
Audit & Compliance

Get quick answers to questions related to Audit and Compliance.


Q: What procedures and controls are in place to protect equipment supporting the service from intruders, theft, fire, water, and environmental or physical damage?

Xoxoday implements robust physical and environmental security aligned with ISO/IEC 27001:2022 and SOC 2 Type 2 standards. Key measures include:

  • Controlled Access: Biometric authentication, role-based entry, and continuous monitoring

  • Visitor Management: Restricted access to critical areas

  • Intrusion Prevention: 24/7 security, CCTV, and intrusion detection

  • Fire Protection: Smoke detection and automatic suppression systems

  • Environmental Monitoring: Temperature, humidity, and water leakage monitoring

  • Water Damage Prevention: Flood sensors and facility design

  • Power Resilience: UPS systems and backup generators

  • Secure Equipment Placement: Minimized exposure to physical risks

  • Redundant Utilities: Multiple sources to ensure uninterrupted operations

Q: Are audit trails stored securely and protected so they cannot be altered?

Xoxoday ensures that all audit trails across its rewards, incentives, and payout platform are securely stored in compliance with industry standards such as ISO/IEC 27001:2022 and SOC 2 Type 2. Data is kept in tamper-proof, access-controlled environments with encryption at rest and in transit, role-based access controls, and immutable logging, ensuring integrity, compliance, and audit readiness.

Q: Are clients permitted to conduct a detailed information security assessment, as required by the client's information security policy?

Yes. Xoxoday supports enterprise-grade transparency by allowing clients to request a detailed information security assessment of its infrastructure, applications, and processes. This assessment can cover security controls, compliance certifications, penetration test results, and relevant documentation in alignment with the client’s internal information security policy. Such engagements are coordinated with our Information Security and Compliance teams to ensure confidentiality while providing assurance on data protection measures.

Q: Does the company restrict software installation on its owned and/or managed systems to authorized, supported, and properly licensed software, with only its IT administrators (or specific personnel approved by Information Security) installing such software?

Yes. Xoxoday enforces a strict software governance policy under which only authorized, licensed, and security-vetted software can be installed on company-owned or managed systems. Installation is restricted to IT administrators or personnel explicitly approved by the Information Security team. This prevents the introduction of malicious or unsupported applications and ensures compliance with licensing agreements.

Q: Describe data center compliance with those standards, including independent audit results or certifications.

Xoxoday uses AWS, Azure, and Oracle as cloud providers, all compliant with PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171. Xoxoday itself is certified for ISO 27001, ISO 14001, CCPA & CPRA, HIPAA, and SOC 2 Type 1 & 2. Regular internal and independent audits ensure compliance and control effectiveness.

Q: Is there a dedicated Information Security Officer or CISO responsible for security architecture and operations?

Yes. The CISO, reporting to the group CTO, oversees the organization’s security, data protection, and privacy as Chief Data Protection Officer (CDPO) and Chief Privacy Officer (CPO). The Information Security team supports daily operations, including governance and compliance with ISO 27001, SOC 2 Type 2, and GDPR.

Q: What are the data center security standards for the hosted solution?

Xoxoday is hosted on Azure, AWS, and Oracle, leveraging their secure, scalable, and resilient cloud infrastructure. Key data center security standards include:

  • Physical & Infrastructure Security

    • ISO 27001, SOC 2, and PCI DSS Compliance – Data centers adhere to internationally recognized security and compliance standards.

    • 24/7 Security Monitoring – Facilities are protected with multi-layered security controls, including biometric access, surveillance, and on-site personnel.

    • Redundant Power & Network Infrastructure – Ensures high availability with backup power systems and geographically distributed data centers.

  • Data Protection & Encryption

    • Encryption at Rest and in Transit – Data is encrypted using AES-256 for stored information and TLS 1.2+ for data transmission.

    • Automated Backups & Disaster Recovery – Xoxoday ensures continuous data backups and replication across multiple availability zones for resilience.

    • Data Access Controls – Role-based access control (RBAC) and multi-factor authentication (MFA) ensure that only authorized users can access data.

  • Network & Cybersecurity Measures

    • DDoS Protection & Threat Monitoring – The cloud service providers supply advanced firewall protection, intrusion detection systems (IDS), and AI-driven threat analytics.

    • Automated Patch Management – Regular updates and security patches are applied to protect against vulnerabilities.

    • Logging & Audit Trails – Comprehensive log management and audit capabilities enable real-time security monitoring and compliance tracking.

  • Regulatory Compliance & Certifications

    • HIPAA, GDPR, CCPA, and FedRAMP Compliant – Xoxoday follows the stringent data security and privacy regulations required for enterprise and healthcare organizations.

  • Data Residency & Regional Hosting Options – Organizations can choose region-specific data centers to comply with local data sovereignty laws.

Q: Is customer data used for any purpose other than the one explicitly stated in the contract?

No, Xoxoday strictly adheres to the principle of purpose limitation. Customer data is only processed for the intended and contractually defined purposes. We do not use client data for analytics, training, marketing, or any secondary activities unless explicitly agreed upon. This is in alignment with GDPR Article 5 on lawful and fair data processing and is reflected in our internal information security and privacy protocols.

Q: Have you undergone an SSAE 18/SOC 2 audit?

The SOC 2 Type II assessment for Xoxoday (Nreach Online Services Pvt. Ltd.) was conducted for the period from November 9, 2023 to November 8, 2024, with November 8, 2024 serving as the assessment end date. This report evaluates the design and operational effectiveness of our controls over the specified period, in accordance with the applicable trust services criteria.

Please find the SOC 2 Type II report attached for your review.

Q: How does the platform support audit logging and user access tracking?

The Xoxoday customer rewards platform enables robust audit logging and exportable tracking of user and admin activities. Administrators can access and export comprehensive data on users, roles, and audit trails via the Reports → Administrative Data module.

Key capabilities include:

  • User & Role Export: View and export all users and roles for organization-wide tracking.

  • Audit Trail Export: Access program-specific logs for compliance reporting.

  • Permissions-Based Access: Requires view rights to the User Access Management and Reports modules.

  • Member-Level Logs: Capture profile updates, activity history, and more at an individual or aggregate level.

This helps organizations streamline compliance, monitor user behavior, and maintain governance controls.
