Xoxoday Plum is fully compliant with both the EU General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL), with built-in consent management, data subject rights workflows, pseudonymisation, encryption, and regional data localisation for the EU and China.
Xoxoday Plum processes personal data on behalf of global organisations and is certified for compliance with both GDPR and PIPL. These frameworks govern how personal data must be collected, stored, processed, and deleted — and Xoxoday Plum meets every requirement across all of those stages.

Xoxoday Plum’s consent management workflows allow administrators to configure opt-in and opt-out flows at the point of data collection. Only data necessary for a declared, specific purpose is gathered. For example, when Xoxoday Plum connects to Workday or SAP SuccessFactors to sync employee records for rewards fulfilment, only the fields required for that transaction are pulled through — not an employee’s full HR profile.

Data Subject Rights

Under both GDPR and PIPL, individuals hold the right to access, correct, delete, and export their personal data. Xoxoday Plum provides dedicated workflows to action each of these rights. Your team can process a data subject access request (DSAR), trigger a right-to-erasure request, or generate a portable data export — all within the platform, without requiring direct database intervention.

Encryption and Pseudonymisation

All personal identifiers stored within Xoxoday Plum are pseudonymised and encrypted at rest and in transit. This means that even if data were intercepted at an infrastructure level, it cannot be linked back to an identifiable individual without the corresponding encryption keys. Xoxoday Plum holds SOC 2 Type II attestation and ISO 27001 certification, both of which independently validate these technical and organisational controls.

Regional Data Localisation

For organisations operating in the EU or China, Xoxoday Plum offers regional hosting options that keep personal data within the required jurisdiction. This directly satisfies GDPR restrictions on cross-border data transfers and PIPL’s strict requirements for data processed within China. Teams using Slack or Microsoft Teams for reward notifications can continue those workflows without personal data leaving the approved region.

Audit Logging and DPO Oversight

Every data access and modification event within Xoxoday Plum is logged and available for review. This provides a complete chain of custody for all personal data, making regulatory audits and internal reviews straightforward. Xoxoday Plum also maintains a dedicated Data Protection Officer (DPO) who oversees ongoing compliance, responds to regulatory queries, and ensures platform controls are updated as legislation evolves.

Whether your organisation operates in Frankfurt, Shanghai, or across both jurisdictions, Xoxoday Plum handles personal data in a way that is legally defensible and fully auditable from day one.

Learn more: Xoxoday Plum Help Centre — Data, Policy & Privacy

ISO 27001 & SOC 2 Type II Certification

Learn how Xoxoday Plum’s ISO 27001 and SOC 2 Type II certifications validate its security controls and data protection practices.

Data Subject Rights & Erasure Requests

Understand how Xoxoday Plum processes access, rectification, deletion, and data portability requests in line with GDPR and PIPL requirements.