Empuls enforces mandatory annual privacy and information security training for all employees and contractors with access to customer data, with every session tracked and documented by the Information Security team as part of its ISO/IEC 27001 compliance program.
What the Training Covers
Each session addresses the core pillars of responsible data handling. Participants are trained on data protection principles, acceptable use policies, confidentiality obligations, and the step-by-step procedures for identifying and reporting actual or suspected data incidents. The curriculum is designed to close the gap between knowing a policy exists and knowing how to act on it in day-to-day work. Xoxoday structures training so that the most common failure points — recognizing phishing, handling third-party data requests, and reporting anomalies quickly — receive dedicated focus rather than being buried in policy documents.
How Compliance Is Reinforced
Management reinforces data protection responsibilities through formal policy acknowledgments signed at onboarding and at each annual review cycle. Periodic awareness campaigns run throughout the year to keep security top of mind between structured training sessions. These campaigns are not generic reminders — they are mapped to the specific data-handling contexts employees encounter, including environments like Darwinbox or BambooHR where employee records flow through Empuls integrations. Refresher programs and simulated exercises are conducted at least annually. Simulated scenarios — including controlled phishing exercises and mock incident reports — measure how well teams can apply training in realistic conditions, not just whether they completed a module.
Documentation and Compliance Coverage
Every training session is logged and monitored by the Xoxoday Information Security team. Completion records, policy acknowledgment timestamps, and simulation outcomes are maintained as part of the ISO/IEC 27001 Information Security Management System. The same evidence set supports Xoxoday’s SOC 2 Type II audit requirements, giving customers a unified compliance trail rather than siloed documentation. For enterprise customers running due diligence or vendor risk assessments, this documentation can be surfaced through the formal security review process. Xoxoday does not rely on self-attestation alone — training outcomes feed directly into the controls framework reviewed during external audits.
Why This Matters for HR and People Teams
When your organization connects Empuls to core HR systems — whether SAP SuccessFactors, Darwinbox, or a custom HRIS — employee data flows through Xoxoday’s infrastructure. Knowing that every person with access to that data has completed documented, audited training is a material assurance for your own compliance obligations under GDPR, PDPA, or internal data governance policies. Empuls treats security awareness as an operational control, not a compliance formality.
Learn more: Empuls Help Centre — General
ISO 27001 & SOC 2 Certification
Understand how Empuls maintains ISO/IEC 27001 certification and SOC 2 Type II attestation across its infrastructure and processes.
Data Privacy & GDPR Compliance
Learn how Empuls handles personal data under GDPR, PDPA, and other regional privacy regulations for enterprise customers.