Can HR admins CC a company email on all Empuls reward... - Xoxoday

Empuls does not permit CC addresses on platform-triggered reward emails by default, because these messages often contain sensitive content such as gift card redemption codes; any exception requires a formal security review and documented risk acknowledgment.

When an employee earns a reward in Empuls, the platform sends a transactional email that frequently contains a unique gift card redemption code or a direct link to claim monetary value. These codes are single-use, time-sensitive, and tied to real currency. Routing a copy of that email to a shared mailbox or a departmental alias creates a meaningful security exposure — the code becomes accessible to anyone with inbox access before the intended recipient can claim it. Empuls enforces data protection protocols aligned with SOC 2 Type II and ISO 27001 standards. Restricting outbound reward emails to the verified recipient is one of those controls. It closes off a common attack surface: shared inboxes that accumulate high-value redemption codes are a more attractive target than inboxes containing only metadata. Why this comes up in enterprise setups Organizations running Empuls alongside HRMS platforms like SAP SuccessFactors, Workday, or Darwinbox often want to copy a reward notification to an HR operations inbox for audit or recordkeeping. The intent is legitimate, but the mechanism introduces risk. A distribution list or team alias that receives gift card codes in bulk is harder to govern than a single verified employee address. For audit and reporting needs, Empuls provides administrator dashboards and exportable reward logs that capture issuance timestamps, redemption status, and budget utilization — without placing redemption-sensitive content in shared email threads. How the exception process works If your organization has a compliance requirement that genuinely necessitates CC routing, Empuls supports a formal exception process. This involves a documented security review, written acknowledgment of the associated risks from a named data owner, and approval from the Xoxoday security team. The review evaluates whether the receiving mail infrastructure meets the same data protection controls applied to the primary recipient. This process is assessed case by case. Organizations subject to GDPR, PDPA, or similar data privacy regulations should also evaluate how a shared inbox handles personally identifiable information before requesting an exception — a CC address that stores employee reward history may itself constitute a personal data store under those frameworks. Practical alternatives for HR teams Rather than CC routing, HR administrators can monitor all sent reward notifications directly inside the Empuls admin console. For teams using Slack or Microsoft Teams, Empuls surfaces reward activity through channel notifications that share recognition metadata — who was recognized, by whom, and for what — without exposing any redemption-sensitive content to the channel. This separation between recognition visibility and redemption privacy is intentional. It lets organizations celebrate wins publicly while keeping the financial mechanics of rewards exactly as secure as any other sensitive employee benefit. Learn more: Empuls Help Centre — R&R program

Email Notification Settings in Empuls

Configure which reward and recognition emails Empuls sends, to whom, and under what trigger conditions.

Admin Reward Reports and Audit Logs

Access full issuance and redemption logs from the Empuls admin dashboard without exposing gift card codes.