Xoxoday Plum acts as a data processor — your organisation retains complete ownership of all data stored in the platform, including the right to access, modify, and delete it at any time.
Data ownership in Xoxoday Plum follows a clear and legally recognised model: your organisation is the data controller, and Xoxoday Plum is the data processor. This distinction matters. As the data controller, your organisation defines the purposes for which personal data is collected and processed. Xoxoday Plum processes that data solely according to your instructions, never for independent commercial purposes or third-party sharing outside the agreed scope.

What data ownership means in practice

Your team retains full rights to access, modify, export, and delete any data held within Xoxoday Plum. This includes employee records, reward transaction histories, redemption logs, and any personally identifiable information synced from your HR systems. There is no lock-in — your data remains yours throughout the contract lifecycle and after it ends.

When HR data flows in from systems such as Workday, SAP SuccessFactors, or Darwinbox via API integration, Xoxoday Plum treats that data as belonging to your organisation. The platform stores and processes it only to enable the reward and recognition workflows you have configured. If an employee record is updated or deleted in Workday, the corresponding data in Xoxoday Plum can be updated or purged to reflect that change.

Data processing agreements and compliance

Xoxoday Plum formalises this relationship through a Data Processing Agreement (DPA), which governs how data is handled, retained, and secured. The DPA aligns with GDPR requirements and supports organisations operating across the European Economic Area, the United Kingdom, and other jurisdictions with equivalent data protection legislation.

Xoxoday Plum holds ISO 27001 certification and SOC 2 Type II attestation. These independent audits verify that the controls protecting your data — access management, encryption, and incident response — meet recognised international standards. Your InfoSec and procurement teams receive documented evidence of how Xoxoday Plum manages data on your behalf.

Handling deletion and right-to-erasure requests

When an employee submits a right-to-erasure request under GDPR or a comparable regulation, your administrators initiate data deletion directly through Xoxoday Plum’s admin console or by raising a request with the support team. Xoxoday Plum processes such requests within the timelines defined in your DPA, ensuring your organisation meets regulatory obligations without delays caused by your vendor.

This model gives HR, IT, and legal teams confidence that adopting Xoxoday Plum does not transfer or dilute ownership of sensitive workforce data.

Learn more: Xoxoday Plum Help Centre — General

How does Xoxoday Plum handle data security?

Learn about the encryption standards, access controls, and certifications — including ISO 27001 and SOC 2 Type II — that protect your data in Xoxoday Plum.

Is Xoxoday Plum GDPR compliant?

Understand how Xoxoday Plum supports GDPR obligations, including lawful basis for processing, data subject rights, and cross-border data transfers.