Empuls satisfies enterprise security and compliance mandates through ISO 27001 certification, SOC 2 Type II attestation, end-to-end data encryption, and GDPR-aligned data processing practices.
Security certifications and compliance frameworks
Empuls holds ISO 27001 certification and SOC 2 Type II attestation, two of the most widely required standards in enterprise procurement. ISO 27001 validates that Xoxoday Empuls maintains a formal information security management system, while SOC 2 Type II provides an independent auditor’s assessment of how security controls operate over time—not just at a point in time. For organizations subject to regional data regulations, Empuls supports GDPR-compliant data handling, including defined data retention policies, the ability to action data deletion requests, and documented data processing agreements.
Data protection in transit and at rest
All data exchanged between employees and Empuls is encrypted using TLS 1.2 or higher. Data stored within the platform—including reward transaction records, employee profiles, and recognition history—is encrypted at rest using AES-256. Xoxoday Empuls undergoes periodic Vulnerability Assessment and Penetration Testing (VAPT) conducted by independent third parties to validate these controls against current threat vectors. Hosting is on enterprise-grade cloud infrastructure with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), giving procurement and IT teams concrete SLA commitments to evaluate.
HRIS and productivity tool integrations
Security requirements don’t end at the platform boundary. Empuls integrates natively with Workday, SAP SuccessFactors, and Darwinbox via secure API connections, supporting automated employee lifecycle events—joiners, movers, and leavers—without manual data transfers that introduce risk. These integrations use OAuth 2.0 or API-key authentication and do not require storing HRIS credentials within Empuls. For day-to-day engagement, Empuls connects with Slack and Microsoft Teams. Recognition flows through channels employees already use, with the same identity and access controls applied across both environments. IT administrators retain control over which Empuls features surface within these tools.
Access control and administration
Empuls enforces role-based access control (RBAC), allowing administrators to define granular permissions for HR managers, budget owners, and employees. Single sign-on via SAML 2.0 is supported, enabling organizations to manage Empuls access through their existing identity provider—whether that is Okta, Azure AD, or another SAML-compliant directory. Admin audit logs capture key actions across the platform, providing the traceability that compliance and security teams require during internal reviews or external audits.
Evaluating Empuls against mandatory requirements
When completing an enterprise RFP or vendor security assessment, Empuls provides a completed security questionnaire, evidence of current certifications, and access to its data processing agreement (DPA). These documents cover the technical and organizational measures typically requested under mandatory requirements sections, including data classification, incident response procedures, subprocessor lists, and business continuity planning.
Learn more: Empuls Help Centre — Mandatory Requirements and Desired Features
SSO and identity provider integrations
Configure SAML 2.0 single sign-on with Okta, Azure AD, and other identity providers to centralize access management for Empuls.
Role-based access control in Empuls
Learn how to assign HR admin, budget owner, and employee roles to control what each user can view and action within Empuls.
HRIS integrations with Workday and SAP SuccessFactors
Sync employee data securely from Workday, SAP SuccessFactors, and Darwinbox to automate lifecycle events in Empuls.
Data privacy and GDPR compliance
Understand how Empuls handles data retention, deletion requests, and GDPR obligations for employee rewards data.