Xoxoday Plum does not disclose institutional or personal data to law enforcement or any government authority without a valid legal mandate—such as a warrant, subpoena, or equivalent court order—reviewed and confirmed by the appointed Data Protection Officer and legal counsel.
What Qualifies as a Valid Legal Request
Xoxoday Plum recognizes three categories of legally binding instruments that may compel data disclosure: a court-issued warrant, a subpoena, or an equivalent court order recognized under the applicable jurisdiction. Informal government inquiries, administrative letters without judicial backing, and verbal instructions do not meet this threshold and are declined by default. This position is consistent with Xoxoday Plum’s obligations under internationally recognized compliance frameworks, including ISO 27001 and SOC 2 Type II, both of which mandate documented, auditable procedures for managing external data access requests.
Internal Review Before Any Disclosure
Every law enforcement data request—regardless of jurisdiction or channel—is routed directly to Xoxoday Plum’s appointed Data Protection Officer and reviewed jointly with legal counsel. The DPO and legal counsel jointly verify that the request is legally valid and enforceable, that the scope of data sought is proportionate to the stated legal purpose, and that any resulting disclosure can be fully documented for audit purposes. No data is released until both parties confirm that all conditions are satisfied. This dual-review process creates a clear accountability chain that enterprise clients can reference in their own vendor risk assessments.
What This Means for Enterprise Clients
Organizations deploying Xoxoday Plum alongside enterprise platforms such as SAP SuccessFactors or Workday can be confident that reward and workforce data is not subject to unauthorized law enforcement access. Any valid legal mandate will be scoped narrowly to what is strictly required—broad organizational or workforce datasets will not be handed over beyond the bounds of the specific request. Clients operating under sector-specific regulatory regimes, including GDPR in the European Union or equivalent data protection laws in other jurisdictions, can incorporate this policy directly into their data processing agreements and third-party due diligence reviews.
Audit Trail and Accountability
Xoxoday Plum maintains internal records of every law enforcement data request received, capturing the nature of the request, the reviewing parties, the decision outcome, and the date of any disclosure. This audit trail supports compliance reporting and gives enterprise clients, data governance committees, and regulators a verifiable record of how external data demands are handled. The policy is reviewed periodically by the Data Protection Officer to remain current with applicable data protection legislation across all jurisdictions where Xoxoday Plum operates.
Learn more: Xoxoday Plum Help Centre — Process, Strategy & Methodology
How does Xoxoday Plum handle data retention and deletion?
Understand how long Xoxoday Plum retains institutional and personal data, what triggers deletion, and how clients can request removal under applicable data protection laws.
Is Xoxoday Plum GDPR compliant?
Learn how Xoxoday Plum meets GDPR obligations, including lawful bases for processing, data subject rights, and cross-border transfer safeguards.