Xoxoday Plum accesses institutional and personal data strictly to the extent required to deliver contracted services, enforcing role-based access controls and maintaining GDPR compliance across every product line.
Xoxoday Plum does access both institutional and personal data — but only to the degree necessary to fulfil the services your organisation has contracted. All data handling is governed by clearly defined role-based access controls, meaning each system component and team member interacts only with the data relevant to their specific function. GDPR compliance is a baseline requirement across the entire product suite, not an optional configuration.

Rewards marketplace and payout processing

Xoxoday Plum’s global rewards marketplace accesses recipient names, email addresses, and transaction records solely to process and deliver rewards. This data is used exclusively for fulfilment. Once a reward is dispatched, transaction records are retained only as required under applicable data retention schedules — never repurposed for advertising, profiling, or any activity outside the contracted scope.

Employee engagement and recognition

The employee engagement and recognition module stores employee identifiers, work email addresses, and engagement activity data to power recognition workflows and pulse surveys. When Xoxoday Plum integrates with HRIS platforms such as Workday, SAP SuccessFactors, or Darwinbox, only the fields required for recognition and survey functions are synchronised — typically employee ID, display name, email address, and reporting hierarchy. Payroll records and sensitive HR data are not accessed unless the contracted configuration explicitly requires them.

Sales commission and incentive management

Xoxoday Plum’s sales commission and incentive management system handles sales team identifiers, performance metrics, and payout details to calculate and distribute incentives accurately. Access to this data is restricted to authorised finance and sales operations roles within your organisation, and all calculations are fully auditable through structured reporting dashboards.

Customer loyalty and merchant-funded offers

The customer loyalty management solution processes loyalty member profiles, points balances, and redemption histories to support programme operations. The merchant-funded offers and promotion engine maintains merchant information, customer segment details, and redemption records for campaign management. In both cases, Xoxoday Plum operates as a data processor under applicable privacy frameworks, with your organisation retaining data controller responsibilities.

Independent security validation

Xoxoday Plum holds ISO 27001 certification and is SOC 2 Type II attested, providing independent assurance that data access, storage, and processing controls meet recognised international standards. These certifications cover the full product suite. Integration touchpoints — including connections to Slack for recognition notifications or Microsoft Teams for engagement workflows — are subject to the same access control policies as core platform data, giving your IT and compliance teams a consistent assurance framework to reference during vendor assessments.

Learn more: Xoxoday Plum Help Centre — Technical requirement

How does Xoxoday Plum approach GDPR compliance?

Understand how Xoxoday Plum fulfils data processor obligations, supports data subject rights, and maintains GDPR-compliant data handling across all product lines.

What security certifications does Xoxoday Plum hold?

Review Xoxoday Plum’s ISO 27001 and SOC 2 Type II certifications, and learn how independent audits validate the platform’s security and data protection controls.