Xoxoday Plum enables administrators to flag studies or projects as exempt from collecting personally identifiable information (PII) — such as names or Social Security Numbers — with exemption flags fully configurable by user role to support IRB compliance and research privacy protocols.
For organizations running research programs, incentive studies, or compliance-sensitive reward campaigns, collecting personally identifiable information is not always necessary, and in many cases it creates regulatory risk. Xoxoday Plum addresses this directly by allowing platform administrators to designate specific studies or projects as PII-exempt at the record level. Once a record is flagged, the system no longer prompts for or stores sensitive identifiers like participant names, Social Security Numbers, or other protected data fields.
This capability is built into the record creation workflow. When a project is created or configured, administrators can toggle the PII exemption flag directly on that record. The system then enforces those restrictions throughout the project lifecycle — from reward issuance to reporting exports — without requiring manual oversight at every touchpoint.
Role-Based Flag Assignment
Xoxoday Plum ties PII exemption flags to user roles, giving organizations granular control over who can view, assign, or modify exemption status. A compliance officer or IRB coordinator can be granted exclusive rights to toggle PII flags, while standard project managers or data entry users see only what their role permits. This separation of duties aligns with SOC 2 Type II access control principles and reduces the risk of unauthorized data exposure across large or distributed teams.
Practical Example
Consider a healthcare organization running a participant rewards program through Xoxoday Plum, integrated with Workday or SAP SuccessFactors for HR data. Certain studies — such as anonymous patient satisfaction surveys — must remain fully de-identified under IRB protocols. Administrators flag these studies as PII-exempt at creation, and Xoxoday Plum enforces those restrictions automatically, regardless of which team member interacts with the record downstream.
Compliance and Audit Support
PII exemption flags in Xoxoday Plum also contribute to a defensible audit trail. Compliance teams can review which projects carry exemption flags, who assigned them, and when — supporting documentation requirements tied to ISO 27001 certifications or institutional review board audits. This visibility is especially valuable in regulated industries such as healthcare, financial services, and academic research.
Organizations operating across multiple teams — syncing reward data to Darwinbox or surfacing notifications through Slack or MS Teams — benefit from consistent PII rule enforcement regardless of how or where project data flows.
Learn more: Xoxoday Plum Help Centre — Record creation