Empuls is fully compliant with Canadian federal and provincial privacy legislation, including the Access to Information Act (ATIA) and the Protection of Privacy Act (POPA), with all data encrypted in transit and at rest and stored in North American data centers.
Canadian Privacy Compliance on Empuls
Xoxoday Empuls is built to meet the privacy and data protection requirements of Canadian federal and provincial law. The platform’s architecture aligns with the Access to Information Act (ATIA) and the Protection of Privacy Act (POPA), so organizations operating in Canada—including public sector institutions and federally regulated employers—can adopt Empuls without requiring separate compliance remediation.Data Residency and Sovereignty
Empuls hosts Canadian client data in North American data centers, satisfying local data residency and sovereignty requirements under ATIA and POPA. Employee recognition records, reward transactions, and engagement survey results stay within compliant jurisdictions by default. Organizations running Empuls alongside HRIS platforms like Workday, SAP SuccessFactors, or Darwinbox can integrate freely, confident that data flows remain within approved regional boundaries.Encryption and Access Controls
All data processed by Empuls is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256. Access to customer data is governed by role-based permissions and least-privilege principles—only personnel with a verified business need can view or process sensitive information. Every access event is logged in tamper-evident audit trails, giving compliance and security teams a complete record for regulatory review or audit response.Privacy by Design
Empuls embeds privacy and security at every layer of its architecture rather than treating them as bolt-on controls. This approach aligns with ISO 27001, SOC 2 Type II, and GDPR frameworks, so the protections governing Canadian data are consistent with globally recognized standards. Whether employees send peer recognition through Slack or Microsoft Teams or managers review engagement dashboards directly in Empuls, the same privacy-first controls apply uniformly across every interaction.Data Retention and Deletion
Empuls enforces retention and deletion policies that comply with ATIA and POPA timelines. When an agreement ends or an individual submits a deletion request, personal data is securely destroyed within the defined regulatory window. Organizations do not need to build or maintain separate deletion workflows—Empuls handles compliant data disposal as part of its standard offboarding process.Transparency and User Rights
Empuls informs users about the purposes of data collection, their rights to access or correct personal information, and the consent mechanisms in place. These disclosures are embedded in onboarding flows and platform privacy notices, ensuring employees and administrators always understand how their data is used and who holds access to it. Learn more: Empuls Help Centre — GeneralHow does Empuls handle data residency for enterprise clients?
Learn how Empuls stores and routes customer data across regional data centers to meet local sovereignty and residency requirements.
Is Empuls GDPR compliant?
Understand how Empuls aligns with GDPR requirements for data subject rights, consent, and cross-border data transfers.