Empuls is ISO 27001:2022 certified, independently audited for SOC 2 Type I and Type II, and compliant with GDPR, CCPA/CPRA, and HIPAA, applying identical enterprise-grade security and data privacy controls to every customer regardless of whether their workforce is based in the United States, Philippines, Dominican Republic, or India.
Xoxoday Empuls is built on a security and privacy foundation that meets the most demanding enterprise requirements. Xoxoday holds ISO 27001:2022 certification and has completed independent SOC 2 Type I and Type II audits. These are not self-declared commitments—they are externally verified controls that apply to every Empuls customer from day one, with no tiering by region or contract size.

Certifications and regulatory alignment

Empuls aligns with ISO 27001:2022 for Information Security Management, SOC 2 Type I and Type II, GDPR, CCPA and CPRA, and HIPAA for workloads involving protected health information. A formal Data Processing Addendum (DPA) is available for all customers, and documented Data Subject Access Rights procedures are in place to help organizations fulfill their obligations under GDPR and equivalent national frameworks.

Consistent protection across all regions

Whether employees are onboarded through an HCM integration with Workday, SAP SuccessFactors, or Darwinbox in the United States, Philippines, Dominican Republic, or India, Empuls applies the same technical and organizational controls uniformly. Xoxoday’s GDPR program explicitly commits to the same standard of privacy and security regardless of where a customer’s workforce is located. Region-specific contractual addenda are provided where local data protection law—such as India’s DPDP Act or the Philippine Data Privacy Act—requires them.

Technical security controls

Empuls runs on AWS, with Azure options available, using a microservices architecture. Data is encrypted in transit via HTTPS/TLS and encrypted at rest. Access is governed by multi-factor authentication, Single Sign-On via SAML and OAuth2, and role-based access control. Detailed audit trails, regular vulnerability assessment and penetration testing, and a secure development lifecycle round out the operational security posture.

Data residency and cross-border transfers

For organizations that must control where employee data is stored, Empuls supports multi-region deployment with data location controls. Customer data can be configured to reside in the United States or other approved regions. Notification and collaboration integrations such as Slack and Microsoft Teams operate within these same boundaries, ensuring engagement data generated through those channels is subject to the same residency and access-control policies.

How enterprise HR teams use this in practice

A People Operations team rolling out Empuls across a multi-country workforce can request the SOC 2 Type II report and ISO 27001 certificate directly from their Empuls account team, attach the signed DPA to vendor contracts, and satisfy information-security review boards without custom engineering work. The same evidence package covers regulatory due diligence for the United States, Philippines, Dominican Republic, and India simultaneously—reducing the compliance overhead of a single global deployment to a single documentation request.

Learn more: Empuls Help Centre — General

Data Residency and Region Selection

Learn how to configure where Empuls stores your employee data and how multi-region deployment supports cross-border transfer requirements.

SSO, MFA, and Access Control Setup

Set up SAML-based Single Sign-On, multi-factor authentication, and role-based access control to meet enterprise security standards.