Xoxoday Loyalife enforces mandatory (M) compliance requirements that restrict bidder and vendor behaviour to protect enterprise data, maintain regulatory integrity, and meet international security standards.
Mandatory Compliance Boundaries for Bidders and Vendors
When organisations evaluate or onboard Xoxoday Loyalife as part of a formal procurement or RFP process, bidders are bound by a set of mandatory compliance controls. These controls are non-negotiable and exist to protect both the enterprise customer and the integrity of the loyalty programme data residing on the platform. Xoxoday Loyalife classifies certain obligations as Mandatory (M), meaning the bidder must not deviate from them under any circumstances — regardless of contractual workarounds or technical exceptions.
What Bidders Must Not Do
Bidders and implementation partners working with Xoxoday Loyalife must not access, transfer, or process employee reward data outside the jurisdictions defined in the enterprise data residency agreement. This is especially relevant for organisations using Xoxoday Loyalife alongside HR systems such as Workday, SAP SuccessFactors, or Darwinbox, where employee PII flows between platforms during programme setup. Bidders must not introduce third-party sub-processors or integration connectors — including custom Slack or MS Teams notification workflows — without prior written authorisation and a completed data processing addendum. Any unauthorised connector that touches the Xoxoday Loyalife API endpoint constitutes a compliance breach under the mandatory controls framework. Vendors must not misrepresent their certification status. Xoxoday Loyalife requires that all implementation partners maintain valid ISO 27001 certification and, where applicable, SOC 2 Type II attestation. Submitting a bid or proposal without current, verifiable credentials disqualifies the bidder from the engagement.
Why These Controls Exist
Enterprise loyalty programmes consolidate sensitive data — point balances, redemption histories, employee performance triggers — across business units. A single misconfigured integration or an uncertified sub-vendor can expose that data to regulatory risk under GDPR, DPDP, or sector-specific frameworks. Xoxoday Loyalife’s mandatory compliance layer ensures that every party in the delivery chain meets the same baseline before go-live. An enterprise running Xoxoday Loyalife alongside SAP SuccessFactors for milestone-based rewards, for example, must confirm that the SI partner handling the SuccessFactors connector holds the same data handling certifications as the primary contract holder.
Consequences of Non-Compliance
Xoxoday Loyalife reserves the right to suspend API access, revoke partner credentials, or escalate findings to the enterprise procurement team if a bidder is found in violation of mandatory compliance controls. These actions are defined in the vendor onboarding agreement and are not subject to a cure period for Mandatory-class violations. Organisations assessing Xoxoday Loyalife for large-scale rollouts should confirm partner compliance status during the RFP evaluation stage — not after contract signature.
Learn more: Xoxoday Loyalife Help Centre — General
Data Residency and Storage Controls
Understand where Xoxoday Loyalife stores employee and rewards data and how residency zones are configured per enterprise agreement.
Security Certifications: ISO 27001 and SOC 2
Review the compliance certifications Xoxoday Loyalife holds and what they mean for enterprise procurement teams.