Anti-Bribery, Corruption & Ethics
Q: Does Xoxoday have an Anti-Bribery and Corruption (ABC) policy, and is regular training provided to employees?
Yes, Xoxoday enforces a comprehensive Anti-Bribery and Corruption (ABC) policy that outlines strict guidelines to prevent unethical conduct, bribery, and corruption across all levels of the organization. This policy is applicable to all employees, contractors, and third-party partners operating under Xoxoday’s global digital rewards and incentives ecosystem.
To reinforce this policy, mandatory annual training is provided to all employees, aligning with international legal frameworks such as the UK Bribery Act 2010 and the Foreign Corrupt Practices Act (FCPA). The training covers:
• Bribery risk identification and reporting
• Compliance responsibilities and legal obligations
• Gift, hospitality, and facilitation payment policies
• Whistleblower protections and reporting mechanisms
Employees in high-risk functions receive enhanced training modules tailored to their roles. Additionally, internal audits and compliance checks are regularly conducted to enforce adherence and uphold our zero-tolerance approach to bribery and corruption.
Corporate Social Responsibility
Q: Do you and/or your subcontractors conform to the International Conventions on child labor as defined by the United Nations?
Xoxoday is committed to maintaining the highest ethical and labor standards, ensuring that neither our operations nor those of our subcontractors engage in the use of child labor. We fully comply with ILO Convention 138 on the Minimum Age for Employment and ILO Convention 182 on the Elimination of the Worst Forms of Child Labor, as defined by the United Nations.
Key points:
• Zero-Tolerance Policy: Strict prohibition of child labor across all operations and subcontractor activities.
• Compliance with International Standards: Adherence to ILO Convention 138 and Convention 182.
• Supplier Code of Conduct: Enforces zero tolerance for any form of child labor or modern slavery.
• Legal Compliance: Alignment with both local labor laws and international labor conventions.
• Supply Chain Oversight: Regular monitoring and audits of subcontractors and manufacturers to ensure adherence to ethical labor practices.
• Protective Measures: Rigorous vetting and contractual requirements for suppliers to prevent violations.
Q: Does Xoxoday have a responsible sourcing policy within its CSR framework?
Yes, Xoxoday’s CSR strategy incorporates a responsible sourcing policy that requires all suppliers and subcontractors to follow sustainable procurement principles. This includes adherence to environmental regulations, ethical labor practices, and local compliance laws. The policy emphasizes collaboration with vendors who demonstrate commitment to environmental and social responsibility, reinforcing Xoxoday’s broader mission to foster a sustainable and ethical supply chain.
Diversity & Ownership
Q: Is your company minority or woman-owned?
We are not a certified minority or woman-owned business.
Q: How does Xoxoday support equity, diversity, and inclusion (EDI) within the organization and for its clients?
Xoxoday champions equity, diversity, and inclusion (EDI) both internally and externally. Internally, a formal DEI policy ensures equal opportunities and fair treatment for all employees—regardless of gender, ethnicity, age, religion, disability, or orientation. Externally, Xoxoday’s rewards platform supports diverse user groups with multilingual access, multi-currency support, and global reward catalogs, enabling organizations to deliver inclusive and personalized experiences to employees, customers, and partners.
Compliance
Q: Which of the areas are covered in the code of conduct policy?
The Xoxoday Business Code of Conduct addresses the following critical areas of compliance and ethical business practices:
• Respect for Human Rights
• Forced Labor or Human Trafficking
• Child Labor
• Working Conditions
• Remuneration
• Non-Discrimination
• Anti-Corruption and Bribery
• Health and Safety
• Environmental Responsibility
These principles are embedded in both policy and practice to ensure socially responsible operations.
Q: Is Xoxoday government-owned, or are any of its owners or directors politically exposed persons (PEPs)?
No, Xoxoday is a privately held company and is not government-owned, either fully or partially. None of its owners or directors are government officials or classified as politically exposed persons (PEPs). The company is backed by reputed investors and operates independently with a strong governance framework.
Q: Can Xoxoday provide a secure environment that can detect and block common security vulnerabilities such as those identified by the OWASP?
Xoxoday’s product suite follows a secure-by-design approach to address and mitigate vulnerabilities as outlined by the OWASP Top 10 and other industry security benchmarks.
Key points:
• OWASP Alignment: Security controls are implemented to address vulnerabilities such as injection flaws, broken authentication, sensitive data exposure, XML external entities (XXE), cross-site scripting (XSS), insecure deserialization, and more.
• Application Security Testing: Regular vulnerability scanning and penetration testing performed by certified security experts.
• Secure Development Lifecycle (SDLC): Integration of secure coding practices, peer code reviews, and automated static/dynamic application security testing (SAST/DAST).
• Web Application Firewall (WAF): Deployed to detect and block common web-based threats in real time.
• Intrusion Detection & Prevention Systems (IDS/IPS): Monitor and respond to suspicious activities across the infrastructure.
