Skip to main content
Empuls enforces a one-recipient policy on all system-triggered reward emails to protect sensitive payloads such as gift card codes and redemption tokens; CC recipients are not supported by default, and any exception requires a formal security review.
When running an R&R program at scale, HR and People Ops teams often want a central inbox copied on every award notification — for audit trails, tax documentation, or operational visibility. Empuls treats this as a security boundary rather than a configuration option, and the distinction matters. Why Empuls restricts CC on reward emails Reward notification emails sent by Empuls frequently carry sensitive payloads. Gift card codes, voucher links, and redemption tokens are embedded directly in the email body. Copying these messages to a shared mailbox or a distribution list dramatically expands the attack surface — anyone with access to that inbox can claim a reward intended for someone else. Empuls applies a strict one-recipient policy to all system-triggered reward communications. This design is consistent with Empuls’s compliance posture under ISO 27001 and SOC 2 Type II, where access to reward assets is scoped to the individual recipient at the point of delivery. What this means in practice If your organization uses integrations with Darwinbox, SAP SuccessFactors, or Workday to automate award triggers, those trigger events fire correctly — but the resulting Empuls notification lands only in the awardee’s inbox. The same applies to notifications surfaced through Slack or Microsoft Teams: the message goes to the individual, not a shared channel or group handle. A central HR email cannot be added as a CC recipient to routine reward emails, including anniversary awards, spot bonuses, peer recognition notifications, or long-service milestone messages. When an exception is possible Empuls does not block exceptions categorically. Organizations with a documented compliance or audit requirement can submit a formal exception request. This request enters a security review cycle that assesses the sensitivity of the reward type, the access controls on the shared mailbox, and whether the request meets the organization’s data handling policies. Any approved exception carries a formal acknowledgment of the associated risks and is scoped narrowly to the specific use case — it is not applied across all program notifications. A practical alternative for central visibility Many HR teams achieve the same goal without modifying email routing. Empuls provides manager and admin dashboards where all award events, redemption activity, and notification logs are available in real time. For payroll or tax documentation, reward reports can be exported from Empuls on a scheduled basis and delivered to a central finance or HR inbox — without exposing gift card codes in transit. Organizations using Workday or SAP SuccessFactors can also build a trigger-based audit log that records award events in a core HCM system independently of the reward email itself, keeping compliance records separate from sensitive redemption content. Learn more: Empuls Help Centre — R&R program

Setting Up Award Triggers and Automations

Learn how Empuls fires award notifications through HRIS integrations and calendar-based triggers, and how to configure automation rules for your R&R program.

Empuls Data Security and Compliance Standards

Understand how Empuls protects reward data under ISO 27001 and SOC 2 Type II, including access controls, encryption, and audit logging across all recognition workflows.