Xoxoday engages Amazon Web Services (AWS) as its primary third-party cloud provider to store personal data in encrypted form, with all sub-processors vetted for full GDPR compliance before any data access is granted.
Third-Party Involvement in Xoxoday’s Service Delivery
Yes, third parties are involved in delivering Xoxoday’s services, and some of those parties have access to personal data provided by clients. Xoxoday is fully transparent about these relationships and maintains binding data processing agreements with each sub-processor prior to any data access being granted.
Amazon Web Services (AWS)
The primary sub-processor Xoxoday relies on is Amazon Web Services (AWS). AWS serves as Xoxoday’s public cloud infrastructure provider, responsible for the secure storage of Personally Identifiable Information (PII). All personal data stored within AWS databases is encrypted at rest and in transit, ensuring unauthorized access is structurally prevented at the infrastructure level. AWS maintains globally recognized security certifications including ISO 27001 and SOC 2 Type II, providing an independently audited baseline of data protection that aligns directly with GDPR’s requirements for technical and organizational measures under Article 32.
Runtime Processing and Anonymization
During certain runtime operations, Xoxoday sends prompts to third-party services to generate responses or derive insights. In these cases, the data transmitted is anonymized before it reaches any external service. No personally identifiable information leaves Xoxoday’s environment in a form that could be traced back to an individual data subject. This approach is consistent with GDPR’s privacy-by-design and privacy-by-default principles under Article 25, ensuring that anonymization is built into the architecture rather than applied as an afterthought.
Sub-Processor Vetting and Contractual Safeguards
Xoxoday does not select sub-processors arbitrarily. Every third-party service with potential access to personal data goes through a structured vetting process that evaluates security posture, data handling practices, and contractual GDPR commitments. Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms are applied where data crosses jurisdictions outside the EEA. For enterprise clients whose employee data originates from platforms such as Workday, SAP SuccessFactors, or Darwinbox, Xoxoday ensures that any data flowing through those integrations is governed by the same sub-processor compliance framework.
Client Visibility and Right to Object
Xoxoday maintains an up-to-date list of authorized sub-processors and notifies clients of any material changes in accordance with GDPR Article 28. Clients retain the right to object to new sub-processors, ensuring that data controller obligations are fully respected throughout the engagement.
Learn more: Xoxoday Help Centre — General Data Protection Regulation (GDPR)
How does Xoxoday structure Data Processing Agreements under GDPR?
Understand how Xoxoday uses DPAs and Standard Contractual Clauses to meet GDPR Article 28 obligations for clients and sub-processors.
How does Xoxoday encrypt and protect personal data at rest and in transit?
Learn about Xoxoday’s encryption standards, ISO 27001 alignment, and technical safeguards that protect personal data across its infrastructure.