• Encryption Standards: AES-256 encryption for data at rest and TLS 1.2+ for data in transit to prevent interception or tampering.
• Compliance Frameworks: Certified for ISO/IEC 27001:2022 and SOC 2 Type 2, and compliant with GDPR requirements.
Q: Does the system support different types of access controls, such as user-based, role-based, and context-based permissions?
Yes. The Xoxoday platform employs a granular access control framework designed on the Principle of Least Privilege. We support three distinct layers of permissioning across all our product lines:
• Role-Based Access Control (RBAC): We provide pre-defined and custom roles (e.g., Super Admin, Budget Owner, Reporting User) to ensure users can only access features necessary for their job function.
• Context-Based/Attribute-Based Access Control (ABAC): Permissions are dynamically filtered based on user attributes such as Department, Business Unit, or Geographic Region. For example, a "Sales Manager" can only view incentive data for their specific territory.
• Financial Governance (Maker-Checker): For high-risk actions like budget allocation or reward payouts, we enforce maker-checker workflows, requiring a secondary approval before transactions are processed.
This architecture ensures robust segregation of duties and data isolation across our Engagement, Incentive, and Rewards solutions.
Q: Does Xoxoday support both thick client and mobile devices?
Yes, Xoxoday fully supports both thick client (web browser-based platforms) and mobile devices. Our solution offers a seamless experience through dedicated applications for web browsers, Android, and iOS, ensuring employees can engage anytime, anywhere.
The platform’s responsive design and native mobile apps enable users to access features like recognition, rewards redemption, surveys, social intranet, and community groups on the go.
Additionally, the platform integrates with popular collaboration tools like Microsoft Teams and Slack, further enhancing accessibility and usability across devices. This flexibility helps organizations engage their distributed and hybrid workforces effectively.
Q: Does Xoxoday support encryption for the transport and storage of sensitive data, and if so, what type and what level are implemented?
Yes. We employ a defense-in-depth encryption strategy covering the entire data lifecycle, aligned with ISO 27001:2022 and SOC 2 Type 2 standards.
1. Data in Transit (Network Security): All data transmitted between client devices, our APIs, and our internal microservices is encrypted using TLS 1.2 or higher.
• Ciphers: We enforce strong cipher suites (e.g., AES-256-GCM, ECDHE-RSA) and Perfect Forward Secrecy (PFS).
• Protection: We implement HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks and certificate pinning to mitigate Man-in-the-Middle (MITM) risks.
2. Data at Rest (Storage Security): All sensitive data stored within our infrastructure is encrypted using AES-256 encryption.
• Database Level: We utilize Transparent Data Encryption (TDE) for databases and column-level encryption for highly sensitive PII.
• Storage Level: Full-disk encryption (FDE) is applied to all EBS volumes, S3 buckets, and backup archives.
3. Key Management: We utilize an enterprise-grade Key Management System (e.g., AWS KMS) to generate, rotate, and secure encryption keys. Keys are managed with strict Role-Based Access Control (RBAC) and are never stored alongside the data they protect.
Q: Does your system integrate with an Identity and Access Management system? If so, which systems do you support?
Yes, the Xoxoday solutions integrate seamlessly with IAM systems to simplify and secure user authentication. We offer pre-built integrations with Azure AD and Google Workspace and support all common SSO providers through the SAML 2.0 protocol. This flexibility allows enterprises to align access to the Xoxoday platform with their existing identity management infrastructure.
Q: How do users access the Xoxoday system?
Xoxoday supports secure user authentication through integrations with popular Identity and Access Management (IAM) systems. We provide pre-built integrations with Azure Active Directory (Azure AD) and Google Workspace, and support all standard Single Sign-On (SSO) providers using the SAML 2.0 protocol. This ensures that users can access the platform seamlessly with their existing corporate credentials while maintaining strong security standards. The platform can also be accessed through various work applications such as Microsoft Teams, Slack, Salesforce, SAP, and over 100 other popular applications.
Q: Where are Xoxoday’s solution servers located?
Xoxoday’s solutions are hosted on Oracle, AWS, and Azure cloud infrastructure, with operational data centers currently located in the USA, India, Saudi Arabia, Singapore, the UAE, and the EU.
We can accommodate hosting requirements in a new region, provided the time and cost of onboarding the new cloud environment are factored into the delivery. We are committed to meeting data residency requirements and will work with your team to ensure compliance with local regulations.
Q: Who is covered by the Code of Conduct?
Our ethical compliance framework extends beyond our internal walls. The Xoxoday Code of Conduct is applicable to our Direct Operations as well as our external ecosystem, including Business Partners and Direct Procurement Suppliers.
We view these entities as an extension of our brand. Therefore, any partner or supplier directly engaged in delivering our value proposition is contractually obligated to uphold our standards regarding labor rights, anti-corruption, and data privacy.
