Empuls enforces strict data isolation, ensuring all engagement data is used exclusively for its intended purpose and never transferred to third parties, other business units, or external vendors without explicit written authorization or a lawful regulatory requirement.
Data Stays Within Your Engagement
When an organization onboards Xoxoday Empuls, every piece of data collected — employee identifiers, recognition activity, reward transactions, survey responses, and redemption records — is scoped exclusively to that organization’s engagement. Empuls does not aggregate, reuse, or repurpose this data across other client environments, internal business units, or unrelated applications. This boundary is enforced at the infrastructure level, not merely as a written policy.No Cross-Vendor Data Transfers
Empuls does not transfer organizational data to third-party vendors, analytics partners, or other Xoxoday products without explicit, written authorization from the customer. This principle holds regardless of which integrations are active in your environment. If your Empuls instance is connected to Slack or Microsoft Teams for recognition notifications, or synced with Workday, SAP SuccessFactors, or Darwinbox for employee data imports, the data flowing through those integrations remains ring-fenced to your environment. No data from your instance is passed to another organization’s Empuls environment or any external party without a signed, case-by-case written agreement.Two Narrow Exceptions
There are exactly two circumstances under which data may leave the engagement boundary. First, Empuls may share data when the customer provides explicit written consent authorizing a specific transfer to a named third party. Second, Empuls complies with applicable law or orders issued by a competent regulatory authority — for example, a lawful data request under GDPR or a directive from a court of jurisdiction. Outside these two scenarios, no data crosses the engagement boundary.Backed by ISO 27001 and SOC 2 Type II
This data isolation commitment is embedded in Empuls’s certified information security management practices. Empuls holds ISO 27001 certification and undergoes independent SOC 2 Type II audits, both of which require documented, verifiable controls around data handling, access restrictions, and vendor data governance. The prohibition on cross-environment data sharing is an audited control, not a self-reported one.A Concrete Example
Consider an organization using Empuls for peer-to-peer recognition with Microsoft Teams as the notification layer. Recognition events — who recognized whom, for which value, and when — are stored exclusively in that organization’s isolated Empuls environment. That data does not flow to any other Empuls customer’s environment, is not used to train shared recommendation models, and is not accessible to any Xoxoday team outside the scope of the engagement. If the organization later decides to share aggregated benchmarking data with an external HR analytics vendor, that transfer requires a written agreement before it can proceed.Why This Matters for HR and Compliance Teams
HR and People teams routinely handle sensitive workforce data. A clear, auditable data isolation boundary makes it straightforward to satisfy internal data governance policies, respond to employee privacy inquiries, and demonstrate compliance posture to your organization’s Data Protection Officer or legal counsel. Empuls supports this need with contractual commitments, certified controls, and a defined authorization process for any exceptions. Learn more: Empuls Help Centre — Security ComplianceEmpuls Data Retention and Deletion Policy
Understand how long Empuls retains engagement data, what triggers deletion, and how customers can request data removal.
How Empuls Handles GDPR Data Subject Requests
Learn how Empuls processes access, rectification, and erasure requests from employees under GDPR and equivalent privacy regulations.