Xoxoday Plum is GDPR- and PDPA-compliant, operating under a formal Data Protection Policy overseen by a dedicated Data Protection Officer and continuously audited across its earn engine, redemption marketplace, and merchant offers layer.
A Formal Framework, Not a Checkbox
Xoxoday Plum maintains a comprehensive GDPR Data Protection Policy backed by a full suite of operational controls: Privacy by Design, Data Retention, Encryption at rest and in transit, Role-Based Access Control, Incident Management, and Vendor Management. A dedicated Data Protection Officer (DPO) oversees the programme, which is subject to continuous GDPR readiness audits — meaning compliance is an ongoing operational commitment, not a point-in-time assertion.
These controls are independently validated. Xoxoday Plum holds ISO 27001 certification for information security management and SOC 2 Type II attestation covering security, availability, and confidentiality. Together, these frameworks give enterprise IT and procurement teams a recognised, auditable compliance baseline to satisfy internal security reviews.
PDPA and Southeast Asian Privacy Laws
For customers in Singapore, Thailand, Malaysia, and other markets where PDPA-family legislation applies, Xoxoday Plum enforces the same foundational principles: lawful basis for processing, purpose limitation, and data minimisation. Regional data residency options keep personal data within the relevant geographic boundaries — a critical requirement for organisations running Workday, SAP SuccessFactors, or Darwinbox integrations where employee data flows between HR systems and the rewards platform.
These obligations are embedded in contracts and implementation design from day one. When an HR team connects Xoxoday Plum to Darwinbox via API or imports employee segments from SAP SuccessFactors, the data-handling agreements and technical safeguards are already in place before a single record is transferred.
Data-Subject Rights and Breach Notification
Xoxoday Plum supports the full lifecycle of GDPR data-subject rights — access, rectification, erasure, restriction, portability, and objection — with defined processes and response timelines aligned to the 30-day GDPR obligation.
Breach notification is handled through a structured Incident Management process. Any confirmed personal data breach is assessed, contained, and reported to the relevant supervisory authority within the 72-hour window required under GDPR Article 33, and to affected data subjects where the Article 34 threshold is met.
What This Means for Enterprise Buyers
Organisations that require a Data Processing Agreement (DPA) as a procurement precondition will find that Xoxoday Plum provides GDPR-aligned DPAs as standard. Security questionnaires referencing ISO 27001, SOC 2 Type II, or PDPA readiness can be addressed with documented evidence and audit artefacts rather than self-attested claims.
Learn more: Xoxoday Plum Help Centre — Security & Compliance