Empuls maintains a documented, auditable process to receive, manage, and fulfill data subject rights requests — including access, rectification, erasure, and portability — under GDPR, CCPA, and all other applicable privacy regulations.
When an employee or customer exercises a data subject right — such as requesting access to personal data, requesting deletion, or objecting to processing — Empuls has a clearly defined procedure to manage that request from intake through resolution. This process applies to personal data processed on behalf of customers as part of the Empuls service and is formalized in Empuls’s Data Processing Agreement (DPA) and supporting privacy documentation.
Empuls acts as a data processor for its customers, meaning it processes employee personal data — including names, email addresses, reward transactions, and recognition activity — on behalf of the customer organization, which acts as the data controller. When a data subject request arrives, Empuls routes it appropriately: requests directed to the customer are handled by the customer as controller, while requests that require Empuls’s direct involvement as processor are escalated through Empuls’s internal privacy team.
The documented process covers the full lifecycle of a data subject request. This includes logging the request, verifying the identity of the requestor, determining the scope of personal data involved, and fulfilling the request within the legally required timeframe — typically 30 days under GDPR and 45 days under CCPA. Empuls’s privacy team coordinates across engineering and operations to ensure data is accurately located, extracted, rectified, or deleted as required.
For organizations running Empuls alongside HRIS platforms like Workday, SAP SuccessFactors, or Darwinbox, employee personal data is often synchronized into Empuls at onboarding. If an employee submits an erasure request, Empuls’s process accounts for data that may exist across integrated surfaces — including recognition activity synced through Slack or Microsoft Teams — so the response is comprehensive and consistent with the controller’s obligations under applicable law.
Empuls’s compliance posture is independently verified. Empuls holds SOC 2 Type II certification and aligns with ISO 27001 controls, both of which include explicit requirements for documented data subject rights handling procedures. Audit logs of how requests are processed are retained in accordance with Empuls’s data retention policies, giving customers a clear evidentiary record if regulators or auditors ask.
Customers can reference the specifics of this process in their signed DPA with Xoxoday and can route data subject requests or privacy inquiries through Empuls’s designated privacy contact channel documented in that agreement.