
System Requirements & Compatibility

Get quick answers to questions about system requirements and compatibility.

Updated over a week ago

Q: Is the solution an Internet-based application with a user-friendly GUI that is easy to deploy?

Yes. The customer retention software is web-based and features an intuitive GUI, allowing for easy deployment and minimal training. Its user-friendly design ensures quick adoption and a positive user experience, making it suitable for organizations seeking low-friction onboarding.

Q: What browser plugins or technologies are required to run the application, and what is the policy for supporting different plugin versions?

The Xoxoday employee engagement solution is completely browser-based and does not require any additional plugins or software to be installed on client systems. It is designed to work seamlessly across modern web browsers like Chrome, Firefox, Safari, and Edge. Since the platform relies on standard web technologies (HTML5, JavaScript, CSS3), no specific browser extensions or third-party tools are needed for end users to access or use the application. We also ensure backward compatibility with previous browser versions up to a defined support window, typically the last two stable versions, to maintain accessibility without compromising performance or security.

Technical Requirements

Q: Do you conform with a specific industry standard security framework (e.g., NIST Cybersecurity Framework, CIS Controls, ISO 27001)?
Yes, our organization conforms with the ISO/IEC 27001 industry standard security framework. We have implemented a comprehensive Information Security Management System (ISMS) based on the ISO/IEC 27001:2013 standard, which governs our approach to managing sensitive data, ensuring information security, and mitigating risks.

We are ISO/IEC 27001:2013 certified, demonstrating our commitment to maintaining the confidentiality, integrity, and availability of customer and internal data. The certification covers the design, development, hosting, and support of our platform and associated infrastructure.

Q: Does Xoxoday support Multi-Factor Authentication (MFA)?

Yes, we strongly recommend enabling MFA. Xoxoday keeps your account secure by requiring a second form of verification during login.

Supported Verification Methods:

  • Authenticator Apps: The most secure option. You can link your account to apps like Google Authenticator or Microsoft Authenticator to generate rotating codes.

  • Email Verification: We send a secure, one-time code to your email inbox.

  • SSO Integration: If your company uses a central login (like Okta or Azure AD), we automatically support whichever MFA method you already use there (e.g., Push notifications).

Don't get locked out: We offer backup codes so you can regain access even if you lose your phone or cannot access your email.

Q: Does your application automatically lock the session or log out an account after a period of inactivity?
Yes. To mitigate the risk of unauthorized access, the Xoxoday platform enforces strict session management protocols:

  • Idle Session Timeout: By default, user sessions are automatically terminated after 15 to 30 minutes of inactivity (configurable by tenant administrators).

  • Absolute Session Expiry: Regardless of activity, all sessions are subject to a forced re-authentication event after a maximum duration (e.g., 12 hours) to ensure token freshness.

  • Re-Authentication: Once a session expires, the user must re-enter credentials or re-authenticate via SSO.
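
The two timers above interact: activity resets the idle window but never the absolute limit. The sketch below is an added illustration, not Xoxoday's code; the `SessionStore` class, the 15-minute idle value (the low end of the stated range) and the 12-hour absolute value are assumptions chosen to match the figures in this answer.

```python
from dataclasses import dataclass

# Assumed policy values taken from the ranges quoted in the answer above.
IDLE_TIMEOUT_S = 15 * 60
ABSOLUTE_LIFETIME_S = 12 * 60 * 60


@dataclass
class Session:
    user: str
    created_at: float      # set once at login, never refreshed
    last_activity: float   # refreshed on every accepted request


class SessionStore:
    """Hypothetical in-memory store; a real deployment would persist sessions server-side."""

    def __init__(self, idle_s=IDLE_TIMEOUT_S, absolute_s=ABSOLUTE_LIFETIME_S):
        self.idle_s = idle_s
        self.absolute_s = absolute_s
        self._sessions = {}

    def login(self, sid, user, now):
        self._sessions[sid] = Session(user, created_at=now, last_activity=now)

    def check(self, sid, now):
        """Return 'ok', 'idle_timeout', 'absolute_expiry' or 'unknown'."""
        s = self._sessions.get(sid)
        if s is None:
            return "unknown"
        # Absolute expiry is measured from login, so activity cannot extend it.
        if now - s.created_at >= self.absolute_s:
            del self._sessions[sid]
            return "absolute_expiry"
        if now - s.last_activity >= self.idle_s:
            del self._sessions[sid]
            return "idle_timeout"
        s.last_activity = now  # sliding idle window, updated only for valid sessions
        return "ok"


def simulate_active_user(store, sid, step_s, until_s):
    """Constructed scenario: login at t=0, then one request every step_s seconds."""
    store.login(sid, "alice", now=0)
    for t in range(step_s, until_s + 1, step_s):
        result = store.check(sid, now=t)
        if result != "ok":
            return t, result
    return until_s, "ok"
```

An expired session is deleted on the server, so a later request with the same identifier is rejected as unknown and the user has to re-authenticate.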

Q: Does your change management process include authorization, impact analysis, testing, and validation?
Yes. Our Change Management Policy strictly follows a formalized lifecycle to ensure stability and security. The process includes four mandatory gates:

  • Impact Analysis: Every Change Request (RFC) undergoes a risk assessment covering technical feasibility, security impact, and potential service disruption.

  • Authorization: Changes must be approved by the Change Advisory Board (CAB). Segregation of duties is enforced; developers cannot authorize their own changes for production.

  • Testing & Validation: All changes are deployed to a Staging Environment first. We perform functional and regression testing to ensure integrity before the code touches production.

  • Controlled Deployment: Deployments are executed by authorized personnel during maintenance windows, with documented Rollback Procedures in place for immediate reversal in case of failure.

Q: Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?
Yes. We utilize a robust Software Composition Analysis (SCA) framework embedded within our CI/CD pipeline to ensure supply chain security.

Our Process Includes:

  • Automated Scanning: We integrate tools (e.g., Snyk, OWASP Dependency-Check) to scan every build for deprecated, unsupported, or vulnerable libraries.

  • Release Gating: Our CI/CD pipeline automatically blocks builds if high-severity vulnerabilities or end-of-life (EOL) dependencies are detected, requiring manual review and remediation before deployment.

  • Inventory Management: We maintain a strictly version-controlled manifest (e.g., package.json, pom.xml) to track all active dependencies.

  • Regular Maintenance: As part of our technical debt reduction, we conduct quarterly reviews of our stack to upgrade libraries and ensure continued vendor support.
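
A release gate of the kind described above can be reduced to a small decision function run as a pipeline step. This is an added sketch, not Xoxoday's pipeline code: the normalized findings format, the package names, the `high`/`critical` threshold and the `waivers` set (entries approved after manual review) are all assumptions, since each SCA tool emits its own report format.

```python
import sys
from datetime import date

# Constructed, normalized findings; not the output format of any specific scanner.
SAMPLE_FINDINGS = [
    {"package": "libalpha", "version": "1.2.0", "severity": "low", "eol_date": None},
    {"package": "libbeta", "version": "0.9.1", "severity": "high", "eol_date": None},
    {"package": "libgamma", "version": "2.0.0", "severity": None, "eol_date": "2023-06-30"},
    {"package": "libdelta", "version": "4.1.0", "severity": None, "eol_date": "2099-01-01"},
]

BLOCKING_SEVERITIES = {"high", "critical"}  # assumed threshold


def gate(findings, today, waivers=frozenset()):
    """Return (passed, reasons).

    waivers holds 'package@version' strings accepted after manual review
    (hypothetical mechanism for the review step).
    """
    reasons = []
    for f in findings:
        ident = f"{f['package']}@{f['version']}"
        if ident in waivers:
            continue
        if (f.get("severity") or "").lower() in BLOCKING_SEVERITIES:
            reasons.append(f"{ident}: {f['severity']} severity vulnerability")
        eol = f.get("eol_date")
        # A dependency whose support end date has passed blocks the build.
        if eol and date.fromisoformat(eol) <= today:
            reasons.append(f"{ident}: end-of-life since {eol}")
    return (not reasons, reasons)


if __name__ == "__main__":
    passed, reasons = gate(SAMPLE_FINDINGS, date.today())
    for r in reasons:
        print("BLOCKED:", r)
    sys.exit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```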

Q: Does your solution support local authentication protocols for user and administrator authentication?

Yes. While we recommend SSO for enterprise clients, our platform supports a secure, hardened local authentication module for both users and administrators.

Security Controls for Local Access:

  • Secure Storage: Passwords are never stored in plain text. We utilize strong, salted hashing algorithms (e.g., bcrypt) to protect credentials at rest.

  • Brute-Force Protection: The system enforces account lockouts after a defined number of failed attempts and supports CAPTCHA integration to prevent bot attacks.

  • Password Policy: We enforce NIST-aligned password complexity rules (length, character mix) and prevent the reuse of compromised or common passwords.

  • Native MFA: Local accounts can be protected via native Multi-Factor Authentication (MFA) using TOTP apps (Google/Microsoft Authenticator) or Email OTP.
