Skip to main content
Empuls deletes or returns all customer data—including originals, copies, and derivatives—within 30 days of contract expiration or termination, following NIST SP800-88 “Clear” media sanitization standards, and issues written certification upon completion.
When a contract with Xoxoday Empuls ends, your organization retains full control over its data. Empuls commits to returning, deleting, or destroying all customer data within 30 days of contract termination, expiration, or at any point when there is no longer a legitimate business need to retain it. This applies to all data formats and storage media—originals, backup copies, and any derived materials.

How Empuls Handles Data Deletion

Empuls performs media sanitization in accordance with NIST Special Publication 800-88, Appendix A, specifically the “Clear” standard. This guideline, published by the National Institute of Standards and Technology, defines verifiable techniques for overwriting data so it cannot be reconstructed or recovered. Once deletion is complete, Empuls provides a formal written certification confirming all actions have been carried out. Before deletion begins, your organization has the option to request a full data backup. This is particularly useful for organizations that need to migrate historical engagement data—such as recognition records, reward redemptions, or survey responses—into another HR system like Workday, SAP SuccessFactors, or Darwinbox before the Empuls instance is decommissioned. In cases where applicable law prevents the immediate return or destruction of specific data, Empuls notifies the client in writing and explains the legal basis for retaining it. Empuls does not continue processing that data for any purpose without the client’s explicit prior written consent. This ensures that regulatory constraints never result in unauthorized use of retained information.

Obligations That Survive Contract Termination

Data security obligations do not end when the contract does. Empuls maintains its commitments to protect the confidentiality and integrity of customer data even after the business relationship has formally concluded. This aligns with the requirements of frameworks such as ISO 27001 and SOC 2 Type II, both of which Empuls is certified against, and which require vendors to demonstrate continued data protection controls beyond the contract lifecycle. For organizations using Empuls alongside tools like Slack or Microsoft Teams for recognition workflows, data generated through those integrations is also covered under the same deletion and sanitization commitments. No channel-specific or integration-specific data is exempt.

Requesting Data Deletion or a Pre-Deletion Backup

To initiate data return or deletion, submit a written request to your Empuls account team. Empuls will confirm receipt, execute the deletion or return process, and deliver written certification within the 30-day window. Learn more: Empuls Help Centre — Security Compliance

How does Empuls protect data at rest and in transit?

Empuls encrypts all customer data using AES-256 at rest and TLS 1.2+ in transit across every environment.

Is Empuls SOC 2 Type II and ISO 27001 certified?

Empuls holds SOC 2 Type II and ISO 27001 certifications, with audit reports available on request under NDA.