Q: How does the platform ensure secure handling of client data?
The platform is designed to prioritize enterprise-grade data protection and privacy. It complies with global standards such as GDPR and CCPA to ensure the secure handling, storage, and transmission of user and client data. Robust encryption (AES-256 at rest and TLS 1.2 in transit), role-based access controls, multi-factor authentication, and strict user access governance are implemented across the Xoxoday customer rewards platform. This ensures that all transactions and personal data are protected against unauthorized access or breaches.
Q: How does the platform ensure timely vulnerability detection and patching?
Xoxoday implements a proactive vulnerability management lifecycle. This includes continuous automated and manual vulnerability scans across both application and infrastructure layers. Risks are triaged based on severity, and critical vulnerabilities are patched within 24–72 hours. Periodic penetration testing and a regular patching cadence further reinforce our secure-by-design approach. Comprehensive vulnerability reports are available upon request for compliance and governance teams.
Q: How is customer data segmented from other clients?
The Xoxoday platform uses a multi-tenant architecture with logical data segregation. Customer data is protected using a unique client-level encryption key and stored in a separate database. While physical server isolation is not the default, private cloud hosting is available as an optional service at an added cost.
Q: How is encryption handled for data in transit and at rest?
Xoxoday uses industry-standard encryption protocols to secure all sensitive data. Data at rest is protected using AES-256 encryption, while data in transit leverages TLS 1.2/1.3 for secure communication across systems. These measures ensure robust end-to-end encryption across the entire platform. The security framework complies with international data protection standards, guaranteeing privacy and integrity at every layer of data flow.
Q: If data is stored in a file system, how is it separated from other clients?
All client data, including that stored on file systems, is logically separated via a multi-tenant framework. Each organization’s data is encrypted with a unique key and stored in isolated databases. Access control policies and audit protocols ensure rigorous separation and data confidentiality.
Q: Is role-based access control and MFA supported?
The Xoxoday incentive rewards platform enforces strict role-based access controls based on the principle of least privilege. Each admin is granted function-specific access (e.g., marketing, operations, finance), ensuring compartmentalized control.
All backend and administrative access is protected with multi-factor authentication (MFA). Every administrative action is logged, providing a secure and auditable framework for managing access privileges.
Q: Are data backups encrypted?
All backup data is encrypted using industry-standard AES-256 encryption protocols to ensure confidentiality and integrity both at rest and in transit. The encryption keys are securely managed through our cloud provider’s Key Management System (KMS), with strict access controls, regular audits, and rotation policies in place to mitigate unauthorized access risks. This approach ensures compliance with FIPS 140-2 standards and aligns with best practices for secure backup storage.
Q: Are involatile backup copies made on a predefined, secure schedule?
Yes, we have a 4-hour schedule for incremental backups and a daily schedule for full backups. These are stored in replicated cloud storage for redundancy. We have established security rules for storing the backups in a secure manner.
Q: Do all cryptographic modules in use in your solution conform to FIPS PUB 140-2 or 140-3?
Yes, Xoxoday leverages cryptographic modules that conform to FIPS PUB 140-2 standards.
Conformance to FIPS 140-2:
All cryptographic operations (e.g., encryption at rest, encryption in transit, TLS termination, and key management) are performed using modules provided by AWS Key Management Service (KMS) and AWS Certificate Manager, both of which utilize FIPS 140-2 validated cryptographic libraries.
Our use of TLS 1.2+ for data transmission and AES-256 encryption for data at rest adheres to FIPS 140-2 recommended practices.
No custom or proprietary cryptographic modules are used outside of those provided by compliant cloud infrastructure or vetted third-party libraries.
Non-Conforming Modules:
There are currently no known non-conforming cryptographic modules in production use within Xoxoday. All modules used either directly meet FIPS 140-2 validation or are integrated through FIPS-compliant services.
If the institution requires formal attestation, we can provide documentation or third-party reports outlining the compliance of our cryptographic components upon request.
Q: Do you have a cryptographic key management process (generation, exchange, storage, safeguards, use, vetting, and replacement) that is documented and currently implemented for all system components?
Yes, Xoxoday’s digital rewards platform implements a well-documented and actively maintained cryptographic key management process. This includes all critical lifecycle stages such as key generation, secure key exchange, usage, access safeguards, periodic vetting, and replacement.
These controls apply to all system components, including databases, infrastructure, and web-facing services. The platform uses Advanced Encryption Standard (AES) 256-bit encryption for data at rest and Transport Layer Security (TLS) for data in transit. These encryption measures are supported by role-based access control and strict audit logging for all key management operations.
Q: Are all user and client data (including all data in business applications and locally stored databases) on workstations and removable media encrypted?
Yes. At Xoxoday, safeguarding user and client data is a top priority, and we adhere to the highest security and compliance standards globally. All data — whether in transit or at rest — is encrypted using robust encryption protocols as part of our comprehensive data protection strategy. This includes data stored on workstations, removable media, business applications, and local databases.
