Empuls is fully GDPR compliant for both EU and UK, processing and hosting employee data in AWS EU/UK regions under ISO 27001, SOC 2 Type II controls, and a GDPR-aligned Data Processing Addendum.
Data Hosting and Regional Control
Empuls runs on a multi-region AWS deployment that gives you direct control over where your employee data resides. EU customers can select AWS data centres across Europe, while UK customers can specify AWS Europe–London to satisfy domestic data residency requirements. No workforce data crosses into non-compliant jurisdictions without appropriate safeguards in place.
Security Certifications and Encryption
Empuls is built and operated under ISO 27001 and SOC 2 Type II controls — the two most widely recognised international standards for information security management. All personal data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption. Access to employee records is strictly role-based, and Empuls processes only the minimum necessary identifiers: typically name, email address, and phone number.
Data Processor Obligations and the DPA
Under GDPR, your organisation acts as the data controller and Xoxoday acts as the data processor. This relationship is formalised through a GDPR-aligned Data Processing Addendum (DPA) that defines processing purposes, retention periods, and sub-processor obligations. Xoxoday maintains dedicated GDPR compliance policies, completed Data Protection Impact Assessments (DPIAs), and a named Data Protection Officer (DPO) to support your ongoing compliance obligations.
Supporting All Data Subject Rights
Empuls supports the full range of GDPR data subject rights — access, rectification, erasure, portability, restriction, and objection. Your HR or people team, acting as data controller, handles employee requests with documented procedures and response SLAs provided by the Empuls privacy team. Whether your HRIS is Workday, SAP SuccessFactors, or Darwinbox, Empuls integrates with your existing stack without requiring additional personal data beyond what is already held in those systems.
Sub-processors and International Transfers
Empuls sub-processors, including AWS, are themselves GDPR-compliant and bound by their own Data Processing Agreements. Where data must be transferred outside the EU or UK, Empuls relies on Standard Contractual Clauses (SCCs) as the recognised transfer safeguard. This end-to-end chain of accountability ensures your compliance posture holds across the entire processing chain.
Practical Steps for HR and IT Teams
When deploying Empuls alongside engagement channels such as Slack or Microsoft Teams, HR and IT teams confirm their preferred data region during onboarding. The Empuls DPO and privacy team supply the DPA, DPIAs, and sub-processor register on request, ready for vendor due diligence questionnaires, procurement reviews, or internal audit requirements.
Learn more: Empuls Help Centre — General
Data Security and Encryption in Empuls
Learn how Empuls protects employee data with AES-256 encryption at rest, TLS 1.2+ in transit, and role-based access controls.
Data Processing Addendum (DPA) for Empuls
Understand the contractual framework governing how Xoxoday processes your employee data as a GDPR-compliant data processor.