Trust

Software Built On Trust

To stay agile in a dynamic business and technology environment, we build products that are secure by design, provide data security and are highly resilient. Our security model and scalable infrastructure help keep your organization secure and compliant.

Physical Security

Entry to our office premises is restricted to authorized personnel. Entry and exit points are continuously monitored through CCTV cameras, biometric access logs and similar controls.

Malware And Spyware Protection

Gateway-based anti-virus and content-inspection filtering, with real-time scanning, are set up to prevent viruses and other malware from entering our network.

CIS Committee

At Xoxoday, our CIS committee initiates security programs. The committee comprises highly skilled security professionals who ensure that adequate skills and resources are made available for our information security initiatives.

Risk Management

Risk assessment is conducted on a regular basis by our information security team to identify the security risks encountered by our information processing facilities or system components.

Training And Awareness

We train our employees in online privacy and in the responsible handling of personal information. Our information security team conducts training and awareness programs as part of induction for new joiners and runs refresher training for all Xoxoday employees.

Employee Vetting

Xoxoday performs background checks on all new employees in accordance with local laws. The background check includes but is not limited to employee background verification and criminal checks.

Policies

Xoxoday has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Vendor Management

To run efficiently, we rely on subservice organizations. Where a subservice organization could affect the security of our production environment, we take appropriate steps to maintain our security posture by establishing agreements that require it to adhere to the confidentiality commitments we have made to users.

Product Security

Best In Class Product Security

Our products are built with banking-grade security that safeguards the infrastructure, data and processes. They are regularly verified for security, privacy and compliance, and are certified against global product security standards.

Encryption

We adopt appropriate cryptographic methods to protect data at rest and in transit, safeguarding the confidentiality, integrity, availability and privacy of information. Data at rest: AES 256-bit encryption. Data in transit: TLS 1.2.

Segregation Of Duties

Segregation of duties is one of our key security principles. It is achieved by assigning tasks and their associated privileges based on our organizational structure and job roles. Access to the production environment is restricted to a small set of users, based on their roles.

Incident And Breach Management

At Xoxoday we have a multi-disciplinary incident response team comprising knowledgeable and skilled individuals. Procedures are in place to address information security incidents, initiate immediate action and drive them to resolution.

Quality Assurance

Thorough automated functional tests, UI/UX tests and regression tests are performed, with the criteria for sign-off on a release set to high standards.

Code Review

Our security experts conduct thorough code reviews, and all changes are tested by our quality assurance team.

Data Back-up

User data is backed up periodically across multiple servers, helping protect the data in the event of hardware failure or disaster.

Failover And Disaster Recovery

Xoxoday is built with fault tolerance capability. Each of our services is fully redundant with replication and failover. Services are distributed across multiple AWS availability zones. These zones are hosted in physically separate data centers, protecting services against single data center failures.

System Monitoring, Logging And Alerting

Xoxoday monitors servers, workstations and mobile devices to retain and analyse a comprehensive view of the security state of its corporate and production infrastructure. All production logs are stored in a separate network that is restricted to relevant security personnel only.

Pentest And Vulnerability Scans

On a regular basis, we engage security experts to conduct detailed penetration testing and we use third party security tools to continuously scan for any vulnerabilities.

Virus Scanning

Traffic coming into Xoxoday servers is automatically scanned for malware using state-of-the-art virus scanning that is updated regularly.

PCI Obligations

We use Stripe as our payment gateway. Stripe's security details can be found on its security website.

End Point Security

All workstations issued to Xoxoday personnel are configured to comply with our security standards. These standards require every workstation to be properly configured, kept updated, and tracked and monitored by Xoxoday's endpoint management solutions.

Best Practices

Stand On The Shoulders Of The Giants

Learn the best and proven ways to ensure your data and systems are protected and that you get the most out of our products. The recommendations below guide enterprise customers like you while using our products. The list is not exhaustive; rather, it helps you and your stakeholders understand the scope of what needs to be considered.

Identity And Access Management

With this framework, we can control user access and ensure that the appropriate users in an enterprise have the appropriate access. Always remove access rights that are no longer valid.

Secure API

Update your API integrations whenever we ship new releases and notify you of them.

Enforce Least Privilege

Enforce the principle of least privilege and differentiate access based on each user's responsibilities. This significantly reduces your attack surface by eliminating unnecessary access rights.

Educate And Train Users

Create unique accounts for everyone and educate users about the dangers of sharing accounts. Put policies in place that prevent users from sharing account details.

End Point Protection

Secure the entry points to your applications. To make sure no backdoor entry is created, take measures to secure endpoints before exposing them.

Document Security Policies

Maintain a knowledge repository that includes comprehensively documented software security policies. Security policies allow your employees, including network administrators, security staff and others, to understand what activities you are performing and why.

