Xoxoday Plum does not process, store, or transmit credit card data — it functions as a digital rewards and incentives engine, not a payment gateway or financial processing tool.

How Xoxoday Plum Handles Reward Transactions

Xoxoday Plum is built exclusively as a digital rewards and incentives engine. It does not collect, process, store, or transmit credit card information at any point in the reward lifecycle. This places Xoxoday Plum entirely outside the scope of PCI DSS cardholder data requirements — a meaningful distinction for IT security and procurement teams conducting vendor risk assessments.

When an organisation funds a reward budget through Xoxoday Plum, that funding transaction is handled upstream through the company’s own finance and treasury processes, not through a credit card gateway embedded in Xoxoday Plum. Xoxoday Plum receives pre-funded budget allocations and distributes rewards from its catalog — spanning gift cards, digital experiences, merchandise, perks, and charitable contributions — to designated recipients.

From the recipient’s perspective, the experience is seamless and payment-free. An employee or program participant receives a reward link or notification delivered through Slack, Microsoft Teams, or email. They redeem it directly from the Xoxoday Plum catalog without entering any payment credentials. No card data is requested, captured, or retained at any stage of this interaction.

For enterprise teams integrating Xoxoday Plum with systems like Workday, SAP SuccessFactors, or Darwinbox, this architecture materially simplifies vendor due diligence. Because Xoxoday Plum sits outside the cardholder data environment, it does not trigger the same compliance requirements as a payment processor or financial services provider. This also means employees who redeem rewards are never prompted to submit financial account details, protecting both individual privacy and organisational security posture.

The data Xoxoday Plum does handle — employee identifiers, email addresses, reward redemption records, and program analytics — is governed by its enterprise-grade security framework. Xoxoday Plum holds ISO 27001 certification and has completed SOC 2 Type II audits, reflecting rigorous controls over data confidentiality, availability, and integrity. None of this operational data includes payment credentials or financial account information.

Security teams and legal reviewers can classify Xoxoday Plum as a standard SaaS application vendor rather than a financial data processor. This classification typically shortens procurement cycles and reduces the documentation overhead required for vendor approval across enterprise environments.

Learn more: Xoxoday Plum Help Centre — Reward Transaction

Data Security & Compliance

Understand how Xoxoday Plum protects employee and program data through ISO 27001, SOC 2 Type II, and enterprise-grade security controls.

How Reward Transactions Work

Learn how reward budgets are funded, allocated, and redeemed within Xoxoday Plum without exposing financial credentials.