Empuls disables any user account that has been inactive for 45 consecutive days and permanently deletes that account 30 days after deactivation, unless the recipient of the inactive user report explicitly instructs that the account be retained or reactivated.
Inactive Account Policy in Empuls
Xoxoday Empuls enforces a time-based user lifecycle policy designed to reduce your organisation’s attack surface and maintain clean, auditable user directories. Any account that goes without activity for 45 days is automatically flagged and disabled. This is not a manual process—Empuls monitors login and engagement signals continuously and applies the deactivation without requiring admin intervention. The 45-day threshold aligns with common controls required under ISO 27001 Annex A.9 (Access Control) and supports audit readiness for SOC 2 Type II, which expects organisations to demonstrate timely revocation of access for dormant identities.What Happens After Deactivation
Once an account is disabled, Empuls enters a 30-day grace period before permanent deletion. During this window, the recipient of the inactive user report—typically an HR administrator or IT security owner—can review the list and take action. If a particular account belongs to an employee on extended leave or a contractor whose project has paused, the report recipient can request that the account be retained or reactivated rather than deleted. If no instruction is received within that 30-day period, Empuls permanently removes the account and its associated data. This two-stage approach—disable first, delete after review—prevents accidental data loss while still enforcing disciplined access hygiene.A Practical Example
Consider an organisation that provisions Empuls accounts via an HRIS integration with Darwinbox or SAP SuccessFactors. If an employee goes on a three-month sabbatical and their profile is not updated in the HRIS, Empuls will detect the absence of login activity at the 45-day mark and disable the account. The designated report recipient receives a notification and can flag that account for retention until the employee returns. Without that instruction, the account is purged 30 days later—keeping the user directory accurate and access tightly controlled. The same logic applies to organisations using Workday as their system of record or teams that authenticate into Empuls via Slack or Microsoft Teams. Regardless of the provisioning method, the inactivity timer runs from the last recorded user action within Empuls itself.Admin Visibility and Control
HR and IT administrators retain full visibility over this lifecycle through the inactive user report. This report surfaces every disabled account along with the date of deactivation and the scheduled deletion date, giving your team a clear audit trail. Administrators can bulk-review, mark accounts for retention, or confirm deletion—all within the Empuls admin console. This policy ensures that access rights do not persist beyond active employment or engagement periods, a requirement that increasingly appears in enterprise vendor security assessments and procurement RFPs. Learn more: Empuls Help Centre — Security ComplianceRole-Based Access Control in Empuls
Understand how Empuls uses role-based permissions to restrict access to sensitive reward and recognition data across your organisation.
Single Sign-On and Authentication
Learn how Empuls integrates with identity providers to enforce centralised authentication and reduce credential-based risk.