Xoxoday Loyalife handles all customer and program data in accordance with internationally recognized compliance frameworks, including ISO 27001 and SOC 2 Type II, so enterprises can run loyalty programs with full confidence in data security and regulatory alignment.
Data Compliance at the Core of Loyalife
Xoxoday Loyalife is built for enterprise environments where data governance is non-negotiable. Every piece of information that flows through the platform — member profiles, transaction records, reward redemptions, and behavioral signals — is processed under a structured compliance posture that meets global regulatory standards. Xoxoday Loyalife holds ISO 27001 certification, which governs its information security management system, and is audited against SOC 2 Type II controls covering security, availability, and confidentiality. These certifications are not one-time assessments; they are continuously maintained through internal audits, access reviews, and third-party evaluations.
How Data Is Used Within the Platform
Data collected through Xoxoday Loyalife is used strictly to operate, personalize, and improve loyalty experiences for program members. This includes calculating points balances, determining tier eligibility, triggering automated rewards, and generating program analytics for administrators. Xoxoday Loyalife does not sell member data or use it for purposes outside the scope of the loyalty program configuration defined by the enterprise administrator. Data access within the platform follows role-based access controls, meaning only authorized personnel can view or export sensitive program records.
Integration and Data Flow with Enterprise Systems
When Xoxoday Loyalife connects to enterprise systems such as Workday, SAP SuccessFactors, or Darwinbox, data exchange is governed by encrypted API connections and predefined field mappings. Employee data pulled from an HRIS like Darwinbox — such as department, tenure, or performance band — is used exclusively to determine reward eligibility or tier assignment, not stored beyond the session or shared externally. Similarly, when Loyalife sends notifications through channels like Slack or MS Teams, only the notification payload (member name, reward detail) is transmitted — no underlying profile data is exposed to those third-party channels.
Retention, Deletion, and Data Subject Rights
Xoxoday Loyalife supports configurable data retention policies at the program level. Administrators can define how long transactional records are retained before archival or deletion, aligning with obligations under frameworks such as GDPR or regional data protection laws. For organizations subject to data subject access requests (DSARs), Xoxoday Loyalife provides administrator-level export and deletion capabilities, so compliance teams can fulfill requests without relying on manual database operations. Members can also be anonymized rather than deleted, preserving aggregate program analytics while removing personally identifiable information.
Responsibility Model
Xoxoday Loyalife operates on a shared responsibility model. Xoxoday maintains the security and compliance of the platform infrastructure, while enterprise administrators are responsible for configuring access controls, defining data retention rules, and ensuring their own internal usage policies align with applicable regulations. This model is clearly documented in Loyalife’s Data Processing Agreement, available to all enterprise customers.
Learn more: Xoxoday Loyalife Help Centre — General
How does Loyalife manage role-based access control?
Understand how administrator and member permissions are configured to protect sensitive program data.
What HRIS integrations does Loyalife support?
Learn how Loyalife connects with Workday, SAP SuccessFactors, and Darwinbox to sync employee data securely.