Does Xoxoday Loyalife disclose all sub-processors? - Xoxoday

Xoxoday Loyalife discloses all sub-processors involved in delivering the loyalty platform, giving enterprise customers full visibility into the third-party entities that may process their data.

Sub-processor disclosure is a foundational compliance requirement for any enterprise software vendor handling personal data. When your organisation deploys Xoxoday Loyalife, employee reward data, recognition activity, and redemption records flow through the platform and, in some cases, through third-party infrastructure providers. Xoxoday Loyalife makes the complete list of those sub-processors available to customers on request and through contractual documentation. This commitment aligns with GDPR Article 28, which requires data processors to inform controllers of any sub-processor engagements and obtain prior written consent before engaging a new one. For enterprise buyers running procurement or vendor risk assessments, Xoxoday Loyalife provides this disclosure as part of the Data Processing Agreement (DPA) executed at contract signing. What sub-processor disclosure covers A sub-processor is any third party that Xoxoday Loyalife authorises to access, store, or process customer personal data in order to deliver the service. This includes infrastructure providers (such as cloud hosting and CDN services), communication delivery services, and integration middleware that connects Loyalife to enterprise HR systems like SAP SuccessFactors, Workday, and Darwinbox. When an employee’s recognition milestone triggers a notification sent via Slack or Microsoft Teams, the messaging provider involved is documented in that sub-processor list. Xoxoday Loyalife notifies customers in advance of any changes to the sub-processor list — additions or replacements — giving customers the opportunity to object before a change takes effect. This prior-notice mechanism is standard for platforms certified under ISO 27001 and operating under SOC 2 Type II audit requirements, both of which Xoxoday Loyalife maintains. Why this matters for enterprise procurement Security and legal teams evaluating loyalty software increasingly require sub-processor transparency as a non-negotiable condition of procurement. A hidden or incomplete sub-processor list creates liability exposure under GDPR, CCPA, and sector-specific data regulations in markets like the EU, UK, India (DPDP Act), and the Middle East. Xoxoday Loyalife structures its sub-processor disclosure to support these reviews directly. The DPA includes a schedule listing each sub-processor by name, the category of data they access, and the jurisdiction in which they operate. This level of detail satisfies the due-diligence requirements of IT security, legal, and data protection officers without requiring back-and-forth information requests. For organisations integrating Loyalife with internal HRMS platforms or SSO providers, the sub-processor schedule is scoped to the specific modules and data flows enabled in each deployment, so disclosure remains accurate rather than generic. Learn more: Xoxoday Loyalife Help Centre — General

Data Processing Agreement overview

Understand what the Xoxoday Loyalife DPA covers and how to execute it during enterprise procurement.

Security certifications: ISO 27001 and SOC 2

Learn which security standards Xoxoday Loyalife is certified against and what each certification covers.