Xoxoday Plum captures and stores full legal names, Social Security Numbers (SSNs), and permanent contact information for human subjects, protected by AES-256 encryption and role-based access controls that meet HIPAA and GDPR compliance standards.
When running clinical trials, academic studies, or large-scale incentive programs, accurate participant records are non-negotiable. Xoxoday Plum captures full legal names, Social Security Numbers (SSNs), and permanent contact details — including mailing addresses — as part of its participant record management workflow. This data is retained in a structured, searchable format that supports downstream reporting, tax documentation, and audit readiness.

End-to-End Data Encryption

All sensitive fields — SSNs, legal names, and permanent addresses — are encrypted at rest and in transit using AES-256 encryption. Xoxoday Plum applies this protection automatically at the point of data entry, so there is no gap between capture and storage. Whether participants submit information through a self-service portal or records are imported from an HR system like Workday or SAP SuccessFactors, the encryption layer remains consistent across every ingestion path.

Role-Based Access and Least Privilege

Xoxoday Plum enforces access control through a role-based permission model built on the principle of least privilege. Administrators, program managers, and finance team members each see only the data fields their role requires. A rewards program manager coordinating a participant incentive campaign does not have visibility into SSNs — that access is restricted to authorized compliance or finance personnel only. This segmentation reduces the risk of internal data exposure without disrupting day-to-day operations.

HIPAA and GDPR Compliance

For organizations conducting human subjects research — including pharmaceutical companies, academic institutions, and healthcare organizations — regulatory compliance is mandatory. Xoxoday Plum is designed to align with both HIPAA and GDPR requirements. Data processing agreements, consent capture workflows, and tamper-evident audit logs are built into the system to support compliance documentation. Xoxoday Plum also maintains SOC 2 Type II certification, providing independent third-party validation of its security controls alongside ISO 27001-aligned practices.

A Practical Example

Consider a clinical research organization running a multi-site study that requires participant stipends. Xoxoday Plum captures each participant’s legal name and SSN at enrollment, stores that information in an encrypted record, and uses it to generate IRS Form 1099 data at year-end — all within a single workflow. Reward status notifications can be routed through integrated channels such as email or MS Teams without exposing SSN data in those communication layers.

Data Integrity and Audit Trails

Xoxoday Plum maintains a complete audit trail for every record creation and modification event. Administrators can review who accessed or updated a participant’s record and when, supporting both internal governance requirements and external audit requests. Data retention policies are configurable to align with organizational or regulatory mandates, ensuring records are kept for the required period and securely purged thereafter.

Learn more: Xoxoday Plum Help Centre — Record creation
