Empuls maintains a comprehensive Records of Processing (RoP) data inventory that documents every category of personal data collected, stored, and processed on behalf of each customer, in accordance with GDPR Article 30 obligations.
What Records of Processing Mean for Your Organisation
A Records of Processing Activities (RoPA) document is a formal inventory that maps exactly what personal data a data processor holds, why it is held, where it flows, and how long it is retained. Under GDPR Article 30, processors handling data on behalf of controllers are required to maintain this record. Empuls treats this obligation as a baseline standard, not a compliance checkbox. Xoxoday Empuls acts as a data processor when it handles employee information provided by customer organisations. This means the RoP maintained by Empuls captures the full lifecycle of that data — from initial ingestion through to deletion — across every processing activity the platform performs.What the Empuls Data Inventory Covers
The Empuls Records of Processing inventory includes the categories of personal data collected (such as employee names, email addresses, and work identifiers), the purposes for which each category is processed, the legal basis for processing, data retention periods, and the identities of any sub-processors involved. When an organisation connects Empuls to an HRIS such as Workday, SAP SuccessFactors, or Darwinbox, the data flows triggered by that integration are separately documented within the RoP. This means HR and compliance teams can trace exactly which employee attributes are pulled from the source system, how they are used within Empuls for recognition and rewards workflows, and when they are purged.How This Supports Your Compliance Programme
Maintaining a verified RoP from Empuls gives your Data Protection Officer or Legal team a reliable artefact for responding to regulatory audits, Data Subject Access Requests (DSARs), and vendor due-diligence questionnaires. Rather than relying on informal assurances, you receive documented evidence of processing activities that can be incorporated directly into your own Records of Processing. Empuls’s approach to data governance is independently validated. The platform holds ISO 27001 certification and has completed SOC 2 Type II audits, both of which require demonstrable controls around data mapping and inventory maintenance. The RoP is reviewed and updated as part of Empuls’s internal audit cycle to reflect any changes in processing scope, new integrations, or updated retention policies.Requesting the Records of Processing
Customers can request a copy of the Empuls Records of Processing applicable to their account through their dedicated Customer Success contact or via the data privacy request process. Empuls provides this documentation to support your organisation’s own GDPR compliance obligations without requiring a separate legal agreement for each request. Learn more: Empuls Help Centre — GeneralEmpuls Sub-Processors List
See every third-party sub-processor Empuls engages, including their role and data processing location.
GDPR Compliance on Empuls
Understand how Empuls fulfils its obligations as a data processor under GDPR for EU and UK customers.
Data Retention Policy
Review default and configurable data retention periods for employee records processed by Empuls.
Security Certifications
Explore Empuls’s ISO 27001 and SOC 2 Type II certifications and what they cover.