Xoxoday Plum processes user-submitted data that may include regulated information, securing it through encryption, role-based access control, and compliance with HIPAA, GDPR, and CCPA standards.
Xoxoday Plum processes user-provided data across surveys, reward redemptions, and campaign workflows. These inputs can include information subject to regulatory frameworks such as HIPAA, GDPR, and CCPA. Xoxoday Plum is built to handle this data responsibly from the moment it enters the system.

Configurable Data Collection

When your organisation runs an engagement survey or configures a redemption flow integrated with Workday or SAP SuccessFactors, Xoxoday Plum allows you to scope data collection fields to your internal classification policies. Your teams define what information is collected, how it is labelled, and how long it is retained. This gives compliance and HR leaders direct control over the information lifecycle without requiring separate tooling.

Encryption at Rest and in Transit

All data submitted through Xoxoday Plum is encrypted at rest and in transit using industry-standard protocols. Whether information flows from a campaign form or a Darwinbox-connected incentive workflow, it stays protected across every touchpoint. Xoxoday Plum holds SOC 2 Type II and ISO 27001 certifications, providing independent verification that its security controls meet enterprise standards.

Role-Based Access Control

Xoxoday Plum enforces role-based access control (RBAC) across all modules. Only users with the appropriate permissions can view, export, or act on sensitive data fields. For example, a campaign manager configuring a reward flow does not automatically gain visibility into response data flagged as restricted under your organisation’s data classification rules.

Regulatory Compliance by Design

Xoxoday Plum supports compliance with HIPAA, GDPR, and CCPA as applicable to your deployment. For organisations operating across multiple jurisdictions — including those using MS Teams or Slack integrations to distribute reward notifications globally — data handling practices adapt to regional requirements automatically. No additional configuration is needed to align with each region’s regulatory baseline.

Client-Defined Retention Rules

Xoxoday Plum enables your organisation to set its own data retention schedules for regulated inputs. When a campaign or survey cycle closes, your data governance team can configure automated deletion or archival rules aligned with your internal compliance obligations. This ensures regulated data does not persist beyond its authorised lifespan.

Learn more: Xoxoday Plum Help Centre — Data, Policy & Privacy