Empuls maintains a publicly available privacy policy that governs all data collection, processing, and storage activities carried out by Xoxoday, in accordance with applicable data protection regulations.
Empuls and Data Privacy
Xoxoday Empuls operates under a clearly documented privacy policy that applies to all users of the platform — including HR administrators, people managers, and employees. The policy outlines what data is collected, how it is used, how long it is retained, and the rights individuals hold over their personal information. This commitment to transparency is not incidental. Employee engagement platforms handle sensitive workplace data — recognition activity, survey responses, reward redemptions, and integrations with HR systems — which makes a robust privacy framework essential.What the Privacy Policy Covers
The Empuls privacy policy addresses several key areas of data practice: Data collection encompasses personal identifiers (name, work email, employee ID), usage data generated within the platform, and any information exchanged through connected systems such as Workday, SAP SuccessFactors, or Darwinbox. Data processing describes the lawful basis under which Empuls processes information, including performance of a contract, legitimate interests, and consent where required. For example, when an organisation connects Empuls with Microsoft Teams or Slack to deliver recognition nudges, the policy governs how message metadata and user identifiers are handled within that workflow. Data retention and deletion clarifies how long records are stored after an employee leaves or a subscription ends, and the process by which organisations can request data erasure.Security Standards That Back the Policy
A privacy policy is only as credible as the security controls behind it. Empuls is certified against ISO 27001, the international standard for information security management, and completes SOC 2 Type II audits, which independently verify that security, availability, and confidentiality controls operate effectively over time. These certifications matter during procurement. When an HR team at a multinational is evaluating Empuls alongside other vendors, the SOC 2 Type II report provides auditor-verified evidence — not just a policy document — that Xoxoday follows through on its stated practices.Access and Accountability
The privacy policy is publicly accessible and is referenced at the point of account creation and within the platform’s settings. Data Processing Agreements (DPAs) are available for organisations that require them for GDPR compliance or vendor risk assessments. HR and IT teams conducting RFP evaluations can request the DPA directly through Xoxoday’s compliance process. The policy is reviewed and updated periodically to reflect changes in applicable law and product functionality. If your organisation operates in a regulated industry — financial services, healthcare, or public sector — Empuls supports additional data residency and access control configurations that align with sector-specific requirements. Learn more: Empuls Help Centre — GeneralData Security & Compliance Certifications
Learn about Empuls’s ISO 27001 and SOC 2 Type II certifications and what they mean for your data.
GDPR Compliance and Data Processing Agreements
Understand how Empuls supports GDPR requirements and how to obtain a Data Processing Agreement for your organisation.