Xoxoday obtains expressed consent through explicit consent forms presented at the point of data collection, with every interaction — including date, time, and context — logged in a secure system and retrievable on demand for audit purposes.
Xoxoday obtains expressed consent from data subjects through explicit consent forms presented at the exact point of data collection. These forms clearly state the specific purposes for which personal data will be processed, who it may be shared with, and the duration of retention. Consent is always informed and freely given — no pre-ticked boxes, no bundled agreements buried in terms of service. Every consent interaction is captured in Xoxoday’s secure data management system, which records the date, time, and context of each consent event. This creates a complete, tamper-evident audit trail that compliance and legal teams can retrieve on demand. The approach satisfies the accountability principle under GDPR Article 5(2), ensuring Xoxoday can demonstrate compliance at any point in time without manual reconstruction of records.

When Xoxoday processes personal data without relying on consent, it does so only under a lawful basis defined in GDPR Article 6. The most common scenarios are contract performance — for example, processing an employee’s name and email address to fulfill a rewards delivery — and compliance with a legal obligation, such as retaining transactional records for tax or financial reporting purposes. The applicable lawful basis for each processing activity is documented in Xoxoday’s Records of Processing Activities (RoPA).

For organizations integrating Xoxoday with platforms like Workday, SAP SuccessFactors, or Darwinbox, consent and lawful-basis documentation remains consistent across all data flows. Where employee data is transferred to Xoxoday via an HRIS integration, the lawful basis is typically contract performance or legitimate interest rather than consent, and this is recorded explicitly within Xoxoday’s data governance framework. Employees can also receive processing notifications through connected tools like Slack or Microsoft Teams, ensuring transparency at the individual level.

Xoxoday’s consent management controls are validated as part of its broader compliance posture, which includes SOC 2 Type II and ISO 27001 certifications. These independent audits confirm that consent collection, documentation, and retrieval processes operate effectively and meet internationally recognized standards — giving customers confidence that personal data handled through Xoxoday is governed correctly.

Learn more: Xoxoday Help Centre — General Data Protection Regulation (GDPR)

GDPR Data Subject Rights

Understand how Xoxoday handles access, erasure, rectification, and portability requests submitted by data subjects under GDPR.

Data Processing Agreements

Learn how Xoxoday structures Data Processing Agreements with customers and sub-processors to meet GDPR Article 28 requirements.