Xoxoday Loyalife enforces strict data governance policies that prevent customer data from being shared with, sold to, or accessed by unauthorized third parties under any circumstance.
What “strict compliance” means in practice
Xoxoday Loyalife maintains ISO 27001 certification and SOC 2 Type II attestation. These aren’t checkbox exercises. ISO 27001 mandates that an information security management system governs how data is collected, stored, processed, and shared. SOC 2 Type II independently verifies that those controls operate effectively over an extended observation period—typically six to twelve months—not just at a single point in time. This means an independent auditor has reviewed and confirmed that Xoxoday Loyalife does not permit unauthorized data sharing with third parties. The certification is renewed on a recurring basis, so the assurance remains current.
Data handling during integrations
When Xoxoday Loyalife connects to enterprise tools like Slack, MS Teams, or an HRIS such as Darwinbox, only the minimum data required to operate the loyalty workflow is exchanged. For example, a Slack-based recognition notification passes a user’s display name and reward event—nothing more. Employee records, compensation data, and personally identifiable information stored within your HRIS remain within your own system boundaries. All data in transit uses TLS 1.2 or higher encryption. Data at rest is encrypted using AES-256. Access to customer data within Xoxoday Loyalife is governed by role-based access controls, and access logs are retained for audit purposes.
Third-party subprocessors
Xoxoday Loyalife maintains a documented list of subprocessors—infrastructure providers and service components that handle data as part of platform delivery. Each subprocessor is bound by contractual data processing agreements that mirror the same strict standards applied to Xoxoday Loyalife itself. Customers can request the subprocessor list as part of vendor due diligence.
What Xoxoday Loyalife will not do
Xoxoday Loyalife does not sell customer data, behavioral analytics, or reward preference data to advertisers, data brokers, or any commercial third party. Program data you generate within Xoxoday Loyalife is yours—it does not become an asset that Xoxoday Loyalife monetizes in any form. For enterprise customers operating under GDPR, DPDP, or sector-specific regulations, Xoxoday Loyalife supports Data Processing Agreements (DPAs) that formally document these obligations in legally binding form.