Privacy

Our Commitment To Protecting Your Data

We are committed to protecting the privacy of your company, employee, channel partner and customer data. We understand that this data is critical to your business and we assure you that using our products doesn't require you to compromise on your data's security or control.

Xoxoday’s commitment to GDPR

We handle your information carefully and ensure that it is secure with us.

At Xoxoday, we ensure that data is gathered, stored and handled with respect for individual rights. We have raised awareness among our employees and other stakeholders on how to handle data appropriately, and they understand the importance of GDPR and information security. Our controls are put in place based on the data protection impact assessment (DPIA) we have conducted.

What is GDPR?

GDPR (General Data Protection Regulation) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). It sets out the principles for data management and the rights of the individual. GDPR was adopted on 14 April 2016, and became enforceable from 25 May 2018.

Principles of GDPR

Confidentiality and data security

Personal data is subject to data secrecy. Our Data Protection Officer is responsible for maintaining confidentiality and data security, and has put in place suitable organizational and technical measures to prevent unauthorized access, unlawful processing or distribution, as well as accidental loss, modification or destruction.

Fairness and lawfulness

When personal data is processed, the individual rights of the data subjects are protected. Personal data is collected and processed in a legal and fair manner.

Restriction to a specific purpose

Personal data is processed only for the purpose that was defined before the data was collected. Our Data Protection Officer is responsible for enforcing this restriction on processing.

Transparency

When data is collected, we make the data subject aware of it, or inform them directly.

Xoxoday’s Data Security Policy

As part of Xoxoday's operations, information is obtained from the Controllers and processed. This information includes any offline or online data that makes a person identifiable. Xoxoday collects this information in a transparent way and only with the full cooperation and knowledge of the interested parties. Once this information is available, the following rules apply.

We exercise data protection by:
  • Restricting and monitoring access to sensitive data, granting employees access on a need-to-know basis.
  • Training employees in online privacy and security measures.
  • Building secure network connections for accessing the data, using encryption, firewalls and password protection.
  • Establishing clear procedures for reporting privacy breaches or data misuse.
  • Including contract clauses, or communicating statements, on how we handle data.
  • Establishing data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization, etc.).

Data Storage

Information and records relating to individuals are stored securely and are accessible only to authorised persons. Information is stored for as long as it is needed or required by statute, and is disposed of appropriately in line with the Retention, Archiving and Destruction of Information procedure. It is the responsibility of Xoxoday and the Data Protection Officer to ensure that personal and company data is not recoverable from any computer system previously used within the organisation that has been passed on or sold to a third party. Xoxoday has a detailed process for the erasure and deletion of personal data in accordance with the retention, archiving and destruction policy and the service agreement with the data controllers.

Access Control

Xoxoday has established a Data Management System and an Information Security Management System to ensure that data is managed safely and securely in the course of business while delivering value to interested parties. Xoxoday is committed to protecting data and personally identifiable information through an organized process, preventing breaches that may be caused by intrusion, and enforcing effective access controls for applicable information assets. The company has adopted the access control principles established in ISO 27001:2013 as its official policy for the access control domain.

Breach Notification Procedure

At Xoxoday we have a data breach response team. It is a multi-disciplinary team comprising knowledgeable and skilled individuals from the IT department, IT security and legal. The team ensures readiness for a personal data breach response, along with the needed resources and preparation (such as call lists, substitution of key roles, and the required review of company policies, procedures and practices). The Data Breach Response Team is prepared to respond to a suspected, alleged or actual personal data breach 24/7, year-round. The Data Breach Response Process is initiated when anyone notices a suspected, alleged or actual personal data breach. The breach must be reported immediately to the Data Protection Officer.

Encryption

We adopt appropriate cryptographic methods to protect data at rest and in transit, safeguarding the confidentiality, integrity, availability and privacy of information. Data at rest: AES 256-bit encryption. Data in transit: TLS 1.2.

DPO

  • Develop and implement the organisation's Data Protection Policy.
  • Create 'best practice' guidance for data processors, preferably in written form for future reference.
  • Train and advise staff on the provisions of the Data Protection Act.
  • Identify and monitor the data processors at work, ensuring that they handle data in a manner consistent with the key data protection principles.
  • Process and respond to all requests for information, correction or erasure from data controllers or data subjects.
  • Ensure data remains up to date and is destroyed when necessary.
  • Report to the supervisory authority in case of a breach.
  • Review the policy annually with management and update policies if required.
  • Ensure there is no conflict of interest between the individual's duties as DPO and their other duties.
  • Notify the data controller and other concerned stakeholders when a data breach is identified.

Privacy By Design

Privacy by design has always been an implicit requirement of the GDPR principles. When developing new systems we conduct a Data Protection Impact Assessment (DPIA), and our controls are put in place based on its results. By default, our processing activities are performed with data security and, more generally, compliance with the GDPR in mind. Personal data necessary for a specific processing purpose is made accessible only with the consent of the data subjects.