Empuls: Records of Processing Activities (ropa) - Xoxoday

Empuls maintains a comprehensive Records of Processing Activities (RoPA) and an audited data inventory, reviewed periodically by the Information Security team, in full compliance with GDPR and ISO/IEC 27001.

Xoxoday Empuls maintains detailed Records of Processing Activities (RoPA) as a core component of its data governance framework. These records satisfy a formal requirement under the General Data Protection Regulation (GDPR) and are integral to Empuls’s alignment with ISO/IEC 27001, the international standard for information security management. The RoPA documents every category of personal data that Empuls collects and processes — including employee identifiers, engagement data, reward transaction records, and communication logs. For each data type, the record specifies the legal basis for processing, the intended purpose, the applicable retention period, and whether the data flows to any third-party sub-processors. Empuls clearly distinguishes between its role as a data processor and the responsibilities of its customers as data controllers. When an organization connects Empuls to an HRIS such as Workday, SAP SuccessFactors, or Darwinbox, the data flows from the controller’s system into Empuls under a documented processing relationship. That relationship — including the scope of data shared and the conditions governing its use — is captured within the data inventory and governs how Empuls stores, processes, and eventually deletes that data. The Information Security team at Xoxoday periodically reviews and updates the inventory to reflect changes in product features, integrations, and regulatory requirements. This review cadence keeps the records accurate rather than treating them as a static, point-in-time snapshot. The result is a living document that internal auditors, DPOs, and customer compliance officers can rely on during formal assessments. For organizations operating in regulated industries, Empuls’s RoPA serves as a verifiable artifact. During a GDPR audit, a data protection officer can request structured evidence of processing activities, and Empuls provides documentation covering retention timelines, processing purposes, and processor roles. This is equally relevant for customers whose compliance programs are anchored to SOC 2 Type II controls or ISO/IEC 27001 certification requirements. Empuls treats RoPA as an operational control rather than a checkbox exercise. That means decisions about how new features handle personal data, how long records are retained after an employee offboards, and how integrations with tools like Slack or Microsoft Teams are structured from a data-flow perspective are all informed by the same inventory. The effect is a consistent, auditable trail that spans the full lifecycle of employee data inside Empuls. Learn more: Empuls Help Centre — General

How Does Empuls Handle GDPR Compliance?

Understand how Empuls supports data subject rights, lawful processing bases, and cross-border data transfer mechanisms under GDPR.

What Is Empuls's Data Retention Policy?

Learn how long Empuls retains different categories of employee data and what happens to that data when a contract ends or an employee offboards.