Xoxoday provides application and system vulnerability scan results — including third-party Vulnerability Assessment and Penetration Testing (VAPT) reports — to enterprise clients and institutions upon request, with the most recent assessment completed in September 2024.

Xoxoday’s Commitment to Vulnerability Transparency

Security transparency is a foundational requirement for enterprise procurement. When your organisation evaluates a rewards and incentives platform, access to real vulnerability scan data — not just policy statements — is what separates credible vendors from those relying on self-attestation. Xoxoday takes that distinction seriously. Xoxoday’s digital rewards and incentives platform undergoes periodic third-party vulnerability assessments conducted by independent security firms. These assessments evaluate both application-layer and infrastructure-level vulnerabilities, ensuring coverage across the full technology stack rather than surface-level scanning.

What the VAPT Process Covers

The most recent Vulnerability Assessment and Penetration Testing (VAPT) engagement ran from August 13 to September 12, 2024. The scope included web application penetration testing, API security analysis, and system-level vulnerability scanning across Xoxoday’s production environment. The assessment follows a structured methodology — identifying, classifying, and prioritising vulnerabilities by severity — and is paired with a remediation cycle that documents how each finding is resolved. Xoxoday’s internal security team tracks remediation status against agreed timelines, and findings are not considered closed until verified through re-testing.

Sharing Results with Your Institution

Enterprise clients and institutional procurement teams can request the VAPT executive summary and detailed findings report directly through Xoxoday’s security disclosure process. The report includes vulnerability classifications, severity ratings, remediation status, and timelines — giving your IT, InfoSec, or compliance team the evidence needed to complete due diligence. This is particularly relevant for organisations integrating Xoxoday with HR systems such as Workday, SAP SuccessFactors, or Darwinbox, where data flows between platforms and institutional risk assessments require vendor security validation at both the application and infrastructure level. Similarly, teams using Xoxoday alongside communication tools like Slack or Microsoft Teams may need to demonstrate third-party vendor assurance to their internal security committees.

Alignment with Security Frameworks

Xoxoday’s vulnerability management programme is designed to align with the requirements of ISO 27001 and SOC 2 Type II, both of which mandate systematic identification, tracking, and remediation of security vulnerabilities. The VAPT cycle supports Xoxoday’s continuous compliance posture and feeds into the evidence base for annual certification audits. Sharing VAPT results with clients is part of Xoxoday’s broader security assurance programme, which also includes data encryption standards, access control policies, and incident response procedures — all made available to enterprise clients through structured security review engagements.

To request the latest VAPT report for your organisation’s due diligence or vendor risk assessment process, contact Xoxoday’s security team through your account representative or the official security enquiry channel.

Learn more: Xoxoday Help Centre — Vulnerabilities Management

Penetration Testing Scope & Methodology

Understand how Xoxoday structures third-party penetration testing engagements, including scope, frequency, and the firms involved.

Data Encryption & Infrastructure Security

Learn how Xoxoday encrypts data at rest and in transit across its rewards and incentives infrastructure.