Xoxoday Plum does not operate any fully automated decision-making processes — all actions involving customer data, compliance matters, or business rules require explicit human review before execution.
Human Oversight as a Core Principle
Xoxoday Plum is built on the principle that automated systems support human judgment rather than replace it. No customer-facing decision — whether it involves reward disbursement, incentive calculation, or data processing — executes without a human checkpoint in the workflow. This ensures that fairness, accuracy, and accountability remain verifiable at every step.
This approach is particularly important in enterprise environments where Xoxoday Plum integrates with HRIS platforms like Workday, SAP SuccessFactors, or Darwinbox. When reward triggers flow in from these systems, Xoxoday Plum processes them within a governed framework that requires human validation before any consequential action is taken on employee or customer data.
A Documented Governance Framework
Xoxoday Plum maintains a documented governance framework for all automated processing activities, anchored by two core policies: the GDPR Data Protection Policy and the Data Retention & Disposal Policy. These documents define how automated processes are scoped, validated, and audited across the platform.
The framework establishes clear procedures for validating processing accuracy, monitoring system performance, and logging decisions at each stage. This documentation is foundational to Xoxoday Plum’s alignment with ISO 27001 and SOC 2 Type II standards, both of which require evidence-based control environments for data processing activities.
Managing Data Subject Rights
One area where governance is especially critical is handling data subject requests. Under GDPR, individuals have the right to access, correct, or erase their personal data. Xoxoday Plum’s governance framework includes defined workflows for processing these requests — ensuring they are acknowledged, routed to the appropriate team, and resolved within regulatory timeframes.
Rather than delegating these requests to automated routing alone, Xoxoday Plum ensures that a qualified team member reviews each request before action is taken. This prevents errors that fully automated systems can introduce when processing ambiguous or conflicting data requests.
Annual Review by the Information Security Team
Xoxoday Plum’s GDPR Data Protection Policy and Data Retention & Disposal Policy are reviewed annually by the Information Security team. These reviews assess whether existing controls remain effective, whether new processing activities require updated governance, and whether emerging regulatory guidance demands policy revisions.
This annual cycle ensures that Xoxoday Plum’s automated processing governance stays current as the product evolves — covering new integrations, updated data flows, and expanding compliance obligations across regions. Notifications or alerts triggered through connected tools like Slack or Microsoft Teams also fall within this governance scope when they involve personal data.
Learn more: Xoxoday Plum Help Centre — Process, Strategy & Methodology
GDPR Compliance on Xoxoday Plum
Understand how Xoxoday Plum aligns with GDPR requirements, including lawful bases for processing, data subject rights, and DPA agreements.
Data Retention and Disposal Policy
Learn how Xoxoday Plum defines retention periods, manages data disposal, and ensures personal data is not held longer than necessary.