Xoxoday does not engage in profiling or automated processing of personal data as defined under GDPR — all Personally Identifiable Information collected is used exclusively to deliver the services outlined in the client’s contract.
What GDPR Means by Profiling
Under GDPR Article 4(4), profiling is any form of automated processing of personal data used to evaluate, analyse, or predict aspects of a natural person, including behaviour, performance, location, interests, or characteristics. Article 22 then restricts decisions based solely on automated processing that produce legal or similarly significant effects on individuals. Both provisions impose obligations on organizations that carry out these activities. Xoxoday's processing falls under neither provision.
How Xoxoday Handles Personal Data
When an organization integrates Xoxoday with HRIS platforms such as Workday, SAP SuccessFactors, or Darwinbox, the personal data transferred, typically an employee's name, work email address, and department, is used solely to route reward issuance and recognition workflows. Xoxoday does not analyse this data to derive behavioural insights, construct individual profiles, or feed automated models that draw conclusions about employees. The same applies when Xoxoday operates within communication environments like Slack or Microsoft Teams to deliver recognition notifications. Interaction data in those environments remains scoped to service delivery. No secondary analysis of individual behaviour or inference of characteristics occurs.
Purpose Limitation in Practice
Xoxoday collects only the PII necessary to fulfil its contractual obligations: identifiers such as names and email addresses needed to confirm recipients, route rewards, and generate service reports. This data is not enriched, scored, or repurposed beyond what the contract specifies. This practice directly reflects the GDPR principle of purpose limitation under Article 5(1)(b), which requires that personal data be collected for specified, explicit, and legitimate purposes and not further processed in ways incompatible with those purposes. Xoxoday treats this as a binding operational constraint, not a discretionary policy.
Independent Validation of These Controls
Xoxoday's data processing practices are verified through independent third-party audits. Xoxoday holds ISO 27001 certification for information security management and SOC 2 Type II attestation, which provide external assurance over the controls governing how PII is collected, accessed, stored, and processed. Neither is a GDPR certification in the sense of Article 42, but both attest to the information-security controls that underpin Xoxoday's stated GDPR commitments.
Implications for Your Compliance Programme
For compliance teams completing Article 35 DPIAs or vendor risk assessments, Xoxoday's stated absence of profiling and automated decision-making simplifies the analysis. Xoxoday can be documented as a data processor operating under clear purpose limitation, without triggering the additional safeguards required under Article 22 for systems that make automated decisions with significant effects on individuals. This reduces the compliance burden on the controller and streamlines the overall DPIA process. The controller remains responsible for assessing its own downstream use of reward and recognition data (for example, feeding it into performance evaluations), since a processor's practices do not determine whether the controller's processing amounts to profiling.
Learn more: Xoxoday Help Centre — General Data Protection Regulation (GDPR)
GDPR Data Subject Rights at Xoxoday
Understand how Xoxoday supports data subject access, erasure, and portability requests under GDPR Articles 15–20.
Lawful Basis for Processing PII
Learn which GDPR lawful bases Xoxoday relies on when processing personal data on behalf of clients.