevents automated scanning traffic from being misidentified as a malicious attack and ensures findings can be contextualized accurately against the agreed boundaries. Once scope and timing are confirmed, your team proceeds under those agreed parameters.

What the Assessment Can Cover
Agreed assessments typically cover application-layer controls such as authentication mechanisms, session management, API authorization, and access enforcement across Xoxoday’s rewards, recognition, and loyalty workflows. Network-level and infrastructure testing may also be included depending on your organization’s requirements, subject to mutual agreement on scope. Organizations that have embedded Xoxoday into communication workflows via Slack or Microsoft Teams integrations can request that those integration endpoints be included within the agreed testing boundary. Results from the assessment remain the property of your organization and can be used to satisfy internal audit requirements, vendor risk management questionnaires, or regulatory submissions.

Why Mutual Agreement Matters
The prior-notification requirement protects both parties. It ensures your security team receives accurate, unobstructed results not affected by defensive countermeasures triggered by unannounced scanning. It also protects platform performance for all Xoxoday customers during the test window. This structured, collaborative approach aligns with how enterprise-grade vendors operate under shared security responsibility models, and reflects Xoxoday’s commitment to transparent, verifiable security compliance.

Learn more: Xoxoday Help Centre — Vulnerabilities Management